As the public prepares to file their taxes in many parts of the world, cyber criminals are waiting for their chance to exploit unsuspecting individuals who want the process to be as quick as possible. This issue is especially pertinent this year, as many are still working from home on various devices connected to unsecured networks. And while cyber criminals can be sophisticated in how they work to steal information, there are steps that anybody can take to avoid falling victim to a social engineering scam, especially during tax return season.
Social engineering attacks leverage uncertainty, stressful situations, and seasonal shifts in public attention and concern – all things that tax season is known for. Hence, for bad actors, this time of year is ripe for exploitation. This is even more true when there are significant changes in filing requirements or tax laws.
In 2021, many people are seeking out information about economic impact payments, including how those payments will affect their taxes. There’s a new administration, new tax guidelines in the books, and a recent extension of the federal tax filing deadline. When there are this many changes, people become especially attuned to information that can help them understand how those same changes may affect them.
Taxpayers also want to make sure they maximize their refunds, and many are on the lookout for ways to simplify the filing process. So, when they receive an email that appears to be from the IRS offering to help them get their refund faster or warning that they’re in violation of some new law, it’s difficult not to click on it.
Cyber criminals are out in force, eager to prey on the stress and uncertainty surrounding the tax season. Attacks may take the form of phishing email campaigns or even phone calls from people claiming to be from the IRS or a collection agency. Stolen data may also equip these scammers with personal information, including social security numbers, making them appear legitimate even when they aren’t.
In addition to phishing campaigns implemented via a “spray and pray” model of sending thousands of emails with the hopes that at least one person will fall victim, spear-phishing attacks are also on the rise. These types of attacks can be more difficult to detect than phishing because they come in the form of targeted, personalized emails that often sound like they were sent from someone who knows the recipient. While spear-phishing has traditionally been more challenging to implement, some advanced cyber criminals are now using machine learning and artificial intelligence to execute such attacks more efficiently.
Green card holders, small business owners, new taxpayers under the age of 25, and older taxpayers over the age of 60 are often prime targets for tax refund scams. Cyber criminals assume these individuals may be less informed about tax policies and what to expect, in addition to being more vulnerable to emotional manipulation. Scams may claim, for example, that the potential victim has missed an important tax deadline, thereby pressuring victims to act fast out of fear.
Knowing what to look out for and how to handle suspect emails or phone calls can prevent anybody from falling victim to tax season social engineering attacks. Tips for effectively defending against social engineering attacks include:
In addition to the tips noted above, it’s also critical to understand what is and isn’t normal communication from the IRS or equivalent. If you do encounter an IRS-related phone or email scam, you can report it to the Treasury Inspector General for Tax Administration via the form on the IRS Impersonation Scam Reporting website or by sending an email to firstname.lastname@example.org with the subject line “IRS Impersonation Scam.”
While tax return season can bring about stress, knowing the signs of a social engineering attack can significantly reduce these worries. By understanding how the IRS contacts individuals, what constitutes a legitimate message, and what information should be provided, anybody – from first-time tax filers to seasoned pros – can get ahead of cyber criminals and protect their data from getting into the wrong hands.