
Prepare for Social Engineering Scams This Tax Return Season

By Aamir Lakhani | April 01, 2021

As the public prepares to file their taxes in many parts of the world, cyber criminals are waiting for their chance to exploit unsuspecting individuals who want the process to be as quick as possible. This issue is especially pertinent this year, as many are still working from home on various devices connected to unsecured networks. And while cyber criminals can be sophisticated in how they work to steal information, there are steps that anybody can take to avoid falling victim to a social engineering scam, especially during tax return season. 

Why Tax Return Season is a Beacon for Bad Actors

Social engineering attacks leverage uncertainty, stressful situations, and seasonal shifts in public attention and concern – all things that tax season is known for. Hence, for bad actors, this time of year is ripe for exploitation. This is even more true when there are significant changes in filing requirements or tax laws. 

In 2021, many people are seeking out information about economic impact payments, including how those payments will affect their taxes. There’s a new administration, new tax guidelines on the books, and a recent extension of the federal tax filing deadline. With this many changes, people become especially attuned to information that can help them understand how those changes may affect them.

Taxpayers also want to make sure they maximize their refunds, and many are on the lookout for ways to simplify the filing process. So, when they receive an email that appears to be from the IRS offering to help them get their refund faster or warning that they’re in violation of some new law, it’s difficult not to click on it. 

Social Engineering Attack Styles to Look Out For

Cyber criminals are out in force, eager to prey on the stress and uncertainty surrounding the tax season. Attacks may take the form of phishing email campaigns or even phone calls from people claiming to be from the IRS or a collection agency. Stolen data may also equip these scammers with personal information, including social security numbers, making them appear legitimate even when they aren’t. 

In addition to phishing campaigns implemented via a “spray and pray” model of sending thousands of emails with the hopes that at least one person will fall victim, spear-phishing attacks are also on the rise. These types of attacks can be more difficult to detect than phishing because they come in the form of targeted, personalized emails that often sound like they were sent from someone who knows the recipient. While spear-phishing has traditionally been more challenging to implement, some advanced cyber criminals are now using machine learning and artificial intelligence to execute such attacks more efficiently.

Who is the Most Vulnerable to Social Engineering Attacks During Tax Return Season

Green card holders, small business owners, new taxpayers under the age of 25, and older taxpayers over the age of 60 are often prime targets for tax refund scams. Cyber criminals assume these individuals may be less informed about tax policies and what to expect, in addition to being more vulnerable to emotional manipulation. A scam may claim, for example, that the potential victim has missed an important tax deadline, pressuring them to act fast out of fear.

How to Protect Yourself Against Tax Refund Scams

Knowing what to look out for and how to handle suspect emails or phone calls can prevent anybody from falling victim to tax season social engineering attacks. Tips for effectively defending against social engineering attacks include: 

  • Look for grammatical issues and typos: Often, phishing emails contain errors that a keen eye can easily detect. If a message includes several spelling or grammar errors throughout, there is a good chance that it is not legitimate.
  • Be skeptical: Always consider any unexpected emails or phone calls claiming to be from the IRS or other government agencies to be suspect. If you are concerned about a sender or caller’s legitimacy, don’t give out any information right away. Instead, contact the IRS or government agency directly on your own to verify. 
  • Don’t share personal information: Whether over the phone or via email, don’t give out your social security number or credit card information. Beware that scammers may pressure you to do so and may try to convince you that if you don’t act immediately, something terrible will happen. 
  • Warn family and friends who may be more vulnerable to such attacks: Once you are protected, share this information with others and encourage them to get educated. Consider taking some free cybersecurity awareness training. Fortinet's NSE Training Institute can help.
  • Take steps to prevent attacks: Secure email gateway (SEG) solutions such as FortiMail can protect all inbound and outbound email traffic. FortiMail, in particular, integrates seamlessly with the Fortinet Security Fabric and is backed by FortiGuard Labs.
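As an added illustration of the red flags the tips above describe (a sender claiming to be the IRS, pressure to act fast, and requests for a social security number or card details), here is a small Python triage heuristic of the kind a mail filter or help desk could run over a suspicious message. It is example code, not Fortinet or FortiMail code; the sample messages and the .example domains are constructed, and irs.gov is the only domain it treats as the agency's own.

```python
import email
import re
from email.utils import parseaddr

# Indicators drawn from the article: pressure to act immediately, threats, and requests for identifiers.
URGENCY = re.compile(r"act (now|immediately)|within 24 hours|missed [^.]* deadline|legal action", re.I)
SENSITIVE = re.compile(r"social security number|\bssn\b|credit card|bank account", re.I)
CLAIMS_IRS = re.compile(r"\b(irs|internal revenue service)\b", re.I)
IRS_DOMAIN = "irs.gov"  # the agency's real domain; anything else claiming to be the IRS is suspect

def _domain(addr):
    return parseaddr(addr)[1].rpartition("@")[2].lower()

def _plain_text(msg):
    parts = [p for p in msg.walk() if p.get_content_type() == "text/plain"]
    return "\n".join((p.get_payload(decode=True) or b"").decode("utf-8", "replace") for p in parts)

def score_irs_impersonation(raw):
    """Heuristic triage of a raw RFC 822 message: returns (score, reasons), not a verdict."""
    msg = email.message_from_string(raw)
    sender, dom = msg.get("From", ""), _domain(msg.get("From", ""))
    text = msg.get("Subject", "") + "\n" + _plain_text(msg)
    reasons = []
    if CLAIMS_IRS.search(sender) and dom != IRS_DOMAIN and not dom.endswith("." + IRS_DOMAIN):
        reasons.append("claims IRS but sent from " + dom)
    if msg.get("Reply-To") and _domain(msg["Reply-To"]) != dom:
        reasons.append("reply-to domain differs from sender domain")
    if URGENCY.search(text):
        reasons.append("urgency or threat language")
    if SENSITIVE.search(text):
        reasons.append("requests sensitive identifiers")
    return len(reasons), reasons

# Constructed sample messages (not real mail); addresses use reserved .example domains.
PHISH = """\
From: "IRS Refund Department" <refunds@irs-taxrefund-portal.example>
Reply-To: claims@mailbox.example
Subject: Your tax refund is pending

You missed the filing deadline. Act immediately or legal action will follow.
Reply with your social security number to get your refund faster.
"""
LEGIT = """\
From: "Payroll Team" <payroll@corp.example>
Subject: W-2 forms are now on the HR portal

Your W-2 is available. Sign in to the HR portal as usual to download it.
"""

if __name__ == "__main__":
    print(score_irs_impersonation(PHISH), score_irs_impersonation(LEGIT))
```

A score of two or more is a reasonable threshold for holding a message for review; a single hit (urgent wording alone, say) is common in legitimate mail.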

In addition to the tips noted above, it’s also critical to understand what is and isn’t normal communication from the IRS or equivalent. If you do encounter an IRS-related phone or email scam, you can report it to the Treasury Inspector General for Tax Administration via the form on the IRS Impersonation Scam Reporting website or by sending an email to phishing@irs.gov with the subject line “IRS Impersonation Scam.”


Final Thoughts on Social Engineering Attacks and Tax Return Season 

While tax return season can bring about stress, knowing the signs of a social engineering attack can significantly reduce these worries. By understanding how the IRS contacts individuals, what constitutes a legitimate message, and what information should be provided, anybody – from first-time tax filers to seasoned pros – can get ahead of cyber criminals and protect their data from getting into the wrong hands. 

Find out how the Fortinet Security Fabric delivers broad, integrated, and automated protection across an organization’s entire digital attack surface from IoT to the edge, network core and to multi-clouds.