Tax season is now upon us. It’s time to gather the necessary paperwork and assemble those tax returns. It’s also time to think about how to keep ourselves safe during this season. In 2018, the Internal Revenue Service (IRS) saw a 60% increase in phishing emails. As dismaying as that may seem, understanding how tax fraud is perpetrated through social engineering will help you recognize these attempts and prevent them from harming you.
How do cybercriminals do it?
The easiest way for cybercriminals to get your personal information is to convince you to give it to them. Social engineering is the exploitation of people’s willingness to trust. By posing as reputable people or organizations, scammers trick people into handing over their sensitive or restricted information.
Whether through phishing (emails) or vishing (voice calls), the IRS has seen an increase in these scams. Cybercriminals are impersonating the IRS and other tax officials by replicating the look and language of authentic communications to try to steal money and identities from taxpayers. These emails have subject lines like “IRS Important Notice” or “IRS Taxpayer Notice”; they often demand payment right away or threaten to seize refunds. They often direct you to a fraudulent website that asks you to enter your credentials or personal information. They could also have Tax Transcript attachments that if opened secretly download malware onto your computer. With phone calls, IRS impersonators might say you’re due a refund and ask for your bank account information.
How do you know if it’s really the IRS or not?
It’s important to note that the IRS does not send unsolicited emails or make phone calls to the public without first sending an official letter in the mail. In fact, the IRS will not:
- Email or call you unsolicited suggesting you have a refund, telling you to update your account, requesting personal information or demanding payment
- Email a sensitive document
- Threaten to bring in local police, immigration officers or other law enforcement to have you arrested for not paying. The IRS also cannot revoke your driver’s license, business licenses or immigration status.
- Threaten legal action, such as a lawsuit
What should you do to protect your information?
Here are a few things you can do to protect your information:
- Always be skeptical of the intention of an email or phone call. If you are suspicious about a message purporting it’s from the IRS, call them through the phone number on their website.
- Don’t use hyperlinks. If you want to get to a site, go directly to the source’s main web page.
- Don’t open any attachments. They may have malicious code that will infect your computer.
- Check to make sure your passwords are strong and unique for each of your accounts.
- Don’t use a public, guest, free or unsecure WIFI network when conducting financial business.
- Be careful what you post online, especially with social media. Personal information can be gathered and used to file a fake tax refund request in your name.
If you get a phishing email through a personal email account, forward it as an attachment to email@example.com and then delete it. If you get one through your wisc.edu email, report it using the “Report Phish” feature in your Office 365 email (here’s how), or email it as an attachment to firstname.lastname@example.org. If you get a vishing call, fill out this form at the U.S. Treasury Inspector General for Tax Information website.