The Internal Revenue Service (IRS) is warning consumers of a “surge” in email fraud schemes this tax filing season.
Scammers send out emails that look to be official IRS correspondence, hoping to infect victims with malicious attachments or collect personal information that could be used for identity theft and financial gain.
In an IRS press release, the agency noted that the number of reported phishing and malware schemes had increased fourfold from 254 reports in January 2015 to 1026 in January 2016.
Similarly, from February 1 to 16, 2016, 363 incidents were reported, compared to 201 for the full month of February 2015.
In aggregate, the 1,389 reported incidents for the first one and a half months of 2016 have already bested the 1,361 incidents for all of 2014.
It doesn’t take a very sophisticated attack for scammers to make a lot of money off of a stolen identity. A “60 Minutes” investigation found that all an attacker needs to file a tax return — claiming refunds on the victim’s behalf — is a social security number and date of birth.
“I could wake up in the comfort of my own home, and just get on a laptop, do about 15 returns a day,” one scammer told “60 Minutes.” “Fifteen times $3,000 a return, that’s $45,000 a day.”
‘A cat-and-mouse game’
As the IRS implements new security measures, attackers develop new schemes to overcome them. The new requirement for taxpayers to provide a driver’s licence number for some state filings could easily prompt attackers to develop new phishing emails to trick victims into providing the number, or else to seek out as hacking targets other locations where that information might be stored.
“There’s a cat-and-mouse game,” says Chris Hadnagy, CEO and founder of Social-Engineer, Inc., a company which he describes as security penetration testing for humans rather than computers.
While he is quick to note that the IRS is making an effort by requiring more information of taxpayers, Hadnagy doesn’t see a solution in increased authentication alone: he stresses education and awareness.
“The question of ‘Is there a technical fix?’ There’s not. […] There’s no plugin, there’s no attachment, there’s no little box you can stick on your network and — bam — you’re safe from phishing.”
‘Phishing scams work amazingly well’
Victims have to be aware of an always-evolving landscape of threats: Sophisticated attackers combine false text messages and phone calls and even make automated attacks on the IRS’ security measures. Meanwhile, Hadnagy says that many people aren’t even aware that scam emails impersonating the IRS or Paypal exist at all.
But the IRS’ user-base is the entire taxpaying public, making education more challenging than it might be for a business. As a result, scammers have been seeing large returns.
Simply put, phishing scams work “amazingly well,” Hadnagy says.
Vast sums of taxpayer money are being refunded to criminals by way of fraudulent returns made with stolen information. According to a GAO report citing the IRS’ own estimates, the IRS prevented or recovered the payment of $24.2 billion in fraudulent refunds in 2013, but paid $5.8 billion in what it determined were fraudulent returns.
As the prevalence of fraud attempts increases, the IRS’ ability to keep taxpayer money out of the hands of fraudsters seems to be weakening. Compared to $24.2 billion withheld from scammers in 2013, the IRS stopped only $8.7 billion across 1.4 million “confirmed identity theft returns” in 2015.
(The large discrepancy may come in part as a result of more conservative calculations on the part of the IRS — the GAO report criticised assumptions made in the IRS’ cost-estimation process.)
Unfortunately, false tax returns are only one way scammers escalate phishing attacks into profit. Stolen credentials can easily be used to gain access to sensitive accounts, especially when passwords are reused.
A recent study using a fake online persona with Google credentials leaked to the dark web found that 94% of hackers who accessed the Google account found the “victim’s” other online accounts and tried to log into a false bank web portal set up for the experiment.
Hadnagy urges those who feel they may have given their information to scammers to change their passwords, especially for accounts sharing a compromised password, and not to forward on suspicious emails, even to ask for a second opinion: doing so only increases the chance of spreading the attack.
Additionally, those who receive phone calls supposedly from the IRS should look up their local IRS office and call that number to look into a suspicious call’s claims rather than calling back a number that may belong to a scammer. In severe cases, victims can call the major credit agencies to get a temporary freeze put on their credit score or even potentially be issued a new SSN.
“What it really boils down to,” says Hadnagy, “is critical thinking and taking the effort to be secure.”
Business Insider Emails & Alerts
Site highlights each day to your inbox.