Taxpayers shrug off ID fraud warnings even as attacks rise

Pity the IRS. It’s been strenuously warning us about increased tax fraud all month. A big chunk of taxpayers have responded by yawning.

The IRS saw a huge spike in phishing and malware attacks during the 2016 tax season, which came on top of a 400% increase in phishing and malware in 2015. And earlier in the month, the US tax agency sent out an urgent warning about a new type of tax fraud taco: CEO spearphishing fraud stuffed with W-2 tax form scamming and a dollop of wire fraud on top.

But according to the second annual Tax Season Risk Report from ID theft protection firm CyberScout, a recent survey shows that the public’s not using the security practices we need to protect ourselves from identity theft.

Highlights from the report:

58% of people in the US don’t worry about tax fraud. They should! In November, the IRS said that it had stopped 787,000 confirmed ID theft returns in 2016, totaling more than $4 billion in potential fraud.

Only a minority – 35% – of respondents demand MFA. Multifactor authentication (MFA), or two-factor authentication (2FA), is a good stumbling block for identity thieves. But the majority of respondents said that they’re not requiring that their tax preparers use it, instead leaving the preparers to use a single password to protect clients’ personal information. To read more about the hows and whys of 2FA, check out our Power of Two post.

Only 18% of respondents use an encrypted USB drive. Instead, people are saving important documents like tax worksheets, W-2s, 1099s or 1040s in unencrypted form, while another 38% either store tax documents on their computer’s hard drive or in the cloud, leaving them vulnerable to attack.

More than half – 57% – of consumers file late, giving tax fraudsters time to impersonate them online and steal their refunds.

We’re not locking our mailboxes. 51% of taxpayers who expect a refund check in the mail don’t use a locked mailbox, leaving their checks at risk of theft.

Half of taxpayers don’t know how to evaluate a tax preparer. They’ll choose someone online, or they’ll fail to screen them beforehand, leaving themselves vulnerable to getting ripped off.

Only 48% of taxpayers use online tax services. That’s because 24% of respondents say they don’t trust them. That’s bad, according to the report, which says that it’s a “misperception” to think that online tax services can result in exposure of sensitive information.

I have a bone to pick with that point. History has shown that putting your faith in online tax services doesn’t guarantee information security.

In 2015, Intuit, the makers of the popular TurboTax app, stopped the e-filing of all state tax returns due to a surge in fraudulent filings. The freeze came after several states saw a deluge of phony filings and hence refused to accept the returns. It took five days to clean up the mess before Intuit recommenced state filings.

Utah’s state tax commission had discovered 28 fraud attempts that “originated from data compromised through a third-party commercial tax preparation software process,” as well as 8,000 returns flagged as potentially fraudulent. Eighteen other states saw the same thing.

Intuit wasn’t initially implicated in the leak. At any rate, besides the unspecified third-party commercial tax prep software processes, there are plenty of data leaking sources: data breaches, for one, which are sadly common nowadays.

How to slam the tax scams

  • File online directly with the IRS.
  • File early! You can avert your gaze from that pile of forms and receipts, but the scammers won’t be procrastinating. The more you wait, the more time you’re giving them to file a bogus return and snatch your refund. CyberScout says that that 57% of people plan to file later than February or don’t know when they’ll file.
  • Pick proper passwords. Even though strong passwords don’t help if you’re phished (the crooks get the strong password anyway), they make it much harder for crooks to guess their way in.
  • Don’t reuse passwords. It’s bad enough when crooks get into one of our accounts. It’s multiple times worse when they can take our reused passwords to get into all our accounts. Limit the damage by using one strong, unique password per account. Use a password manager if you can’t remember them all: that way, you only have to remember the one, strong password you need to get into the manager.
  • Never authenticate yourself to anyone who contacts you online or by phone. Say a nice man “from the IRS” calls and asks for your Social Security number. Or, say, threatens you about some purported student tax that you didn’t pay. He says “Pay it now” or else he’ll call the police! …um, no. That’s not how the IRS contacts people: it’s a dead giveaway that Mr “I’m from the IRS” is trying to fleece you.
  • Use 2FA whenever you can. That way, even if the crooks phish your password once, they can’t keep logging back into your email account.
  • Have your refund directly deposited into your bank account, or slap a lock on your mailbox if you’re having it mailed.
  • Don’t give away your details on social media. It’s easy for hackers to figure out answers to security questions when you give away the answers online.

Also, because so many tax fraud attempts are coming through phishing attempts, you might want to consider using Sophos Home. The free security software for Mac and Windows blocks malware and keeps you away from risky web links and phishing sites.

Here are more tips to help you recognize, and steer clear of, phishing links.

To read up on the most current tax scams and cyber-attacks, check out this page from the IRS.