
The arrival of tax season often conjures dread for individuals and business owners as they begin hunting down paperwork and receipts, filling out forms, and praying they don’t end up owing the government. While this scenario is playing out, cybercriminals are excitedly awaiting tax season as yet another opportunity to part people from their hard-earned money. Though we are used to watching things such as charges to our credit cards more closely during the holidays, people often fail to realize that tax time is another seasonal threat we all face.

The Threat is Real

With our ever-growing reliance on technology, more and more people are filing their tax returns online. According to RiskIQ’s 2019 Tax Season Threat Roundup, the United States Internal Revenue Service (IRS) is expecting more than nine out of 10 returns to be prepared electronically this year. While filing electronically using software such as TurboTax and H&R Block online makes filing taxes simple for individuals and businesses, it also makes it easier for bad actors to do their dirty work.

Phishing, Spoofing, and Infringement

Phishing is a cyberattack where a disguised email is used to trick you into thinking you’re getting a legitimate message or offer, such as a request from the IRS. This is what really sets phishing apart: the cybercriminal sending it will masquerade as a trusted entity or a plausibly real person. The email might ask you to download something or click on a link. Don’t do it, as this can open you up to a hack.

Spoofing is when a hacker disguises a communication such as an email, phone call, or website by pretending to be a legitimate source. Not only can criminals spoof the aforementioned communications, but they can also spoof IP addresses and domain names. Spoofing is used to gain access to a target’s personal information and/or spread malware through infected links or attachments. Spoofing is also used to bypass network access controls and reroute traffic to malicious sites. A successful spoofing attack can affect computer systems and networks, lead to data breaches and/or loss of revenue, and leave your business with a bad reputation.

Domain infringement is another type of spoofing danger that is especially troubling during tax season. A website’s domain name, or URL, is the internet address identifying the website. Bad actors will often use a website’s domain name and change just one letter or number hoping that someone accidentally types in the wrong URL. For example, rather than typing in turbotax.com you might type terbotax.com. That small error in spelling as you type could take you to a site that looks exactly like TurboTax but is actually a malicious site where you can become victimized.

The Digital Shell Game

Criminals can take advantage of tax season in numerous ways. For starters, they may use phishing pages, domain infringement, and/or fake mobile apps to mimic popular e-filing systems and software such as the aforementioned TurboTax and H&R Block online. Savvy cybercriminals can create a page that looks incredibly similar to a real tax software site in order to capture your information. They can wreak havoc on a site by invading it to steal information. To date, 30 percent of mobile tax filing apps are blacklisted as fraudulent, according to the RiskIQ report mentioned above.

Because these apps and free software are found outside the protection of your home or business firewalls, consumers are more easily fooled into downloading malware or enticed into using compromised sites. Simply being off by one character in a web address can lead to real trouble, as cybercriminals often create fake sites that have addresses close to legitimate e-filing sites. As Americans “file” their taxes, many consumers are unwittingly sharing their most sensitive information, from their social security number and date of birth to their bank routing number, with hackers waiting for an easy payday.

Mobile Apps

The RiskIQ report also shows that while most official mobile applications for filing taxes are very secure, there is a sea of fake apps out there pretending to be legitimate online tax filing services. The goal of these apps is to trick consumers into downloading them so the cybercriminal can then steal their sensitive data or infect their mobile device with malware or annoying adware.

So how can you tell if a mobile app is suspicious? First, look for a developer to be listed for the app and look at where it is being hosted. Stick to downloading mobile apps from reputable sources such as Apple or the Google Play Store, though even this isn’t foolproof. Also, if an app seems more intrusive than necessary, be on high alert. For example, if an app requires too many permissions, or permissions that have nothing to do with the functionality of the app, such as permission to access the camera, record audio, change settings, or download data without notification, that should be a huge red flag.

Other Means of Attack

Because so many people file their taxes online, which relies on the open internet, criminals are doing the same. End-users of tax filing software are often targeted in high-volume phishing and domain infringement attacks. Hackers love utilizing these methods for victimizing people because they are cheap and simple. In 2018, RiskIQ found 1,235 instances of phishing targeting online tax filers and 468 blacklisted URLs in its research.

Not only are cybercriminals using fake URLs, but they can also copy e-filing pages, including those from the IRS. The fake page may request a treasure trove of information including name, occupation, employer, social security numbers, address, and the user's tax PIN. Be wary of pages, websites, or apps that ask for too much information.

Protect Yourself and Your Business

In a recent article by Forbes online, the IRS warned consumers of tax day scammers using phony emails and impersonating IRS staff with fake phone calls. The IRS and cybersecurity professionals such as those at ORAM Corporate Advisors offer tips for protecting yourself and your business this tax season while reducing the risk of being victimized. Before filing your taxes on any platform, ask yourself these questions:

  1. Who owns the app or site?
  2. Is the company that owns it reputable? Remember to do your homework about the company online.
  3. How long has the company been around?
  4. Did I ask to be sent here or was I rerouted? If you were rerouted, do not proceed.

Here are a few more tips for safer tax filing:

  • Download apps from official app stores including Apple or Google.
  • If an application asks for suspicious permissions such as access to your contacts, text messages, administrative settings, passwords, or credit card information, be leery.
  • When typing in a URL, ensure you have spelled the address properly. If you are redirected to a site you didn’t request, exit immediately.
  • If your device warns you that a site is not secure, leave the site immediately.
  • Before you download, look for the developer of an app. If it’s not a brand you recognize or it’s spelled differently, stop before you forge ahead. Google search for a developer to see if they are legitimate and have a positive reputation.
  • Though an app may have many downloads and rave reviews, it can still be fraudulent. A huge number of downloads may just mean many people were duped and reviews can be made up.
  • Poor grammar or spelling in the web address or description of an app is a warning signal. Stay away.
  • For any device on which you file your taxes, ensure it has an updated firewall, anti-virus software, and anti-spyware software all in place.
  • Use only a trusted, secure Wi-Fi network (never use public Wi-Fi for tax filing) or a Virtual Private Network (VPN).
  • Don’t save your tax return on your computer’s hard drive.
  • Beware of phony calls and emails from the IRS, your tax preparer, or your tax software provider (e.g., TurboTax). The IRS will never call you and emails could be a phishing attempt. Contact the IRS or your software provider directly by phone if you have any questions.
  • Use a unique password for your tax return. Don’t use a social security number, phone number, or other easy-to-crack passwords.

For more information on protecting yourself or your business during tax season, contact ORAM online or call (617) 933-5060 now.