Almost every new season arrives fraught with its own unique phishing scams. Around Thanksgiving and Christmas, hackers take advantage of rushed shoppers and an increase of traffic to online marketplaces to trick users into clicking on fake links or visiting unsecured sites. During the summer, it’s vacation packages and killer plane tickets that con us into giving up our credit card data. Whatever the season, hackers have an acute ability to determine what we’re occupied with, and then to tailor intricate scams to hook us. Well, now it’s tax season, and you bet that scammers are coming up with some brilliant ways to reel us in for an IRS scam.
Scam Phone Calls
Ah–one of the oldest tricks in the book. Many individuals have reported receiving phone calls supposedly from the IRS, stating that taxes have been filed improperly, and threatening the taxpayer if they don’t take immediate action. This IRS scam utilizes the classic trick of urgency—telling the recipient that something bad will happen to them if they don’t follow through immediately. This trick works especially well with phone calls, as recipients have less time to consider what they’re being told before they act on it.
Thankfully, there’s something obvious here to clue you into the fact that it’s a scam—the IRS doesn’t call taxpayers on the phone. Their business is done exclusively via snail mail, never by phone or even email. So, if you receive a mysterious phone call from someone claiming to be from the IRS, rest assured that you can safely hang up. And remember—regardless of what company or agency might claim to be calling you, never give up personal data over the phone. This goes for banks, wireless providers, or even IT help desks. Always verify the information you’re being given through an external source before you act.
Unsurprisingly, it doesn’t stop at phone calls. According to recent reporting by CBS, taxpayers have also been receiving emails from senders claiming to be IRS-affiliated debt collection agencies. These emails warn recipients that the tax refunds they received were incorrect, and must be returned to a “local refund account” immediately. Unusually, this form of IRS scam uses a phishing email directly steals the recipient’s money, rather than more circuitously gathering bank account data or Social Security Numbers. But like most phishing emails—and like the phone scam—it demands immediate action and even threatens legal repercussions otherwise. The scam also flashes a wealth of personal information about the recipient, making it look more legitimate.
Unfortunately, this is not the only email hack making the rounds. Another common one requests W2 information, and then uses that information to steal the identity of the victim. According to Forbes, this scam typically targets HR or payroll departments, and spoofs or hacks into the email account of a high-level executive “requesting” the information. Any phishing email that sends from (or even appears to send from) a company email address is automatically much more effective and difficult to spot. The trusted email address makes the recipient much more receptive to the information or action items presented in the email than they likely would be otherwise. Your boss emailing you asking for an employee’s W2 information would raise a lot fewer red flags than some unknown sender from the IRS. And that’s part of what makes phishing emails in general increasingly scary–as hackers get more sophisticated, their emails begin to lose those classic phishing email “tells.” Which means that we just have to be on even greater alert.
Whether it’s tax-related phishing emails or any other scam, one principle stands firm over and above all the rest: better safe than sorry. Releasing personal information on the phone or via email is like playing a loaded game of Russian Roulette. Once or twice, you could get lucky. Maybe that email requesting a W2 form really is from your boss. But the odds are absolutely not in your favor–and if you’re wrong? Bang. But lucky for you, there’s a simple solution, which is just not to spin the chambers at all. While the other tip-offs might begin to fail as phishing scams improve, playing it safe never will. In fact, it’s the only surefire way not to get scammed, and it works every time. If you get a phone call, say that you’d like to independently verify the information you’re being given, and hang up the phone. If you get an email, delete it—regardless of how legitimate it looks. Instead, pick up the phone and call your supervisor, your tax accountant, or even the IRS, to confirm.
If you do receive an IRS-related phishing email, you can notify the IRS at firstname.lastname@example.org(include the phishing email header in the body, with subject line “W2 Scam”). And don’t forget to maintain a strong annual training plan to keep yourself—-and your workforce—up-to-date with current phishing scams and solutions. Contact us to find out how you can integrate seasonal and industry-specific threats into a cohesive, effective program. And don’t forget: better safe than sorry especially with an IRS scam.
What Can You Do?
GLS knows that your employees’ cybersecurity awareness should not stop when they leave the office at the end of a workday. The principles they learn as part of their training at work should be extended to protecting personal data so that good habits are practiced 24×7 to reinforce positive behaviors and prevent phishing attempts.
As part of our Human Firewall 2.0 program, Global Learning Systems offers courses for prevention of online scams in: