March 05, 2019, 10:00 AM
WASHINGTON — Kicking off the annual “Dirty Dozen” list of tax scams, the Internal Revenue Service today warned taxpayers of the ongoing threat of internet phishing scams that lead to tax-related fraud and identity theft.
The IRS warns taxpayers, businesses and tax professionals to be alert for a continuing surge of fake emails, text messages, websites and social media attempts to steal personal information. These attacks tend to increase during tax season and remain a major danger of identity theft.
To help protect taxpayers against these and other threats, the IRS highlights one scam on 12 consecutive week days to help raise awareness. Phishing schemes are the first of the 2019 “Dirty Dozen” scams.
“Taxpayers should be on constant guard for these phishing schemes, which can be tricky and cleverly disguised to look like it’s the IRS,” said IRS Commissioner Chuck Rettig. “Watch out for emails and other scams posing as the IRS, promising a big refund or personally threatening people. Don’t open attachments and click on links in emails. Don’t fall victim to phishing or other common scams.”
The IRS also urges taxpayers to learn how to protect themselves by reviewing safety tips prepared by the Security Summit, a collaborative effort between the IRS, state revenue departments and the private-sector tax community.
“Taking some basic security steps and being cautious can help protect people and their sensitive tax and financial data,” Rettig said.
New variations on phishing schemes
The IRS continues to see a steady stream of new and evolving phishing schemes as criminals work to victimize taxpayers throughout the year. Whether through legitimate-looking emails with fake, but convincing website landing pages, or social media approaches, perhaps using a shortened URL, the end goal is the same for these con artists: stealing personal information.
In one variation, taxpayers are victimized by a creative scheme that involves their own bank account. After stealing personal data and filing fraudulent tax returns, criminals use taxpayers' bank accounts to direct deposit tax refunds. Thieves then use various tactics to reclaim the refund from the taxpayer, including falsely claiming to be from a collection agency or the IRS. The IRS encourages taxpayers to review some basic tips if they see an unexpected deposit in their bank account.
Schemes aimed at tax pros, payroll offices, human resources personnel
The IRS has also seen more advanced phishing schemes targeting the personal or financial information available in the files of tax professionals, payroll professionals, human resources personnel, schools and organizations such as Form W-2 information. These targeted scams are known as business email compromise (BEC) or business email spoofing (BES) scams.
Depending on the variation of the scam (and there are several), criminals will pose as:
- a business asking the recipient to pay a fake invoice
- as an employee seeking to re-route a direct deposit
- or as someone the taxpayer trusts or recognizes, such as an executive, to initiate a wire transfer.
The IRS warned of the direct deposit variation of the BEC/BES scam in December 2018, and continues to receive reports of direct deposit scams reported to email@example.com. The Direct Deposit and other BEC/BES variations should be forwarded to the Internet Crime Complaint Center (IC3). The IRS requests that Form W-2 scams be reported to: firstname.lastname@example.org (Subject: W-2 Scam).
Criminals may use the email credentials from a successful phishing attack, known as an email account compromise, to send phishing emails to the victim’s email contacts. Tax preparers should be wary of unsolicited email from personal or business contacts especially the more commonly observed scams, like new client solicitations.
Malicious emails and websites can infect a taxpayer’s computer with malware without the user knowing it. The malware downloads in the background, giving the criminal access to the device, enabling them to access any sensitive files or even track keyboard strokes, exposing login victim’s information.
For those participating in these schemes, such activity can lead to significant penalties and possible criminal prosecution. Both the Treasury Inspector General for Tax Administration (TIGTA), which handles scams involving IRS impersonation, and the IRS Criminal Investigation Division work closely with the Department of Justice to shut down scams and prosecute the criminals behind them.
Tax professional alert
Numerous data breaches across the country mean the tax preparation community must be on high alert to unusual activity, particularly during the tax filing season. Criminals increasingly target tax professionals, deploying various types of phishing emails in an attempt to access client data. Thieves may use this data to impersonate taxpayers and file fraudulent tax returns for refunds.
As part of the Security Summit initiative, the IRS has joined with representatives of the software industry, tax preparation firms, payroll and tax financial product processors and state tax administrators to combat identity theft refund fraud to protect the nation's taxpayers.
The Security Summit partners encourage tax practitioners to be wary of communicating solely by email with potential or existing clients, especially if unusual requests are made. Data breach thefts have given thieves millions of identity data points including names, addresses, Social Security numbers and email addresses. If in doubt, tax practitioners should call to confirm a client’s identity.
Reporting phishing attempts
If a taxpayer receives an unsolicited email or social media attempt that appears to be from either the IRS or an organization closely linked to the IRS, such as the Electronic Federal Tax Payment System (EFTPS), they should report it by sending it to email@example.com. Learn more by going to the Report Phishing and Online Scams page on IRS.gov.
Tax professionals who receive unsolicited and suspicious emails that appear to be from the IRS and/or are tax-related (like those related to the e-Services program) also should report it to: firstname.lastname@example.org.
The IRS generally does not initiate contact with taxpayers by email to request personal or financial information. This includes any type of electronic communication, such as text messages and social media channels.
February 04, 2019, 8:17 PM
Changes in banking technology make managing your refund safer and easier than ever
Here are a few tips to ensure that your refund arrives as quickly and safely as possible as well as some ideas on how to get the most out of your money when it does.
The Refund Process
Once you have submitted your federal taxes and know you have a refund coming to you, the fastest way to get your tax refund is to have it electronically deposited into your financial account through the IRS’s Direct Deposit Program. It’s free to consumers, and it allows you to deposit your refund into as many as three separate accounts.
While you can still receive your refund in the form of a paper check, there are several advantages to direct deposit. Not only is it faster, direct deposit is also more secure. Refund checks sent through the mail can be lost, stolen, or returned to the IRS, if undeliverable. If you don’t already have a bank account, this might be the perfect time to open one.
Another option is to have your refund deposited onto a prepaid card. If you use a prepaid card, read the fine print and make sure you know how to deposit money onto the card and any fees involved. Cards differ in the types of deposits allowed, the process for receiving government deposits, and the fees charged for certain transactions. If you set up a new prepaid card account for your refund, you may be required to provide information to validate your identity, such as your Social Security number and date of birth.
Whichever method you choose, you can track the status of your federal tax return from the time the IRS received it by visiting https://sa.www4.irs.gov/and filling out the appropriate information, or by downloading the mobile app IRS2GO at https://www.irs.gov/newsroom/irs2goapp.
For more information on tax refunds, visit https://www.irs.gov/refunds.
Protect Your Money from Tax Scams
If your personally identifiable information (PII), such as your name, address, and Social Security number, has been stolen, the information can be used to open credit cards and loans or file a fraudulent tax return in your name, allowing the thief to claim your refund. If you suspect that your information was stolen, contact the IRS by calling 800-908-4490 or visiting the IRS website for identity protection at https://www.irs.gov/identity-theft-fraud-scams.
Be wary of phone calls and emails from anyone claiming to be from the IRS. Identity thieves have been known to pose as IRS agents, providing a fake name and IRS badge number and even creating a fake phone number that appears on caller ID as coming from the IRS. These thieves often threaten people with audits, deportation, and other legal action or promise checks for unclaimed funds.
The IRS typically does not initiate emails to individuals asking for personal information. Before acting on any phone call or email purportedly from the IRS, call the agency at 800-829-1040. An agent will be able to verify whether the IRS is in fact trying to get in touch with you. If you are certain the contact was part of a scam, report it to the Treasury Inspector General for Tax Administration by calling 800-366-4484. You can also report unsolicited emails by forwarding it to mailto:phishing@IRS.gov.
Some people use tax preparers to assist them with preparing their tax return. While most tax preparers are recognized professionals who can be very helpful, some preparers are scammers. Be wary of tax preparers who advertise with fliers or posters promising large refunds or special inside knowledge of little known tax credits and rebates or those volunteering to come to your home to prepare your taxes. These scammers make money stealing your personal information for later use and collecting fees. If you aren’t sure, ask for the tax preparer’s PTIN, which is the IRS tax preparer identification number that all legitimate preparers must have. Also, ask the preparer for references.
For more information on protecting your tax refund, visit: https://www.irs.gov/newsroom/tax-scams-consumer-alerts and https://www.fdic.gov/consumers/assistance/protection/idtheft.html.
What to Do With Your Refund
Once you have received your refund, you need to decide what to do with it. Many people use tax refunds to make large purchases they might not have the cash for at other times of the year. It can also provide a great opportunity to start a new savings option, contribute to your emergency fund, or reduce outstanding debt.
The IRS allows you to divide your federal tax refund into two or three additional financial accounts. By splitting your refund, you have a convenient option for managing your money – sending some of your refund to an account for immediate use and setting some aside for savings. For example, you could have part of your refund deposited to your checking account and the remainder sent to your Individual Retirement Account, or you might use some of your refund to purchase U.S. Series I Savings Bonds. (For more information on purchasing Savings Bonds with your tax refund, visit https://www.treasurydirect.gov)
You may also want to consider using your refund to start or augment emergency savings. Having emergency savings provides peace of mind when something unexpected occurs, such as a major car or home repair. The amount to set aside for your emergency fund will depend on factors such as your monthly expenses and the number of people in your household, but the general rule of thumb is to save at least three to six months’ worth of expenses.
If you are carrying a credit card balance, think about using your tax refund to pay it down or even pay it off. To get the most from your money, it may make sense to pay off a credit card with a high interest rate, compounding against you month after month. Going this route allows you to have more money every month once that credit card payment vanishes from your list of bills, and it can help build your credit as you reduce that debt.
Making extra payments on your mortgage may be another way to use your refund, saving you money over the long term. Since so much of your mortgage payment goes toward paying interest, using your tax refund to make an extra payment or two against the principal will go a long way to reducing the debt and overall cost of the loan.
If you are getting a tax refund this year, remember to take steps to keep your refund safe, know the refund options available to you, and consider different ways to make your money work harder for you.
January 23, 2019, 9:18 AM
Your devices make it easy to connect to the world around you, but they can also pack a lot of info about you and your friends and family, such as your contacts, photos, videos, location and health and financial data. Follow these tips to manage your privacy in an always-on world.
- Secure your devices: Use strong passwords, passcodes or touch ID features to lock your devices. These security measures can help protect your information if your devices are lost or stolen and keep prying eyes out.
- Think before you app: Information about you, such as the games you like to play, your contacts list, where you shop and your location, has value – just like money. Be thoughtful about who gets that information and how it’s collected through apps.
- Now you see me, now you don’t: Some stores and other locations look for devices with WiFi or Bluetooth turned on to track your movements while you are within range. Disable WiFi and Bluetooth when not in use.
- Get savvy about WiFi hotspots: Public wireless networks and hotspots are not secure, which means that anyone could potentially see what you are doing on your mobile device while you are connected. Limit what you do on public WiFi, and avoid logging in to key accounts like email and financial services on these networks. Consider using a virtual private network (VPN) or a personal/mobile hotspot if you need a more secure connection on the go.
Keep A Clean Machine
Source: Stay Safe Online
- Keep your mobile phone and apps up to date: Your mobile devices are just as vulnerable as your PC or laptop. Having the most up-to-date security software, web browser, operating system and apps is the best defense against viruses, malware and other online threats.
- Delete when done: Many of us download apps for specific purposes, such as planning a vacation, and no longer need them afterwards, or we may have previously downloaded apps that are no longer useful or interesting to us. It’s a good security practice to delete all apps you no longer use.
December 18, 2018, 11:30 AM
The Internal Revenue Service and its Security Summit partners today warned tax professionals of an uptick in phishing emails targeting them that involve payroll direct deposit and wire transfer scams.
These business email compromise/business email spoofing (BEC/BES) tactics generally target all types of industry and employers. Recently the IRS received a number of reports from tax preparers that they, too, are being targeted.
The IRS and the Summit partners, consisting of state revenue departments and tax community partners, are concerned these scams – as well as the Form W-2 scam -- could increase as the 2019 tax season approaches.
These emails generally impersonate a company employee, often an executive, and are sent to payroll or human resources personnel. The email from the "employee" asks the payroll or human resource staff to change his or her direct deposit for payroll purposes. The "employee" provides a new bank account and routing number, but it is actually controlled by the thief. This scam is usually discovered pretty quickly, but not before the victim has lost one or two payroll deposits.
In another version of the BEC/BES scam, the emails impersonate a company executive and are sent to the company employee responsible for wire transfers. The email requests that a wire transfer be made to a specific account that is controlled by the thief. Companies that fall victim to this scam can lose tens of thousands of dollars.
A common theme in these and many other email scams is that they include grammatical and spelling mistakes.
All businesses should be alert to these BEC/BES scams that take many forms such as fake invoice payments, title escrow payments, wire transfers or other schemes that result in a quick payoff for the thief. Businesses should consider policy changes to guard against such losses.
One version the IRS and Summit partners have highligted in recent years is the W-2 scam. This involves an email impersonating an executive or person in authority, which requests a list of the organization's Forms W-2 covering all of its employees. The purpose of this scam is to allow thieves to quickly file fraudulent tax returns for refunds. All employers, in both the public and private sectors, should be on guard against this and other dangerous scams.
BEC/BES email examples
Here are examples of emails that have been reported by tax professionals to the IRS in recent days. These emails have been edited by the IRS:
Sent: Monday, December 10, 2018 [REMOVED]
Subject: (no subject)
I changed my bank and I will like my paycheck DD details changed. Do you think this change be effective for the next pay date?
Sent from my iPhone
The wire transfer scam is similar:
-------- Original message --------
Date: 12/10/18 [REMOVED]
Subject: ACH Payment Attention
Please confirm the receipt of my message, Authorized can you handle domestic transfer payment now?
Sent from my iPhone
Where to send the BEC/BES emails
General non-tax related BEC/BES email scams should be forwarded to Internal Crime Complaint Center (IC3), which is monitored by the Federal Bureau of Investigation. The public can file a complaint about email scams or other internet-related scams by going to www.ic3.gov.
Tax professionals and others should also report tax-related phishing emails to email@example.com. This account is monitored by IRS cybersecurity professionals. This reporting process also enables the IRS and Security Summit partners to identify trends and issue warnings.
Because of the dangers to tax administration posed by the Form W-2 scam, the IRS set up a reporting process for employers. Employers who fall victim to the W-2 scam should report it at firstname.lastname@example.org. There is a process employers can follow at Form W-2/SSN Data Theft: Information for Businesses and Payroll Service Providers. Employers who receive the W-2 scam email but do not fall victim should forward the email to email@example.com.
December 03, 2018, 3:54 PM
Older consumers who report losing money to fraud are reporting a disturbing trend: Scammers claiming to be a loved one in trouble are getting people 70 and over to send thousands of dollars in cash.
In the second Consumer Protection Data Spotlight, the Federal Trade Commission examined complaints about family and friend imposter scams. These scammers often call seniors claiming to be a grandchild. The FTC is seeing an increase in the number of people ages 70 and over who say they sent cash in response to this particular scam – one in four said they mailed cash in 2018, compared to one in fourteen the prior year. In about half of these types of complaints, the scammer said they were in jail or some other legal trouble and in need of money to get out of trouble.
All age groups reported losing more money over the last 12 months to family and friend imposter scams – a total of $41 million, compared to $26 million the previous year. The most striking concern is individual losses by older Americans. The median loss for this scam was $2,000, but when seniors ages 70 and over said they put cash in the mail, their median loss was $9,000.
The FTC urges those who might get such a call to not act right away. Instead, the FTC recommends calling the family member or friend using a known number, or checking out the request with someone else in their family or a mutual friend.
Source: Federal Trade Commission
December 03, 2018, 3:51 PM
Is identity theft just a problem for people who submit information online?
You can be a victim of identity theft even if you never use a computer. Malicious people may be able to obtain personal information (such as credit card numbers, phone numbers, account numbers, and addresses) by stealing your wallet, overhearing a phone conversation, rummaging through your trash (a practice known as dumpster diving), or picking up a receipt at a restaurant that has your account number on it. If a thief has enough information, he or she may be able to impersonate you to purchase items, open new accounts, or apply for loans.
The internet has made it easier for thieves to obtain personal and financial data. Most companies and other institutions store information about their clients in databases; if a thief can access that database, he or she can obtain information about many people at once rather than focus on one person at a time. The internet has also made it easier for thieves to sell or trade the information, making it more difficult for law enforcement to identify and apprehend the criminals.
How are victims of online identity theft chosen?
Identity theft is usually a crime of opportunity, so you may be victimized simply because your information is available. Thieves may target customers of certain companies for a variety of reasons; for example, a company database is easily accessible, the demographics of the customers are appealing, or there is a market for specific information. If your information is stored in a database that is compromised, you may become a victim of identity theft.
Are there ways to avoid being a victim?
Unfortunately, there is no way to guarantee that you will not be a victim of online identity theft. However, there are ways to minimize your risk:
- Do business with reputable companies – Before providing any personal or financial information, make sure that you are interacting with a reputable, established company. Some attackers may try to trick you by creating malicious web sites that appear to be legitimate, so you should verify the legitimacy before supplying any information. (See Avoiding Social Engineering and Phishing Attacks and Understanding Web Site Certificates for more information.)
- Take advantage of security features – Passwords and other security features add layers of protection if used appropriately. (See Choosing and Protecting Passwords and Supplementing Passwords for more information.)
- Check privacy policies – Take precautions when providing information, and make sure to check published privacy policies to see how a company will use or distribute your information. (See Protecting Your Privacy and How Anonymous Are You? for more information.) Many companies allow customers to request that their information not be shared with other companies; you should be able to locate the details in your account literature or by contacting the company directly.
- Be careful what information you publicize – Attackers may be able to piece together information from a variety of sources. Avoid posting personal data in public forums. (See Guidelines for Publishing Information Online for more information.)
- Use and maintain anti-virus software and a firewall – Protect yourself against viruses and Trojan horses that may steal or modify the data on your own computer and leave you vulnerable by using anti-virus software and a firewall. (See Understanding Anti-Virus Software and Understanding Firewalls for more information.) Make sure to keep your virus definitions up to date.
- Be aware of your account activity – Pay attention to your statements, and check your credit report yearly. You are entitled to a free copy of your credit report from each of the main credit reporting companies once every twelve months. (See AnnualCreditReport.com for more information.)
How do you know if your identity has been stolen?
Companies have different policies for notifying customers when they discover that someone has accessed a customer database. However, you should be aware of changes in your normal account activity. The following are examples of changes that could indicate that someone has accessed your information:
- unusual or unexplainable charges on your bills
- phone calls or bills for accounts, products, or services that you do not have
- failure to receive regular bills or mail
- new, strange accounts appearing on your credit report
- unexpected denial of your credit card
What can you do if you suspect or know that your identity has been stolen?
Recovering from identity theft can be a long, stressful, and potentially costly process. Many credit card companies have adopted policies that try to minimize the amount of money you are liable for, but the implications can extend beyond your existing accounts. To minimize the extent of the damage, take action as soon as possible:
- Start by visiting IdentityTheft.gov – This is a trusted, one-stop resource to help you report and recover from identity theft. Information provided here includes checklists, sample letters, and links to other resources.
- Possible next steps in the process – You may need to contact credit reporting agencies or companies where you have accounts, file police or other official reports, and consider other information that may have been compromised.
Other sites that offer information and guidance for recovering from identity theft are:
Source: United States Computer Emergency Readiness Team