December 18, 2018, 11:30 AM
The Internal Revenue Service and its Security Summit partners today warned tax professionals of an uptick in phishing emails targeting them that involve payroll direct deposit and wire transfer scams.
These business email compromise/business email spoofing (BEC/BES) tactics generally target all types of industry and employers. Recently the IRS received a number of reports from tax preparers that they, too, are being targeted.
The IRS and the Summit partners, consisting of state revenue departments and tax community partners, are concerned these scams – as well as the Form W-2 scam -- could increase as the 2019 tax season approaches.
These emails generally impersonate a company employee, often an executive, and are sent to payroll or human resources personnel. The email from the "employee" asks the payroll or human resource staff to change his or her direct deposit for payroll purposes. The "employee" provides a new bank account and routing number, but it is actually controlled by the thief. This scam is usually discovered pretty quickly, but not before the victim has lost one or two payroll deposits.
In another version of the BEC/BES scam, the emails impersonate a company executive and are sent to the company employee responsible for wire transfers. The email requests that a wire transfer be made to a specific account that is controlled by the thief. Companies that fall victim to this scam can lose tens of thousands of dollars.
A common theme in these and many other email scams is that they include grammatical and spelling mistakes.
All businesses should be alert to these BEC/BES scams that take many forms such as fake invoice payments, title escrow payments, wire transfers or other schemes that result in a quick payoff for the thief. Businesses should consider policy changes to guard against such losses.
One version the IRS and Summit partners have highligted in recent years is the W-2 scam. This involves an email impersonating an executive or person in authority, which requests a list of the organization's Forms W-2 covering all of its employees. The purpose of this scam is to allow thieves to quickly file fraudulent tax returns for refunds. All employers, in both the public and private sectors, should be on guard against this and other dangerous scams.
BEC/BES email examples
Here are examples of emails that have been reported by tax professionals to the IRS in recent days. These emails have been edited by the IRS:
Sent: Monday, December 10, 2018 [REMOVED]
Subject: (no subject)
I changed my bank and I will like my paycheck DD details changed. Do you think this change be effective for the next pay date?
Sent from my iPhone
The wire transfer scam is similar:
-------- Original message --------
Date: 12/10/18 [REMOVED]
Subject: ACH Payment Attention
Please confirm the receipt of my message, Authorized can you handle domestic transfer payment now?
Sent from my iPhone
Where to send the BEC/BES emails
General non-tax related BEC/BES email scams should be forwarded to Internal Crime Complaint Center (IC3), which is monitored by the Federal Bureau of Investigation. The public can file a complaint about email scams or other internet-related scams by going to www.ic3.gov.
Tax professionals and others should also report tax-related phishing emails to email@example.com. This account is monitored by IRS cybersecurity professionals. This reporting process also enables the IRS and Security Summit partners to identify trends and issue warnings.
Because of the dangers to tax administration posed by the Form W-2 scam, the IRS set up a reporting process for employers. Employers who fall victim to the W-2 scam should report it at firstname.lastname@example.org. There is a process employers can follow at Form W-2/SSN Data Theft: Information for Businesses and Payroll Service Providers. Employers who receive the W-2 scam email but do not fall victim should forward the email to email@example.com.
December 03, 2018, 3:54 PM
Older consumers who report losing money to fraud are reporting a disturbing trend: Scammers claiming to be a loved one in trouble are getting people 70 and over to send thousands of dollars in cash.
In the second Consumer Protection Data Spotlight, the Federal Trade Commission examined complaints about family and friend imposter scams. These scammers often call seniors claiming to be a grandchild. The FTC is seeing an increase in the number of people ages 70 and over who say they sent cash in response to this particular scam – one in four said they mailed cash in 2018, compared to one in fourteen the prior year. In about half of these types of complaints, the scammer said they were in jail or some other legal trouble and in need of money to get out of trouble.
All age groups reported losing more money over the last 12 months to family and friend imposter scams – a total of $41 million, compared to $26 million the previous year. The most striking concern is individual losses by older Americans. The median loss for this scam was $2,000, but when seniors ages 70 and over said they put cash in the mail, their median loss was $9,000.
The FTC urges those who might get such a call to not act right away. Instead, the FTC recommends calling the family member or friend using a known number, or checking out the request with someone else in their family or a mutual friend.
Source: Federal Trade Commission
December 03, 2018, 3:51 PM
Is identity theft just a problem for people who submit information online?
You can be a victim of identity theft even if you never use a computer. Malicious people may be able to obtain personal information (such as credit card numbers, phone numbers, account numbers, and addresses) by stealing your wallet, overhearing a phone conversation, rummaging through your trash (a practice known as dumpster diving), or picking up a receipt at a restaurant that has your account number on it. If a thief has enough information, he or she may be able to impersonate you to purchase items, open new accounts, or apply for loans.
The internet has made it easier for thieves to obtain personal and financial data. Most companies and other institutions store information about their clients in databases; if a thief can access that database, he or she can obtain information about many people at once rather than focus on one person at a time. The internet has also made it easier for thieves to sell or trade the information, making it more difficult for law enforcement to identify and apprehend the criminals.
How are victims of online identity theft chosen?
Identity theft is usually a crime of opportunity, so you may be victimized simply because your information is available. Thieves may target customers of certain companies for a variety of reasons; for example, a company database is easily accessible, the demographics of the customers are appealing, or there is a market for specific information. If your information is stored in a database that is compromised, you may become a victim of identity theft.
Are there ways to avoid being a victim?
Unfortunately, there is no way to guarantee that you will not be a victim of online identity theft. However, there are ways to minimize your risk:
- Do business with reputable companies – Before providing any personal or financial information, make sure that you are interacting with a reputable, established company. Some attackers may try to trick you by creating malicious web sites that appear to be legitimate, so you should verify the legitimacy before supplying any information. (See Avoiding Social Engineering and Phishing Attacks and Understanding Web Site Certificates for more information.)
- Take advantage of security features – Passwords and other security features add layers of protection if used appropriately. (See Choosing and Protecting Passwords and Supplementing Passwords for more information.)
- Check privacy policies – Take precautions when providing information, and make sure to check published privacy policies to see how a company will use or distribute your information. (See Protecting Your Privacy and How Anonymous Are You? for more information.) Many companies allow customers to request that their information not be shared with other companies; you should be able to locate the details in your account literature or by contacting the company directly.
- Be careful what information you publicize – Attackers may be able to piece together information from a variety of sources. Avoid posting personal data in public forums. (See Guidelines for Publishing Information Online for more information.)
- Use and maintain anti-virus software and a firewall – Protect yourself against viruses and Trojan horses that may steal or modify the data on your own computer and leave you vulnerable by using anti-virus software and a firewall. (See Understanding Anti-Virus Software and Understanding Firewalls for more information.) Make sure to keep your virus definitions up to date.
- Be aware of your account activity – Pay attention to your statements, and check your credit report yearly. You are entitled to a free copy of your credit report from each of the main credit reporting companies once every twelve months. (See AnnualCreditReport.com for more information.)
How do you know if your identity has been stolen?
Companies have different policies for notifying customers when they discover that someone has accessed a customer database. However, you should be aware of changes in your normal account activity. The following are examples of changes that could indicate that someone has accessed your information:
- unusual or unexplainable charges on your bills
- phone calls or bills for accounts, products, or services that you do not have
- failure to receive regular bills or mail
- new, strange accounts appearing on your credit report
- unexpected denial of your credit card
What can you do if you suspect or know that your identity has been stolen?
Recovering from identity theft can be a long, stressful, and potentially costly process. Many credit card companies have adopted policies that try to minimize the amount of money you are liable for, but the implications can extend beyond your existing accounts. To minimize the extent of the damage, take action as soon as possible:
- Start by visiting IdentityTheft.gov – This is a trusted, one-stop resource to help you report and recover from identity theft. Information provided here includes checklists, sample letters, and links to other resources.
- Possible next steps in the process – You may need to contact credit reporting agencies or companies where you have accounts, file police or other official reports, and consider other information that may have been compromised.
Other sites that offer information and guidance for recovering from identity theft are:
Source: United States Computer Emergency Readiness Team
November 27, 2018, 11:22 AM
As your options for purchasing and banking online grow, so does the need to safeguard your security and privacy while using the internet on your mobile device. Online security protects you from fraudulent intrusion as well as the careless release of your sensitive data.
Sometimes, mobile security is as simple as a frequent review of your bank accounts to ensure that nothing unauthorized has occurred. But there are other things you can do to stay safe in an online environment.
Here are 10 online mobile security tips to help protect your money and your sensitive data.
1. Use strong passwords
A strong password is the first step in mobile security. This is something that can't be easily guessed by either another human or a computer program. The strongest password should have at least eight characters and include letters, numbers, and symbols. Make sure you are using different passwords for your various online accounts.
2. Avoid vulnerable numbers
It's never a good idea to use identifying numbers as part of your password, personal identification number (PIN), or user ID. This includes parts of your Social Security number, birth date, age, or those of loved ones. This is information that someone else could find and use to access your account.
3. Watch for strange emails
Your bank will never send you emails requesting that you send them back sensitive data such as your account information or login details. If you receive emails like this, you can call the bank to verify their legitimacy.
4. Be wary of email attachments
Avoid clicking on email attachments unless you are 100% sure that you know the sender of the message. Attachments can launch virus programs on your mobile device and compromise your sensitive information. Even if a message appears to come from a friend or familiar company, it's always better to use caution with attachments.
5. Watch your online sharing
The more information about yourself you disclose online, the more vulnerable you can become to fraud. Identity thieves are looking for accounts that have plenty of data, so it's a good idea to check your social network privacy settings and curtail your sharing.
6. Pause before you click
When shopping and banking online, you can avoid scams by only using sites that have strong security in place. Look for websites that have an "https" at the beginning instead of just "http." That extra "s" indicates that they have put extra security measures in place.
7. Secure your smartphone
If you shop, access mobile banking, and have any other sensitive data on your smartphone, keep it secure. You can do this by turning on the screen lock function of your phone. After a set period of inactivity, your screen will lock and the phone will ask for a passcode or your fingerprint to be used again.
8. Don't store sensitive data on your phone
Certain sensitive data should not be stored on a mobile device. This includes bank account numbers, PINs, Social Security numbers, and credit card numbers. If you use a mobile banking app, your bank will not display this data on the app.
9. Use caution with apps
10. Update your technology
Mobile devices run on an operating system (generally iOS or Android), and these systems often have security patches in each version. You should not only keep your operating system updated but also consider an additional mobile antivirus program.
City Bank Cares About Your Personal Information
By following these mobile security tips, you can help prevent your sensitive information from getting into the wrong hands. If you suspect that your banking data has been compromised, contact us immediately.
At City Bank, we take your privacy and security seriously. We use a layered approach to help protect your identity and financial accounts. If you have any concerns about mobile security, we're here to answer your questions.
November 20, 2018, 2:20 PM
The Internal Revenue Service and Security Summit partners today warned the public of a surge of fraudulent emails impersonating the IRS and using tax transcripts as bait to entice users to open documents containing malware.
The scam is especially problematic for businesses whose employees might open the malware because this malware can spread throughout the network and potentially take months to successfully remove.
This well-known malware, known as Emotet, generally poses as specific banks and financial institutions in its effort to trick people into opening infected documents. The Summit partnership of the IRS, state tax agencies and the nation’s tax industry remind taxpayers to watch out for this scam.
However, in the past few weeks, the scam masqueraded as the IRS, pretending to be from “IRS Online.” The scam email carries an attachment labeled “Tax Account Transcript” or something similar, and the subject line uses some variation of the phrase “tax transcript.”
These clues can change with each version of the malware. Scores of these malicious Emotet emails were forwarded to firstname.lastname@example.org recently.
The IRS reminds taxpayers it does not send unsolicited emails to the public, nor would it email a sensitive document such as a tax transcript, which is a summary of a tax return. The IRS urges taxpayers not to open the email or the attachment. If using a personal computer, delete or forward the scam email to email@example.com. If you see these using an employer’s computer, notify the company’s technology professionals.
The United States Computer Emergency Readiness Team (US-CERT) issued a warning in July about earlier versions of the Emotet in Alert (TA18-201A) Emotet Malware.
US-CERT has labeled the Emotet Malware “among the most costly and destructive malware affecting state, local, tribal, and territorial (SLTT) governments, and the private and public sectors.”
November 20, 2018, 2:18 PM
As the holidays approach, NCCIC reminds users to be aware of seasonal scams and malware campaigns. Users should be cautious of unsolicited emails that contain malicious links or attachments with malware, advertisements infected with malware, and requests for donations from fraudulent charitable organizations, which could result in security breaches, identify theft, or financial loss.
NCCIC recommends the following actions:
If you believe you are a victim of a scam or malware campaign, consider the following actions: