Tax fraud schemes in 2022 netted scammers $5.7 billion, more than twice the amount of the previous year, according to the Internal Revenue Service, and there doesn’t appear to be any letup in sight.
While scams may be on the rise, the good news is that the core tactics used by fraudsters remain basically unchanged, which means that by understanding the signs of tax fraud and taking measures to counter it, consumers and businesses can avoid becoming victims during tax season.
“Threat actors regularly capitalize on tax season,” observed Selena Larson, a senior threat intelligence analyst with Proofpoint, an enterprise security company in Sunnyvale, Calif.
“They know a large segment of the population will be dealing with the stress and urgency of filing their taxes correctly and on time,” she told TechNewsWorld. “It is these pressures which make people more susceptible to a tax-themed email offering support or a warning when it’s actually a vessel for fraud.”
“And as tax season directly deals with finances, there is an open window for a bigger payday,” she said.
Larson added that threat actors are getting more adept at employing social engineering to prey on people’s fears, emotions, and urgency during tax season.
“They will leverage the IRS brand and spoof government sites, purporting to be a tax authority either communicating some legitimate piece of needed information — such as a change to a form or a process — or attempting to collect a payment,” she explained.
Data Breach Fueled Growth
Larson also advised consumers and businesses to be aware of phony “tax preparation services.” These types of attacks usually go beyond simple authentication credentials, such as usernames and passwords, she noted, and attempt to steal personal information, including Social Security numbers and bank account information.
“Most tax professionals offer excellent advice and can help people navigate complex tax issues,” IRS Commissioner Danny Werfel said in a statement. “But we continue to see instances where taxpayers are ‘ghosted’ by unscrupulous tax preparers with bad advice who quickly disappear.”
The sheer amount of personal information circulating on the internet from numerous data breaches has also contributed to the growth of tax fraud.
“There’s a lot of information on the internet that can be used in tax fraud schemes,” observed Abigail Showman, senior team lead with Washington, D.C.-based Flashpoint, a provider of threat intelligence, threat analysis, and incident response services, which recently released a report on tax fraud.
“A lot of threat actors can collect that information and utilize it pretty easily in tax fraud schemes,” she told TechNewsWorld.
“Every year, more sensitive information about people is lost in data breaches and through other means,” explained Erich Kron, a security awareness advocate at KnowBe4, a security awareness training provider in Clearwater, Fla.
“This allows attackers to have a huge list of people to target, many of whom they have very detailed information about,” he told TechNewsWorld. “This helps these bad actors make more convincing social engineering emails and other communications.”
Threat actors will recycle information, too, noted Showman’s colleague, Tactical Threat Monitoring Analyst Rebecca McHale. “They might apply for unemployment benefits, then turn around and use that personal identifying information for other schemes, including tax fraud,” she told TechNewsWorld.
“They want to get the most bang for the buck from the compromised PII they hijack and steal for malicious purposes,” she said.
In its report on tax fraud, Flashpoint identified several ways fraudsters try to pry information or money out of their targets, including:
- Phishing. A tried-and-true technique that uses email to get a target to go to a malicious website or to share information on their W-2 form.
- Refund scams. A fraudster will contact a victim and offer to get them a larger-than-expected refund. After the target gives the scammer all the information needed to file a tax return, the trickster will file the return and have the refund sent to himself.
- Filing for false tax credits. When a fraudster files a return for a victim, they’ll include claims for credits for which the target is ineligible.
“We’ve seen a lot of student tax credits being filed that way,” McHale said. “That would include the Lifetime Learning credit and the American Opportunity tax credit.”
“Students are usually first-time filers and don’t have great identity protection set up yet, like their identity protection PIN and adjusted gross income,” she explained.
Amy Nofziger, director of fraud victim support at the AARP, noted that the organization’s Fraud Watch Network Helpline continues to receive calls about IRS Imposter scams.
“You will receive a phone call or text saying there is an issue with your tax refund, and you will be arrested,” she told TechNewsWorld. “The scammers will then demand immediate payment, usually by pre-paid gift cards or another non-traditional form of payment like cryptocurrency.”
Education Is Imperative
Spear phishing is prevalent during tax season, observed Dror Liwer, co-founder of Coro, a cloud-based cybersecurity company based in Tel Aviv, Israel. “An attacker impersonates an employee or a vendor, sometimes even the accounting firm the company is using, asking for data or tax documents which they then use either for identity theft or hold for ransom,” he told TechNewsWorld.
“Beyond deploying anti-phishing defenses, accounting departments must be retrained in identifying and reporting phishing attempts,” he recommended.
“Simulation ahead of time will highlight which employees need additional training,” he added.
Education can be an important weapon in the battle against tax fraud. “It helps potential victims to recognize these scams and stay safe,” Jon Clay, vice president of threat intelligence at Trend Micro, told TechNewsWorld.
“Educate your employees on how phishing works,” he advised. “Ensure they are suspicious of any communications that involve tax returns and financial transactions and have a process for employees to submit suspicious content to IT for review.”
He also recommended deploying an email messaging security solution that utilizes machine learning and AI to detect spam and phishing emails.
Fraud fighters, however, won’t be the only ones using AI to advance their aims.
“We’ve seen anecdotal chatter about exploiting artificial intelligence to facilitate fraud, but this tax season, it hasn’t been widespread,” McHale said. “While we haven’t seen it for this tax season, stay tuned. It’s something we’ll be keeping an eye on during the next tax season.”