As tax season rolls around yet again, businesses are increasingly becoming targets for scammers, thanks to the massive amounts of sensitive data they hold, the growing sophistication of the scammers and their cons, and the scammers' ability to impersonate parties in the 'tax filing supply chain' (including the IRS itself), so that staff may be tricked into making tax payments on behalf of your organization.
This trend isn’t anything new, but it is getting worse. In 2016, criminals claimed $224 million USD in fraudulent tax refunds; in 2017, that number jumped to $961 million, a more than four-fold increase. Further, from October 2013 to February 2017, more than 10,000 victims of phone scams were identified, paying a collective total of $54 million to fraudsters.
The clear potential for profit gives cybercriminals plenty of motivation to exploit the huge task that businesses face when filing taxes. During this busy season, the IRS and FTC urge businesses to be on guard against the following tax-related scams:
- The Classic: A Phone Call. This age-old scam involves a fraudster posing as an IRS official who calls to inform the accounting department or CFO that they are at risk of going to jail or having their business suspended over money owed to the IRS unless they transfer money immediately. Fraudsters are able to spoof IRS toll-free numbers, so it may even appear that the caller is, in fact, calling from the IRS. Caller ID is not authentication: hang up and call back on a number taken from the IRS website, never one the caller gives you.
- The Money-Maker: False Returns. Because of the likelihood of larger payouts, fraudsters are also setting their sights on filing false corporate returns. In 2017, approximately 10,000 business-related tax returns were flagged as potentially fraudulent, a significant increase from two years before, when the IRS found just 350.
- The Executive: Business Email Compromise (BEC). Phishing comes in as many forms as fish in the sea, but a clever twist involves cybercriminals posing as C-level executives in order to trick the payroll departments of large corporations (think Snapchat and Seagate Technology) into releasing copies of their employees’ W-2 forms. The information they glean from this BEC scam is then used to file false tax returns or is sold on the Dark Web to the highest bidder.
- The Redirect: Fraudulent Links. In addition to BEC scams attempting to access employee data, phishing emails impersonating the IRS are becoming more convincing. They use social engineering to trick employees in the accounting and tax departments into clicking on fraudulent links that lead either to fake IRS sites designed to steal information or to sites that infect users' systems with malware. As the samples below show, the design of the pages is lifted directly from the authentic IRS site, making it difficult to distinguish without close scrutiny of the URL, specifically the host name the browser will actually connect to, not the text of the link.
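The BEC and fraudulent-link patterns above can be triaged with a few mechanical checks before anyone acts on a message. The following Python is an added example, not code from the original post or from any product it describes. It assumes a hypothetical organization domain, a small directory of executives, and a constructed sample message; it flags a display name that belongs to a known executive but arrives from a foreign address, a Reply-To that differs from From, and links whose actual host is not irs.gov even though "irs" appears in the URL (subdomain prefixes, hyphenated look-alikes, userinfo tricks such as `irs.gov@evil.example`, and punycode hosts).

```python
"""Triage checks for two tax-season phishing patterns: an executive-impersonation
BEC message and links to look-alike IRS sites. Added example; the organization
directory and the sample message are constructed, not real."""
import re
from email import message_from_string
from email.utils import parseaddr
from urllib.parse import urlparse

# Hypothetical organization data. In practice these come from the directory.
ORG_DOMAIN = "example.com"
EXECUTIVES = {"jane doe": "jane.doe@example.com"}  # display name -> real address

# irs.gov is the genuine IRS domain; only it and its subdomains count as IRS.
IRS_DOMAIN = "irs.gov"

URL_RE = re.compile(r"https?://[^\s<>\"')]+", re.IGNORECASE)
IRS_WORD_RE = re.compile(r"\birs\b", re.IGNORECASE)  # 'irs' as a token, not 'first'


def actual_host(url: str) -> str:
    """Host the browser will really connect to. urlparse().hostname discards
    userinfo ('irs.gov@evil.example' -> 'evil.example') and the port."""
    return (urlparse(url).hostname or "").lower().rstrip(".")


def is_irs_host(host: str) -> bool:
    """True only for irs.gov itself or a subdomain of it."""
    return host == IRS_DOMAIN or host.endswith("." + IRS_DOMAIN)


def classify_url(url: str) -> str:
    """'irs' for the real site, 'punycode' for IDN/homograph hosts, 'lookalike'
    when the URL mentions the IRS but does not resolve to irs.gov, else 'external'."""
    host = actual_host(url)
    if is_irs_host(host):
        return "irs"
    if not host.isascii() or any(label.startswith("xn--") for label in host.split(".")):
        return "punycode"
    if IRS_WORD_RE.search(url):  # checks the whole URL so userinfo tricks are caught
        return "lookalike"
    return "external"


def check_sender(msg) -> list:
    """Flag display-name impersonation of a known executive and Reply-To redirection."""
    findings = []
    name, addr = parseaddr(msg.get("From", ""))
    addr = addr.lower()
    known = EXECUTIVES.get(name.strip().lower())
    if known and addr != known:
        findings.append(f"display name '{name}' belongs to {known} but From is {addr}")
    _, reply_to = parseaddr(msg.get("Reply-To", ""))
    if reply_to and reply_to.lower() != addr:
        findings.append(f"Reply-To {reply_to.lower()} differs from From {addr}")
    return findings


def triage(raw_message: str) -> dict:
    """Parse a raw RFC 5322 message and return sender findings plus a verdict per link."""
    msg = message_from_string(raw_message)
    body = msg.get_payload() if not msg.is_multipart() else ""
    links = {url: classify_url(url) for url in URL_RE.findall(body)}
    return {"sender": check_sender(msg), "links": links}


# Constructed sample: a W-2 request that mimics the CEO and carries two fake IRS
# links and one genuine one. All non-IRS domains use the reserved .test TLD.
SAMPLE = """\
From: Jane Doe <jane.doe@examp1e.test>
Reply-To: ceo.office@mail-relay.test
To: payroll@example.com
Subject: W-2s needed today

Please send me PDF copies of all employee W-2s. Also confirm our filing
status here: https://irs.gov.verify-refund.test/login and
http://irs.gov@secure-login.test/ and https://www.irs.gov/refunds
"""

if __name__ == "__main__":
    result = triage(SAMPLE)
    for finding in result["sender"]:
        print("SENDER:", finding)
    for url, verdict in result["links"].items():
        print(f"LINK [{verdict:9}] {url}")
```

Run as a script it prints two sender findings and marks the first two links as look-alikes and the third as genuine. The checks are heuristics for triage, not authentication: a message that passes them still deserves the out-of-band confirmation (a phone call to the executive on a known number) that the advice below calls for.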
For Every Action There Is a Fraudster Reaction
Despite the surfeit of tax scams out there this season, there are steps that organizations can take to limit their exposure:
- File early. The IRS accepts only one return per taxpayer identifier, so make sure your legitimate return is the first one it receives. Fraudsters can't collect a refund if they can't file on your behalf.
- Limit access. Allow only a small number of people to handle your tax filings and all contact with the IRS, and make sure those people are trained to spot fraudulent queries and imposter IRS websites.
- Educate staff and stakeholders. Make sure all interested parties are taught how to spot suspicious emails and to never open attachments or follow links in unsolicited messages. Finance, accounting, and tax teams are always higher-risk targets, given their proximity and access to funds and employee data, so additional security training and controls for these employees are usually worth the cost.
- Implement a proactive anti-fraud strategy. Controls that stop an attack before it reaches its target, rather than detecting it afterwards, are the most effective way to shield your organization from all types of fraud, including tax scams.
To learn more about how to protect your organization from business email compromise and other sophisticated attacks, take a look at this short video.