It’s almost tax filing season, and scammers are seeking people’s information to file taxes in their name and receive their returns. According to the 2019 Internet Security Threat Report, malicious emails and other forms of phishing are dangers, especially to employees of small organizations, with 48 percent of malicious email attachments coming from downloadable Office files. TruWest Credit Union security engineer Chris Sprague has some tips on how to keep your identity safe from criminals and avoid becoming a victim of a tax scam as you prepare for National Tax Day on April 15.
AZ Big Media: What is the most common way that criminals get people’s information? Is there any new tax scam that has come to the forefront due to new technology?
Chris Sprague: Scammers are lazy. They use methods that are tried and true, which always are very effective, and that is social engineering. Phishing is a form of social engineering and so are these phone calls. They are very effective, especially for people that aren’t technologically savvy. Folks get kind of flustered and they see an email that looks official. It is trivially easy to capture the IRS signage and such off of the IRS web page and create emails that look really official. It’s incredibly easy to just do screenshots, capture the logos, create a realistic-looking email and get people to click on links and provide login information, and then they’ve got you.
Additionally, there are constantly breaches that happen across the internet where folks’ usernames and passwords are collected, and the bad guys then use that information to try and log in to various sites with the credentials that they have. So if a person is using the same password across multiple sites, that gives the bad guys that much more success when they go trying to see what they can get into. So I think it’s a combination of old, tried-and-true social engineering that is phone calls and emails, together with breach information collected from various breaches that happen constantly.
ABM: What are your top 5 tips for people so they do not become victims of tax scams?
File early and with a trusted internet connection
CS: File your taxes as early as possible. The more time that the bad guys are able to steal your identity and file taxes as you, or the longer that you wait to file, the more opportunity that gives them to file as you. I would also absolutely never do my taxes over an insecure wireless connection. So plan to do that at your house, ideally over wired connection. But definitely, if you’re going to connect to wifi, connect to a trusted wireless network.
Create strong password phrases
CS: There will be passwords involved with every account that you create. When you are filing your taxes, make sure you are creating strong passwords. These days we are advising folks to use “passphrases.” So instead of the uppercase and lowercase letters, digits, plus some characters, we’re saying to just create a very long passphrase. It’s okay if it’s all letters. Just make it a sentence that you will remember and that is extremely long. If you can add spaces, then that’s good, but if it’s just one big jumbled phrase without spaces, then that’s good, too. But using a very strong password for those sites is very much advised.
Use multi-factor authentication to avoid tax scam
CS: Use multi-factor authentication for your account as well. That just means that you enter a username and password, and then you’re prompted to receive a text that you need to enter in, a one time code from that text to finish the authentication process. Or, if you’re using tools like Google authenticator, it’s a pretty popular one that is constantly generating new codes. We strongly advise anyone to use multi-factor authentication for any of their sensitive accounts, especially their financial accounts.
Be informed about the IRS
CS: The IRS will only reach out to you via mail. Good, old-fashioned “snail mail” is the only way that you should expect to hear from the IRS. If somebody calls claiming to be from the IRS, hang up on them. They do not make personal phone calls out to people. Same thing with email. They’re not going to reach out via email, and more than likely it’s a phishing scam if you’re receiving an email from the IRS. Also, if you go searching for information online, the IRS is always at irs.gov. So if you see any other site, irs.com or irs.net, that is not the official IRS site.
Check out the IRS’ new PIN program
CS: One thing that I actually just learned about, is that the IRS just this year implemented a PIN program, an identity protection pin that you can use to further secure your tax returns. If you go to the IRS site, you can set up this new PIN. Setting up the PIN requires you to verify quite a lot of information about yourself, to prove you are who you say you are, before obtaining this PIN that you can then use to secure your tax return with the IRS. So the combination of all those things will leave you in pretty good shape.
ABM: What advice do you give to someone who finds themself a victim of one of a tax scam?
CS: Check out the IRS web page, taxpayer guide to identity theft. There are ways for you to fill out IRS forms stating that you are a victim of identity theft, so they have record of that, and that essentially starts the process of getting your information back in your hands, to stop the bad guys.
