Tax season is miserable for many because it means having to cut a check to the IRS. But it’s not just Uncle Sam who’s interested in your money. Scammers are also looking to get paid, and they’ll do it by stealing personal information. Employees tasked with preparing tax forms, like human resources (HR) professionals, are prime targets of scams. Using various forms of subterfuge, scammers convince HR to hand over private information about an employee, which they’ll then use to file false tax refund claims. The surge in tax scams has prompted the IRS to issue multiple alerts and host National Tax Security Awareness Week last December to educate the public about tax-related cybercriminal activity.
What’s the scam?
Scammers impersonate people whom the victim is likely to trust, like a well-known service provider (e.g., FedEx) or a person with a legitimate need for access to sensitive information (e.g., an IRS agent). This is known as “spoofing.” Sometimes a “spoofed” email tries to get the recipient to open an attachment containing a virus or click on a link to a malicious site (which might look legitimate). A specific type of spoofing attack known as “phishing” aims to convince the victim to divulge personal or financial information. For example, a phisher posing as an employee might email the HR department for a copy of his W-2 form. Even more targeted is a “spear phishing” attack aimed at a specific individual. The IRS has warned of spear phishing schemes involving emails to an HR professional sent from the spoofed email address of a C-suite executive. The email will ask the HR professional to send a tax form or to provide information about an employee supposedly for a tax filing. Once the scammer has the information, he or she will file a tax refund under the employee’s name.
Protective measures
The best way to avoid being a victim of a phishing attack is to raise awareness. Employees should be regularly trained to practice the following defensive measures:
- Be suspicious of all email requests for confidential information, even if they come from high-level personnel within the company. Tell-tale signs are spelling or grammatical errors or language that the sender doesn’t typically use.
- Confirm requests for confidential information by calling the requester.
- Avoid sending confidential information electronically. Hand deliver the information or send it by mail to a verified address.
- If confidential information has to be transmitted electronically, encrypt it before sending.
- Never send confidential information by hitting the “reply” button. If an email is spoofed, the reply will go to the imposter. Instead, compose a new email and manually type in the recipient’s email address.
- Apply extreme caution when opening attachments. Never open an attachment with the .exe extension. Note that an attachment might be altered to look like an ordinary word processing document, spreadsheet, or PDF. When in doubt, send your IT department a screenshot of the email and consult with them on what to do next.
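The checks in the list above (a sender whose address is outside the company but whose name matches an executive, a Reply-To that diverts answers elsewhere, an attachment disguised with a double extension such as .pdf.exe, and a body asking for W-2 or other confidential data) can also be applied automatically before a message reaches HR. The following Python script is an added example and is not code from the original article; the corporate domain `example.com`, the `EXECUTIVES` directory, and both sample messages are constructed placeholders, and the finding names are this example's own.

```python
import difflib
import email
from email import policy
from email.message import EmailMessage

# Assumed corporate domain and executive directory (placeholders for this example)
COMPANY_DOMAIN = "example.com"
EXECUTIVES = {"jane doe": "jane.doe@example.com"}  # display name -> real address
EXECUTABLE_EXTS = {"exe", "scr", "bat", "cmd", "com", "js", "vbs", "pif"}
SENSITIVE_TERMS = ("w-2", "w2", "tax form", "social security", "ssn")


def analyze(raw: bytes) -> list[str]:
    """Return a list of findings for one raw RFC 5322 message (empty = nothing flagged)."""
    msg = email.message_from_bytes(raw, policy=policy.default)
    findings = []

    sender = msg["From"].addresses[0] if msg["From"] else None
    if sender:
        dom = sender.domain.lower()
        name = sender.display_name.strip().lower()
        # A known executive's name on an address outside the company domain
        if dom != COMPANY_DOMAIN and any(name.startswith(e) for e in EXECUTIVES):
            findings.append(f"external_sender_claims_executive: {sender.addr_spec}")
        # A domain that closely resembles the company domain (lookalike / typosquat)
        if dom != COMPANY_DOMAIN and difflib.SequenceMatcher(None, dom, COMPANY_DOMAIN).ratio() >= 0.8:
            findings.append(f"lookalike_domain: {dom}")

    # Reply-To pointing somewhere other than the From domain: a "reply" goes to the imposter
    if msg["Reply-To"]:
        for reply in msg["Reply-To"].addresses:
            if sender and reply.domain.lower() != sender.domain.lower():
                findings.append(f"reply_to_mismatch: {reply.addr_spec}")

    # Attachments whose final extension is executable, including double extensions like .pdf.exe
    for part in msg.iter_attachments():
        fname = (part.get_filename() or "").lower()
        pieces = fname.split(".")
        if len(pieces) > 1 and pieces[-1] in EXECUTABLE_EXTS:
            kind = "disguised_executable_attachment" if len(pieces) > 2 else "executable_attachment"
            findings.append(f"{kind}: {fname}")

    # Body text asking for tax forms or other confidential employee data
    body = msg.get_body(preferencelist=("plain",))
    text = body.get_content().lower() if body else ""
    if any(term in text for term in SENSITIVE_TERMS):
        findings.append("requests_sensitive_data")
    return findings


def build_spoofed_sample() -> bytes:
    """Constructed sample in the shape of the executive-impersonation request described above."""
    m = EmailMessage()
    m["From"] = "Jane Doe CEO <jane.doe@examp1e.com>"   # executive's name, lookalike domain
    m["Reply-To"] = "ceo.office@mail-drop.invalid"       # replies would leave the company
    m["To"] = f"hr@{COMPANY_DOMAIN}"
    m["Subject"] = "Urgent: W-2 copies needed today"
    m.set_content("Please send me the W-2 forms for all staff before noon. Thanks, Jane")
    m.add_attachment(b"MZ\x90\x00", maintype="application", subtype="octet-stream",
                     filename="W2_list.pdf.exe")
    return m.as_bytes()


def build_clean_sample() -> bytes:
    """Constructed internal message that should produce no findings."""
    m = EmailMessage()
    m["From"] = f"Jane Doe <jane.doe@{COMPANY_DOMAIN}>"
    m["To"] = f"hr@{COMPANY_DOMAIN}"
    m["Subject"] = "Benefits meeting"
    m.set_content("Reminder: the benefits meeting is at noon in room 4.")
    return m.as_bytes()


if __name__ == "__main__":
    for finding in analyze(build_spoofed_sample()):
        print(finding)
    print("clean message findings:", analyze(build_clean_sample()))
```

Each finding is a reason to pick up the phone and confirm with the requester, as the list recommends; the script is a screening aid for the mailbox that receives tax-form requests, not a substitute for that call, and the name and domain lists would need to be maintained for a real organization.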
Responding to a security breach
In the unfortunate event that a company falls victim to a phishing attack, it should immediately gather facts about the incident, including the number of employees involved, where the affected employees are located, what information was stolen, and whether the stolen information has been put to use. Consult with a lawyer to determine next steps. In Hawaii (as in many states), a business is legally obligated to provide notice to victims of a security breach. Experienced counsel can navigate the company through data breach notification laws and advise on liability and remedial measures to take.