It’s that time of year again! As we all work hard to ensure our taxes are in order, cybercriminals are looking to claim their own returns. Fund members should stay up to date on this season’s scams and take steps to protect their organizations and their employees.
2021 scams exposed
Cybercrime constantly evolves. Trending scams this tax season look to cash in on the financial stress many Americans feel because of the pandemic. Of course, criminals will lean on time-tested scams as long as they continue to pay dividends. That is the case with W2 phishing scams, which have delivered more than 1.5 million fraudulent tax returns and $2.3 billion in bogus refunds into criminals’ hands since 2017.
The IRS warns that scammers are calling intended victims and impersonating government agents. In some cases, the caller claims the IRS discovered criminal activity associated with the victim’s tax return. They say an agent is on the way to arrest the victim unless they immediately pay a fine.
In other attacks, the caller claims to be an agent reviewing the victim’s account and requests clarification of personal details to process the victim’s tax return.
Bottom line – The IRS will never call citizens to threaten them or ask for personal and financial information over the phone. Hang up immediately.
Economic Impact Payment/CARES Act
Scammers are leveraging the promise of federally funded financial support during the pandemic to gain access to victims’ personal information. They send phishing emails and cold call potential victims claiming to be government representatives who can help them secure Economic Impact Payments or Coronavirus Aid, Relief, and Economic Security Act (CARES) funds.
They then request Social Security numbers, dates of birth, and other sensitive data to process the payments. In many cases, the scammers use this information to file for CARES support themselves. These attacks have, unfortunately, targeted senior citizens.
W2 phishing scams
The most prevalent W2 phishing scam often begins with a seemingly innocent email asking “hi, are you working today?” These emails are almost always directed at the HR or finance office and are normally altered to appear to come from a high-ranking employee, such as a CFO, superintendent, or principal.
Once the employee responds, the scammer asks for the entire organization’s W2 information. They will likely put pressure on the recipient by insisting the request is highly time sensitive. If the targeted employee provides the tax information, the district will likely receive an additional request for a routed payment to a phony tax service.
The hacker can use the information to file fraudulent tax returns or even sell sensitive data such as Social Security numbers, names, addresses, income, and withholdings on the dark web.
Case study – Manatee ISD Florida
In February 2017, Manatee ISD in Florida suffered a W2 phishing attack. An email, purportedly from the superintendent, arrived in HR and finance department employee inboxes. The email contained a strongly worded, time-sensitive request for every district employee’s W2 information. Representatives from both departments responded to the request.
As a result, sensitive information for all 7,500 district employees fell into hackers’ hands. The impacted employees filed a $300,000 dollar class action lawsuit, and the district had to purchase an $80,000 policy for two years of identity theft monitoring. One of the employees was formally reprimanded for negligence. The other was removed from their department and demoted.
So, what could Manatee ISD employees have done to prevent the attack?
Here are some tips from the IRS and FBI that can help you protect your district and employees from this ongoing scam:
- Train your employees on how to identify fraudulent or spoofed emails.
- Limit who has access to W2s and other staff and student sensitive data.
- Institute a two-person authentication process for all outbound, sensitive-data requests.
- Ask your information technology team to make sure your data loss prevention policies are configured in your email security system.
- Flag email from outside your network with a header that identifies it as external.
Any organization that suspects it has been the target of a tax season cyber scam should notify the IRS at email@example.com or firstname.lastname@example.org. The better the authorities understand the threat, the better advice and assistance they can provide.
Expert help from the Fund
The Fund provides Privacy and Information Security coverage to members with Liability coverage. In addition to notifying the IRS, Fund members that suspect they have been the target of cybercrime should call us immediately at 855.295.8344 to report a claim. Members that have questions about cybersecurity education or consultation are welcome to contact Privacy and Cyber Risk Consultant Lucas Anderson at email@example.com or 512.505.2893.
Editor's note: This article was originally published in February 2020. It has since been updated for accuracy and comprehensiveness.