It’s that time of year again! As we all work hard to ensure our taxes are in order, cybercriminals are looking to claim their own returns. Fund members should stay up to date on this season’s scams and take steps to protect their organizations and their employees.
Offer in Compromise
Offer in Compromise (OIC) is a legitimate IRS program that allows taxpayers to settle their tax debt for less than the full amount they owe. The program was created for people who couldn’t pay their full tax debt or who would suffer financial hardship if they did. Scammers are leveraging the program to take advantage of those who need it most.
In these attacks, the scammer calls claiming to represent a broker or agent for a company that facilitates OIC agreements. They claim their company can get the victim a better deal than the IRS by settling the tax debt for "pennies on the dollar." The scammer then asks for sensitive personal information, such as Social Security numbers and bank account and routing numbers, supposedly so they can deposit refunds.
Remember that only the IRS can accept an OIC. Any outside company or "agent" promising a guaranteed settlement is likely up to no good. If you are interested in the OIC program, start with the IRS' own OIC pre-qualifier tool so you know you are using the official government resource rather than a look-alike.
IRS impersonation phone scams
The IRS warns that scammers are calling intended victims and impersonating government agents. In some cases, the caller claims the IRS has discovered criminal activity associated with the victim's tax return and that an agent is on the way to arrest the victim unless a fine is paid immediately.
In other attacks, the caller claims to be an agent reviewing the victim's account and asks the victim to "confirm" personal details so the return can be processed.
Bottom line: the IRS initiates contact by mail, not by phone, and will never call taxpayers to threaten arrest or demand personal and financial information over the phone. Hang up immediately.
W2 phishing scams
The most prevalent W2 phishing scam often begins with a seemingly innocent email asking "hi, are you working today?" These emails are almost always directed at the HR or finance office and are typically spoofed so they appear to come from a high-ranking employee, such as a CFO, superintendent, or principal.
Once the employee responds, the scammer asks for the entire organization's W2 information, usually insisting the request is highly time sensitive to pressure the recipient into skipping normal checks. If the targeted employee provides the tax information, the district will likely receive a follow-up request to wire a payment to a phony tax service.
The attackers can use the information to file fraudulent tax returns or sell sensitive data such as Social Security numbers, names, addresses, income, and withholdings on the dark web.
Case study – Manatee ISD Florida
In February 2017, Manatee ISD in Florida suffered a W2 phishing attack. An email, purportedly from the superintendent, arrived in HR and finance department employee inboxes. The email contained a strongly worded, time-sensitive request for every district employee’s W2 information. Representatives from both departments responded to the request.
As a result, sensitive information for all 7,500 district employees fell into the attackers' hands. The impacted employees filed a $300,000 class action lawsuit, and the district had to purchase an $80,000 policy for two years of identity theft monitoring. One of the employees was formally reprimanded for negligence. The other was removed from their department and demoted.
So, what could Manatee ISD employees have done to prevent the attack?
Here are some tips from the IRS and FBI that can help you protect your district and employees from this ongoing scam:
- Train your employees to identify fraudulent or spoofed emails, including messages whose display name matches a known executive but whose sending address does not.
- Limit who has access to W2s and other sensitive staff and student data.
- Require two-person verification for every outbound request for sensitive data, and confirm the request with the apparent sender by calling a known phone number or in person, never by replying to the email.
- Ask your information technology team to confirm that the data loss prevention policies in your email security system will detect and block outbound messages and attachments containing Social Security numbers or W2 data.
- Flag email from outside your network with a header or subject tag that identifies it as external.
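The last three tips describe checks an email gateway can make automatically. The following is an added example, written for this page and not code from the original article, the IRS, the FBI, or the Fund: it tags external mail, spots display-name impersonation of a known executive, flags a mismatched Reply-To, looks for the urgency and W2 keywords typical of this scam, and applies a simple outbound DLP rule that blocks mail carrying Social Security numbers to an outside address. The internal domain, the executive mailbox, and the two sample messages are constructed for the example and are assumptions, not data from the page.

```python
import email
import re
from email import policy
from email.message import EmailMessage
from email.utils import parseaddr

# Assumptions for this example (not from the article): the district's mail domain
# and the real mailbox of the executive most likely to be impersonated.
INTERNAL_DOMAINS = {"example-isd.org"}
EXECUTIVE_ADDRESSES = {"jane doe": "jdoe@example-isd.org"}  # display name -> real mailbox

URGENCY_WORDS = ("asap", "urgent", "immediately", "right away", "today")
W2_WORDS = ("w2", "w-2", "payroll", "social security", "ssn")
# Rough SSN pattern: area 000/666/9xx, group 00 and serial 0000 are never issued.
SSN_RE = re.compile(r"\b(?!000|666|9\d\d)\d{3}-(?!00)\d{2}-(?!0000)\d{4}\b")


def _domain(addr):
    return addr.rsplit("@", 1)[-1].lower() if "@" in addr else ""


def _text_of(msg):
    """Concatenate the decoded text of every text/* part (body and text attachments)."""
    return "\n".join(p.get_content() for p in msg.walk() if p.get_content_maintype() == "text")


def classify_inbound(raw):
    """Signals a gateway would use to tag, warn on, or quarantine an inbound message."""
    msg = email.message_from_string(raw, policy=policy.default)
    name, addr = parseaddr(msg.get("From", ""))
    _, reply_to = parseaddr(msg.get("Reply-To", ""))
    subject = msg.get("Subject", "")
    external = _domain(addr) not in INTERNAL_DOMAINS
    known = EXECUTIVE_ADDRESSES.get(name.strip().lower())
    text = (subject + "\n" + _text_of(msg)).lower()
    return {
        "external": external,
        # Executive's display name on a message that did not come from the executive's mailbox.
        "executive_impersonation": known is not None and addr.lower() != known,
        "reply_to_mismatch": bool(reply_to) and reply_to.lower() != addr.lower(),
        "urgency": any(w in text for w in URGENCY_WORDS),
        "w2_request": any(w in text for w in W2_WORDS),
        "tagged_subject": f"[EXTERNAL] {subject}" if external else subject,
    }


def check_outbound(raw, max_ssns=0):
    """Outbound DLP: count SSNs in body and text attachments; block if leaving the district."""
    msg = email.message_from_string(raw, policy=policy.default)
    _, to_addr = parseaddr(msg.get("To", ""))
    ssn_count = len(SSN_RE.findall(_text_of(msg)))
    leaving = _domain(to_addr) not in INTERNAL_DOMAINS
    return {"ssn_count": ssn_count, "external_recipient": leaving,
            "block": leaving and ssn_count > max_ssns}


# Constructed sample of the "are you working today?" lure (not a real message).
PHISH = """\
From: "Jane Doe" <jane.doe.superintendent@gmail.com>
Reply-To: jd.office@outlook.com
To: payroll@example-isd.org
Subject: hi, are you working today?

I need the W2 of every employee sent to me ASAP for a review with the board.
"""

# Constructed sample of a genuine internal message for comparison.
LEGIT = """\
From: "Jane Doe" <jdoe@example-isd.org>
To: payroll@example-isd.org
Subject: Board meeting agenda

Please add the facilities update to Thursday's agenda.
"""


def build_leak_sample():
    """Constructed reply that would leak a W2 export to the scammer's mailbox."""
    m = EmailMessage()
    m["From"] = "payroll@example-isd.org"
    m["To"] = "jane.doe.superintendent@gmail.com"
    m["Subject"] = "Re: hi, are you working today?"
    m.set_content("Here are the W2s you asked for.")
    csv = "name,ssn,wages\nA Smith,123-45-6789,51000\nB Jones,234-56-7890,47000\n"
    m.add_attachment(csv, subtype="csv", filename="w2_export.csv")
    return m.as_string()


if __name__ == "__main__":
    print(classify_inbound(PHISH))
    print(classify_inbound(LEGIT))
    print(check_outbound(build_leak_sample()))
```

Real gateways add SPF, DKIM and DMARC results to these signals, and the SSN regex will miss numbers written without hyphens or split across cells; the point is that the checks behind the tips are mechanical and cheap to enforce before a person ever has to make a judgement call.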
Any organization that suspects it has been the target of a tax season cyber scam should notify the IRS at email@example.com or firstname.lastname@example.org. The better the authorities understand the threat, the better advice and assistance they can provide.
Expert help from the Fund
The Fund provides Privacy and Information Security coverage to members with Liability coverage. In addition to notifying the IRS, Fund members that suspect they have been the target of cybercrime should call us immediately at 855.295.8344 to report a claim. Members that have questions about cybersecurity education or consultation are welcome to contact Privacy and Cyber Risk Consultant Lucas Anderson at email@example.com or 512.505.2893.
Editor's note: This article was originally published in February 2020. It has since been updated for accuracy and comprehensiveness.