Why Hackers Love Tax Season (And What You Can Do About It)
During tax season, personal information is being exchanged at a much higher rate than any other time of year. Documents like W2s with Social Security numbers on them are just par for the course. It’s also a time of year when employers and employees engage in tax-related tasks that aren’t routine to them. There’s often a bit of chaos getting everything in order and even a bit of anxiety over doing it right.
For hackers and scammers who rely on human error and deception, all of this combines to create ideal conditions. I was recently on WTNH’s Good Morning Connecticut alongside Michelle Seagull, Commissioner of the CT Department of Consumer Protection, talking about tax hacks and scams targeting companies in Connecticut. Commissioner Seagull and I were also guests on the MetroHartford Alliance’s “Pulse of the Region” radio show with Brian Newman from CohnReznick discussing this same topic. During the segment, I mentioned that last year around this time, an employee at the Groton School District received what appeared to be an email from her boss asking for the W2 forms of all employees. She complied, unknowingly sending the personal information of 1,300 people to a hacker.
The hacker then filed fraudulent tax returns netting some $37,000. He was ultimately caught and will be prosecuted, but this story is all too common. During tax season, companies and individuals fall prey to scams like this frequently, but we don’t hear about them because the victims aren’t public employees. Typically, the hackers get away with it.
Taxes Are Confusing. It’s No Wonder People Get Tricked.
The Groton School District story is a reminder that most hacks these days aren’t “brute force” attacks in which hackers gain access purely through technological means. They almost always involve tricking individuals into giving up data. This is all the more true during tax season, when people are already sharing their data with accountants, financial planners, and the IRS.
The most common tactic is phishing, which is highly sophisticated these days. A hacker may gain access to an email account at your company and observe the schedule and writing style of the messages, then send an email asking for tax info at the right time and tone for it to be believable.
There are many ways to pull off phishing attacks, so the one crucial rule to remember during tax season is not to email any sensitive information to anyone. Your accountant or comptroller should have a secure system for transferring documents online.
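As an added illustration (not code from the original post or from Kelser), here is a small Python triage rule a mail team could run over inbound messages: it flags a W2 request that shows the display-name spoofing or reply diversion described above, and routes any clean-looking request for tax data to the phone-verification step the post recommends rather than straight back to the sender. The organisation domain, the executive names and the sample messages are constructed assumptions.

```python
import email
from email import policy
from email.utils import parseaddr

# Constructed assumptions: the org's mail domain, the display names an
# impersonator would most plausibly borrow, and wording typical of W-2 requests.
ORG_DOMAIN = "example-school.org"
IMPERSONATION_TARGETS = {"pat superintendent", "hr director"}
SENSITIVE_TERMS = ("w-2", "w2", "social security", "ssn", "payroll", "1040")

def domain_of(addr: str) -> str:
    return addr.rsplit("@", 1)[-1].lower() if "@" in addr else ""

def triage(raw_message: str):
    """Return ('block' | 'verify' | 'ok', reasons) for one inbound message."""
    msg = email.message_from_string(raw_message, policy=policy.default)
    from_name, from_addr = parseaddr(msg.get("From", ""))
    _, reply_addr = parseaddr(msg.get("Reply-To", ""))
    from_dom, reply_dom = domain_of(from_addr), domain_of(reply_addr)
    body = msg.get_body(preferencelist=("plain",))
    text = (msg.get("Subject", "") + "\n" + (body.get_content() if body else "")).lower()
    asks_for = [t for t in SENSITIVE_TERMS if t in text]
    if not asks_for:
        return "ok", []
    reasons = ["asks for " + ", ".join(asks_for)]
    # An internal executive's display name on an address outside the org.
    if from_name.strip().lower() in IMPERSONATION_TARGETS and from_dom != ORG_DOMAIN:
        reasons.append(f"'{from_name}' sent from external domain {from_dom}")
    # Replies silently diverted to a different domain.
    if reply_dom and reply_dom != from_dom:
        reasons.append(f"Reply-To domain {reply_dom} differs from From domain {from_dom}")
    # Header anomalies plus a data request: block. A clean-looking request may
    # still come from a compromised mailbox, so it goes to phone verification.
    return ("block" if len(reasons) > 1 else "verify"), reasons

# Constructed sample messages, not real correspondence.
SPOOFED_REQUEST = """\
From: Pat Superintendent <pat.superintendent@example-schoo1.org>
Reply-To: p.superintendent@freemail.example
Subject: W2s needed before my 10am meeting

Please send me the W-2 forms for all employees as a single PDF. Thanks.
"""
INTERNAL_REQUEST = """\
From: Pat Superintendent <pat.superintendent@example-school.org>
Subject: Social Security numbers for the auditor

Can you email the SSNs for the payroll list? The auditor needs them today.
"""
```

Header checks only catch lookalike and spoofed senders; a request sent from a genuinely compromised internal mailbox, as in the Groton case, passes them, which is why it still lands in the verify bucket instead of being answered by email.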
What Can Companies Do?
Here are a few key practices that are a good idea year round, but especially prudent during tax season.
- Cybersecurity training – Regular employee training is an important part of any comprehensive cybersecurity strategy. Why not take an opportunity during the late winter or spring to do a tax-themed training session? Doing so will strengthen the biggest weakness in your cyber defenses (your employees) at your most vulnerable time of year.
- Make sure patches are up to date – As we saw with WannaCry, failure to properly patch can be devastating. Making sure your patches are up-to-date before beginning to prepare your taxes helps ensure that anyone who has gained access to your system and may be watching your activity gets booted from your system before you start poring over sensitive data.
- Add-ons to SPAM filter – Microsoft Office 365 has an add-on that filters all links clicked by employees using their work email and makes sure that they lead to legitimate sites. With such sophisticated and realistic-looking phishing sites out there, this helps stop anything that made it through the SPAM filter. Another useful tool is Cisco Umbrella, which checks every website requested from the company network to make sure it is legitimate.
- Encrypted email – Adding email encryption to your company’s email platform is a very effective way to ensure that hackers never gain access to sensitive data through email. If it sounds difficult to use, it’s not—users would never know it’s there and it can be set up and managed by an IT partner.
- Question the format of communications – In our Pulse of the Region appearance, Brian Newman mentioned that the IRS only communicates via US Mail—never by phone or email. Similarly, it can’t hurt to double check in person or by phone with someone in your organization asking for W2s or other info.
Below is the full transcript of my appearance on WTNH with Commissioner Seagull. For more of this discussion, listen to our Pulse of the Region appearance with Brian Newman from CohnReznick.
Laura Hutchinson: Hi everyone! Welcome back. Tax season is stressful enough without the worry of potential hackers trying to steal your information. So, today we have Michelle Seagull, Commissioner of the Connecticut Department of Consumer Protection and Matt Kozloski, VP of Professional Services at Kelser Corporation to talk about how you can protect yourself. So, happy you both are here. It really is a very vulnerable time of year. People are plugging their information in while using public Wi-Fi or meeting with people they've never met before and handing over information. So, let's talk about the top ways that people have their identity stolen.
Comm. Seagull: I’ll talk a bit about some of the warning signs. It really is all year round that you want to be cautious about identity theft, but tax season is a time in particular to be conscious of this. Everybody's preparing their taxes and so maybe a bit more casual about sending people sensitive information over the phone or through email. The big tip for us is always be certain that you know who you're dealing with. So, if somebody calls you out of the blue claiming to be an accountant or claiming to be with the IRS or somehow asking you for either personal information or to send money in a way that can't be tracked--that's really a huge red flag. You're going to want to hang up, verify who they are, and then send information in a secure way.
Matt: You really shouldn't be emailing information either. So, phishing attacks like we had last year in Connecticut. There was a hacker, Ojo; the Department of Justice prosecuted him. That hacker created almost 100 falsified 1040s and it was almost half a million dollars in refund claims he was going after. It's real. Phishing attacks are probably the most common thing we see, where people are tricked through email or phone like that into giving up personal information.
Laura: So, how do you know when you're handing someone information over that it's a reputable source? What kind of steps do people need to take to ensure that they're protected?
Comm. Seagull: The most important thing is if you didn't initiate the contact you should always be suspicious. Sometimes it may be an email coming from somebody you know and recognize, your colleague asking you, “Hey! Can you send over the tax ID information? The Social Security numbers for our employees?” But that person's email may have been hacked. So, you're not going to want to send it by email at all, that should make you suspicious right there. Also, don't respond right away. Get on the telephone and call the person. Make sure they really asked for it. Always be certain to call using contact information you're sure is correct to verify that the person who reached out to you is who they truly said they are.
Laura: OK and I think one thing that's important to note too is you're not going to know right away if your information was stolen. So, this is almost kind of a reminder to always check your information. How do you go about doing that knowing that you weren't hacked yourself?
Matt: Well, that can be really tricky. I mean there's a lot of different monitoring services for credit and things along those lines which can give you alerts if people are doing things on your behalf. This was a popular scam last year: people would get a phishing email saying, “Check here to see if your Social Security number has been compromised.” They get that as an email and they're like, “Oh that's great. Let me go check it. Perfect. This is wonderful.” And now they're entering their Social Security number and personal information into a website thinking they're checking it against a known database. So, don't do that kind of stuff. That's an example of a trick.
Laura: Right. Make sure that you're contacting somewhere; you're not responding to anyone that's contacting you.
Comm. Seagull: Absolutely. You can get free credit reports once a year from each of the credit reporting agencies. So, that's a good way to see, “Has somebody opened an account in my name?” There’s suddenly a new credit card I never opened up, but it has shown up. Then, of course, always look at your credit card statements, your bank statements--are there any charges there that don't look familiar? Sometimes it may even just be a small charge, so it won't necessarily show up on your radar screen, but that could be a sign somebody has your number and is making sure it's working.
Laura: All right, Michelle, Matt, thank you so much for the great advice on making sure people stay safe and keep their identity protected this year. Thank you so much.