As we enter into tax season where you will be in contact with us, your CPA, and several other tax or financial organizations, we want to turn your attention to cyber security. Over the last several years, fraudulent returns have plagued the IRS and taxpayers alike. If you haven’t been affected, you likely have a friend or family member that has!
Consider the statistics below provided by the IRS, showing the number of identity theft incidents reported to, or discovered by the IRS:
2010 – 50,000 incidents
2011 – 100,000 incidents
2012 – 350,000 incidents
2013 – 770,000 incidents
2014 – 1.5 million
2015 – 3.2 million
To say this is an alarming trend doesn’t begin to do it justice! However, the good news is, that for the first ten months of 2016, the number of people filing identity theft affidavits with the IRS is down 40%, so at least the trend is being reversed! The IRS is taking further steps to continue combating the problem. These steps include: more stringent security regulations for tax software vendors; earlier recognition of suspicious returns and collaboration with the banking industry to halt the refund process; extradition of thieves from foreign countries; and stricter penalties for offenders in 2015 resulting in an average of three years of jail time.
Phishing and Social Engineering
While we certainly recommend them, no security system, content or spam filter, security patches, antivirus, or firewall can perfectly protect an individual or firm’s data. In fact, the most harmful data crimes today rely on social engineering to steal the information they need. Social engineering is the method of arranging a fraudulent communication such that it looks real: perhaps using your CPA’s or CFO’s name in a request for financial information. “Phishing”, the generic term for this type of fraudulent communication, means luring or tricking a victim into providing sensitive information. Being rooted in metaphor, the term lends itself well to embellishment and now “spear phishing” and “whaling” are both common terms, but we will let Wikipedia explain the nuances.
While the bait for these phishing attempts can be tempting and seem legitimate, there are ways of separating truth from fiction. In email phishing, a good spam filter goes a long way toward catching messages in which thieves disguise the true sender or the true destination of a link. Once that is done, you can tell by careful examination whether a link will take you to IRS.gov or to IRS.gov.ADarkAlleyWhereYourComputerWillBeMugged.ru. If something seems suspicious, it probably is! If in doubt, take the old-fashioned approach and call the sender to verify they are indeed the sender. This thwarts the would-be “phisherman” who is electronically posing as your friend, boss, or vendor. The time spent making this call could save you or your company a great sum of money and frustration!
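One way to make that careful examination mechanical, added here as an example and not part of the original article: the Python below (our own illustration, not code from the firm or the IRS) pulls the true host out of a link and checks whether it really belongs to irs.gov or only starts with those letters. The sample links are constructed, modelled on the lookalike address above.

```python
from urllib.parse import urlparse

# Constructed sample links, modelled on the article's own example.
# The real owner of a host is given by its LAST labels, not its first ones.
SAMPLE_LINKS = [
    "https://www.irs.gov/refunds",
    "https://IRS.gov.ADarkAlleyWhereYourComputerWillBeMugged.ru/refunds",
    "IRS.gov/individuals",
    "http://irs.gov.example.com/login",
]

def hostname_of(url):
    """Return the lowercase host part of a link, tolerating a missing scheme."""
    if "://" not in url:
        url = "http://" + url           # bare 'IRS.gov/...' as typed in an email
    host = urlparse(url).hostname       # strips the port and any user@ prefix
    return host.lower().rstrip(".") if host else ""

def registered_domain(host):
    """Last two labels of the host, e.g. 'irs.gov'.
    Assumption: the domains we expect are two-label names; suffixes such as
    '.co.uk' would need a public-suffix list, which irs.gov does not."""
    labels = host.split(".")
    return ".".join(labels[-2:])

def is_expected_domain(url, expected="irs.gov"):
    """True only when the link really belongs to `expected` or a subdomain of it."""
    return registered_domain(hostname_of(url)) == expected.lower()

def classify(links, expected="irs.gov"):
    """Map each link to 'ok' or 'LOOKALIKE' for a quick review list."""
    return {u: ("ok" if is_expected_domain(u, expected) else "LOOKALIKE")
            for u in links}

if __name__ == "__main__":
    for link, verdict in classify(SAMPLE_LINKS).items():
        print(f"{verdict:9} {hostname_of(link)}  <- {link}")
```

The second and fourth sample links begin with "irs.gov" yet are owned by a completely different domain, which is exactly what the eye tends to miss.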
Another great resource to help combat social engineering is KnowBe4. The company was founded by a well-known Internet expert, and trains users to recognize and avoid being fooled by phishing schemes. Their commercial product includes online educational material and regular training programs for companies, AND they are happy to help you test your company for free. The results may be quite surprising.
Email & Phone Scams
Email is not a safe place to communicate sensitive information in any case. Just as you would not send a blank check through the mail without an envelope nor send your medical history on a postcard, please do not send sensitive financial information through email. The language computers use for email was not originally meant to be secure and while it can be encrypted, most email is sent in plain text, making messages easy to intercept.
Unfortunately, criminals deserve their reputation for ingenuity with phone calls as well. For example, the IRS has given up initiating communication by phone because of the number of fraudulent calls made in its name. The IRS never uses texting, email, Facebook messages, or threats of lawsuits or jail time to initiate communication with you. The IRS will always use regular mail to send notices or initiate contact with you. A healthy amount of skepticism is useful even then, since imposters have begun using mailed letters to deceive the susceptible public. If you receive such a notice, be sure to share it with your CPA, tax preparer, or payroll provider.
Verification is Key
Finally, we have seen fraudulent emails purporting to be from CPAs, ADP (payroll vendor), and other providers inviting you to click a link and share sensitive information. If you were not expecting to hear from us (or one of these other providers), please call us or them to verify authenticity. Look up the phone number on the company's or the IRS's genuine website rather than using one from the message, since fake numbers are often provided within the fake emails or letters in these cases.
The old adage says, “An ounce of prevention is worth a pound of cure.” It certainly applies in the high-tech world of today. Educate your users, verify authenticity, and be hyper-vigilant concerning communication of sensitive information. This small ongoing investment may save you or your company great sums of money, time, and frustration.
Special thanks to Brian Wozniak of the Portland IRS office for his OSCPA presentation providing some of the statistics included in this article.