Well, we all know what tomorrow is . . . it is April 17th, and ‘tis the time to file your tax return. Yes, it’s not a time favored at all by most Americans, as we have to cough up money to Uncle Sam that we don’t want to. Or if you’re lucky, maybe you will be receiving a substantial refund, or even just a small amount like me (only got about $60.00 from IL – and even that took 6 weeks of waiting).
The majority of tax filers will probably be e-filing their returns, or still sending them in by snail mail. But whatever the method, this is also the prime season for the Cyber attacker. They are always targeting us taxpayers, trying to get our Social Security numbers so that they can get our refunds. In fact, last year, in 2017, tax fraud netted a staggering $445 Billion.
But just as much as the Cyber attacker has been targeting us, they now have a new target: the tax professional who does the return for you. So far, the IRS has reported that about 75 tax professionals have told them that they have been the victim of a Cyber attacker. In fact, this is a 60% increase from last year, which is a dramatic rise.
One way that the IRS can detect this kind of fraud is if an individual is filing too many tax returns – this is obviously a huge red flag to them. But “too many” is also a very qualitative term to use, as the tax professional could have literally hundreds of clients that they are servicing at a given point in time. And if a Cyber attacker is successful enough to hack a tax professional, they can also get access to the Social Security numbers of all of their clients, their tax data, and the IP address(es) of the tax professional.
With the latter information in hand, the Cyber attacker can then file these hundreds of tax returns with the IRS, claim all of those refunds, and get them covertly wired to their bank accounts in just a matter of days, by which point, of course, it will be too late to retrieve those stolen funds.
But believe it or not, in order to carry out this kind of attack, the Cyber attacker doesn’t need any sophisticated tools or technology. Rather, they rely upon the tried and true technique of using Phishing E-Mails in order to bait the tax professional. Very often, these kinds of E-Mails contain an attachment (these are primarily of the .DOC and .XLS kind – it is not often that you will see the .PPT file extension being used).
Once the tax professional has clicked on this attachment – well, to put it bluntly, they are at the total mercy of the Cyber attacker. At this point, the attacker can collect all of the private information and data that they want to, and even all of the login information, such as the username/password combination, PIN numbers, etc. In fact, the IRS has even labelled this year’s tax filing season as the “Perfect Storm” for the Cyber attacker, given the confusion caused by the passage of the latest Tax Reform Bill.
According to them: “This is kind of a perfect storm where you have a lot of misinformation, a dearth of information, and these new techniques that are being widely used by these criminals looking for compromised computers belonging to tax prep professionals . . .” (SOURCE: https://www.cnbc.com/2018/04/14/cybercriminals-now-targeting-tax-pros-to-cash-in-on-fraudulent-returns.html).
Also according to the IRS, the information and the data that is hijacked by the Cyber attacker is then sold on what is known as the “Dark Web” (we will cover this in a future blog posting). But as mentioned, locating these Cyber attackers is made easier now given the advancements in security technology, but bringing them to justice is another thing: many of them are overseas.
So how can all of this be avoided? It just comes down to basically trusting your gut, and knowing what to look for in a Phishing E-Mail. In other words, if it doesn’t look right, then simply delete it. It’s that simple. But, let me take this one step further. True, there is no such thing as being 100% immune to the clutches of the Cyber attacker, but the tax professional has a fiduciary responsibility to their clients to make sure that they are taking all of the proactive steps necessary to secure our private information and data.
This means not only ensuring that their computers are up to date with the latest anti-malware software, but also that they receive periodic training in the techniques of Social Engineering, and know what to look out for. Also, if they outsource any of their accounting functions to a third party, they need to make sure that the third party is reasonably up to snuff on its security protocols as well.
But we the clients have a responsibility as well: if ever in doubt, always ask your tax professional about the security protocols that they have in place. After all, it is your Social Security number that is at stake here.