Security innovation hasn’t been enough to stop tax payments fraud

With personal and financial data frequently being compromised in large-scale breaches, identity thieves looking to file a false tax return have more information at their disposal than ever before, raising security risk for the tax payment industry and consumers.

There have been great steps forward by the IRS and others to reduce the amount of identity theft and false tax refunds filed during tax season, but there were still almost 250,000 victims of tax fraud in 2017. In fact, the Treasury Inspector General for the Tax Administration noted in its interim report from February 2018 that the IRS reportedly identified 9,557 tax returns with approximately $46 million claimed in fraudulent refunds. The fact that many people rely on their tax returns, which can be delayed for up to eight months due to fraud, is just the tip of the iceberg in terms of the impacts of tax-related identity theft.

Tax-related identity theft can be especially worrisome, not only for the monetary consequences it carries, but tax documents often contain highly sensitive information, like Social Security numbers, so it’s no wonder that, according to our recent Cyber Barometer, 91% of Americans said they consider an attack on their identity as “very stressful.”

Andrew Harrer/Bloomberg

Every year the IRS compiles a list of common tax-related scams called the Dirty Dozen — while some of the names on this yearly list fluctuate based on new security protocols or changes in IRS regulations, identity theft and well-known scams that can result in identity theft, like phishing emails and phone scams, are some of the usual suspects.

For example, some thieves are infiltrating the systems of tax preparers to secure legitimate W2s so they can craft better fake tax returns.

Phishing is another common method used by identity thieves. The IRS reported a 60% surge in phishing and malware related incidents during the 2018 tax season. The most pervasive form of phishing attacks is email phishing — an email that not only looks legitimate but often appears to come from a legitimate sender as well.

Vishing, or what the IRS calls voice phishing, is another popular scam. Vishing is when an identity thief poses as an agent of a legitimate organization, like the IRS, and calls asking for, or in some cases demanding, personal and financial information. These often come in the form of calls threatening criminal prosecution or other penalties concerning late or missing payments; ultimately, they’re designed to instill fear and encourage an emotional response rather than a rational one.

Another attack is the Collection Scam, which usually involves an unknown or blocked phone number calling a potential victim from someone claiming to be an IRS “official” or “collection agent.” The would-be scammer usually asks for some personal information and account credentials for “verification” purposes with some going as far as demanding immediate repayment on the “outstanding” debt via wire transfer or prepaid debit cards.