The 2015 tax season has ended, signaling a potential break in the number of tax-related data breaches we read about in the news. The list of companies suffering from these cyber-attacks seemed to grow weekly, and nearly 100 companies have been publicly tied to W-2-related breaches in 2016. SurfWatch Labs collected a multitude of CyberFacts pertaining to W-2 and tax data breaches during the 2015 tax season.
The IRS, predictably, has the most CyberFacts related to tax and W-2 cybercrime in 2016. The IRS has suffered massive data breaches within the last year. In 2015, the IRS exposed 700,000 taxpayer accounts through its “Get Transcript” service. Last February, the IRS was breached again, with more than 100,000 stolen Social Security Numbers used to successfully access an E-file PIN. Events like these have led to predictions that the IRS will lose $21 billion to cyber fraud and fake tax returns in 2016.
Surprisingly, the Higher Education group also received a lot of discussion, led by the high-profile W-2 data breach at the University of Virginia.
IRS and FBI Release Warnings About Tax Fraud
In March, the IRS released an alert about tax fraud which described various methods used by criminals to obtain W-2 and tax information. The alert provided information on several areas where individuals and organizations leave themselves vulnerable to compromise:
Abusive Return Preparer
“Taxpayers should be very careful when choosing a tax preparer. While most preparers provide excellent service to their clients, a few unscrupulous return preparers file false and fraudulent tax returns and ultimately defraud their clients. It is important to know that even if someone else prepares your return, you are ultimately responsible for all the information on the tax return.”
Abusive Tax Schemes
“Abusive tax scheme originally took the structure of fraudulent domestic and foreign trust arrangements. However, these schemes have evolved into sophisticated arrangements to give the appearance that taxpayers are not in control of their money. However, the taxpayers receive their funds through debit/credit cards or fictitious loans. These schemes often involve offshore banking and sometimes establish scam corporations or entities.”
“There have always been individuals who, for a variety of reasons, argue taxes are voluntary or illegal. The courts have repeatedly rejected their arguments as frivolous and routinely impose financial penalties for raising such frivolous arguments. Take the time to learn the truth about frivolous tax arguments.”
The FBI also released a warning in March related to the rise of Business Email Compromise (BEC) scams targeting businesses and individuals within organizations. BEC scams have gained notoriety for defrauding organizations out of money. However, BEC scams can also be used to obtain information from organizations — including W-2 and tax information.
“Based on complaint data submitted to IC3, B.E.C. victims recently reported receiving fraudulent emails requesting either all Wage or Tax Statement (W-2) forms or a company list of Personally Identifiable Information prior to a traditional BEC incident,” the warning read.
A “traditional” BEC attack starts with a fraudulent request sent from a high-ranking executive’s spoofed email address. In this case, the email is sent to a member of an organization who handles employee W-2 and tax information. The email will appear to be an urgent message requesting all employee W-2 information.
This is what happened at Sprouts Farmers Market, which is facing a class action lawsuit after an employee fell for a BEC scam and forwarded W-2 information on all 21,000 of the company’s employees to a malicious actor.
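A mail-gateway style check for the request pattern the FBI warning describes, added here as an example that is not part of the original article: it holds a message that asks for W-2 or PII in bulk when it also shows a spoofing or urgency signal. The domain, executive names, keyword lists and sample messages are constructed assumptions.

```python
import email
import re
from email.utils import parseaddr

# Assumed deployment values for this example; replace with your own.
ORG_DOMAIN = "example.com"
EXECUTIVES = {"jane doe", "john smith"}
DATA = re.compile(r"\bw-?2s?\b|wage and tax statement|\bssn\b|social security", re.I)
BULK = re.compile(r"\ball\b|\bevery\b|\bentire\b|\blist of\b", re.I)
URGENT = re.compile(r"\burgent\b|\basap\b|\bimmediately\b", re.I)

def domain_of(header):
    """Lower-cased domain of the address in a From/Reply-To header."""
    return parseaddr(header or "")[1].rpartition("@")[2].lower()

def bec_indicators(raw):
    """Return the BEC indicators present in one raw RFC 5322 message."""
    msg = email.message_from_string(raw)
    display_name = parseaddr(msg.get("From", ""))[0].strip().lower()
    from_dom = domain_of(msg.get("From"))
    reply_dom = domain_of(msg.get("Reply-To")) or from_dom
    body = "" if msg.is_multipart() else msg.get_payload()
    text = f"{msg.get('Subject', '')}\n{body}"
    found = []
    if display_name in EXECUTIVES and from_dom != ORG_DOMAIN:
        found.append("executive name on external sender")
    if reply_dom != from_dom:
        found.append("Reply-To domain differs from From")
    if DATA.search(text) and BULK.search(text):
        found.append("bulk W-2/PII request")
    if URGENT.search(text):
        found.append("urgency language")
    return found

def should_hold(raw):
    """Hold for out-of-band verification: data request plus one other signal."""
    found = bec_indicators(raw)
    return "bulk W-2/PII request" in found and len(found) >= 2

# Constructed sample messages (not real traffic).
SPOOFED = ('From: "Jane Doe" <jane.doe@example.com>\n'
           "Reply-To: jane.doe@mail-example.test\n"
           "Subject: Urgent: 2015 W-2s\n\n"
           "Send me all employee W-2 forms immediately.\n")
ROUTINE = ('From: "Payroll" <payroll@example.com>\n'
           "Subject: Your W-2 is ready\n\n"
           "Your 2015 W-2 can be downloaded from the HR portal.\n")
for raw in (SPOOFED, ROUTINE):  # print the verdict and reasons per sample
    print(should_hold(raw), bec_indicators(raw))
```

A held message should be confirmed with the named executive through a separate channel, such as a phone call to a known number, before any data is released.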
Protecting Yourself From Tax Fraud
One of the biggest vulnerabilities we face concerning our data is that it is handled by other human beings. Humans make mistakes, and cybercriminals capitalize on this. Since corporations cannot guarantee your data will be safe in their hands, you must remain vigilant and prepare yourself for the possibility that your tax information could be stolen.
Here are a few tips on protecting yourself from tax fraud in 2016:
File Your Taxes Early: The early bird gets the worm; this also rings true when filing tax returns. If you file your tax return before a criminal does, you’re in a much better position, as the tax return will already be marked as filed, preventing anyone else from filing a tax return with your credentials.
Avoid Password Reuse: Poor password management is one of the leading problems in cybersecurity. Remembering passwords can be cumbersome, so we do what is in our nature — we take shortcuts. Unfortunately, taking shortcuts on password management can lead to many problems. Employees have historically been shown to use the same password across several accounts, which could leave an organization vulnerable to compromise. In this scenario, a cybercriminal could obtain an employee’s login credentials from another site (Facebook is a good example) and use them to log into several accounts — even the employee’s account within an organization. Make sure employees are aware of the problems with password reuse. Also, make sure passwords use capitalization, numbers and symbols and are at least 8 characters long. Organizations can take this one step further and enable two-factor authentication, which would require an additional login step before employees, or malicious actors, could access accounts.
Educate Employees About BEC Scams: Employees are one of the primary targets in tax fraud. It is vital that employees understand the dangers of opening attachments from unknown sources. It is equally important that employees question unusual requests — like what you would see in a BEC scam email. Make sure employees understand that it is okay to ask questions before performing job functions, especially if that job function was requested via email. Before sensitive information is accessed, put in place checkpoints to make sure this information is only being shared with authorized and legitimate personnel.
Deploy Security: While there are plenty of examples that show security tools are not a 100% guarantee of protection, features such as firewalls and antivirus software are paramount when it comes to securing your data. It is also important to make sure these tools and other software — such as your operating system — are current on updates. The latest updates could provide patches to vulnerabilities in older versions of the software.