Just because death and taxes are a certainty, it does not mean that individual and business taxpayers need fall prey to the growing raft of tax-related scams that experts have seen recently.
Cybercrime rings have utilized a variety of tricky email- and online-based approaches to steal privileged data or funds, or just to infiltrate the networks of their victims, under the guise of the IRS.
“Not all tax-themed campaigns spoof the IRS, but of course, doing so provides the threat actor with a level of perceived authority,” said Joseph Gallop, intelligence analysis manager for Cofense, whose analysts have research and discovered new tax-related attack vectors.
“If email users are properly trained to recognize phishing emails, however, spoofing the IRS can work against the threat actor,” Gallop added.
The IRS itself specifically states on its website that it “does not initiate contact with taxpayers by email, text message, or social media to request personal or financial information,” Gallop pointed out.
Despite the fact that any such communication received by taxpayers should be “immediately considered suspicious,” people still receive the news with concern.
Shirley W. Inscoe, strategic advisor for the fraud and anti-money laundering practice at Aite-Novarica Group, said that every year she has seen people “filing their taxes, only to be informed their taxes were already filed by an identity thief who wanted a juicy refund.”
Indeed, Inscoe cited that 3% of U.S. taxpayers reported that their state or federal taxes were filed by an identity thief in 2021, according to a survey of more than 8,500 U.S. adults in the first quarter of 2022, conducted by ANG.
“We are seeing more of a rifle approach than a shotgun approach in some [tax-related] email scams,” Inscoe added. For instance, targeting university staff and students whose email addresses end in “.edu” suggests that scam artists “continue to refine their attacks and that they are becoming more sophisticated,” she said.
In addition, “we always see an increase in the number of phone calls [this time of year] made with the caller claiming to be an IRS agent,” Inscoe added.
In general, the primary goal is to steal personally identifiable information (PII), but if they can also obtain the taxpayer’s PIN, “they can also file with the IRS impersonating the victim,” she said. “Scams are becoming more sophisticated and are more targeted to certain segments of the population.”
Playing to the fears surrounding audits and costly legal actions surrounding tax issues, many bad actors have attempted to “intimidate the person they’ve called or emailed, threatening them with an audit if they don’t cooperate,” Inscoe said. And this approach all-too-often ropes in people who would “usually know better given time to reflect, [and they] may fall for these threats.”
Another revamped and resurrected tax-connected threat is the Emotet botnet, which in the past has infected tens of thousands of U.S. consumers and businesses, according to Gallop. This generic (but effective) botnet has added a “tax-themed phish” element this year, he said, after last year, when hackers used the botnet in tax-season phishing campaigns related to...stimulus payments.”
Emergence of "taxtech" industry aimed at automating and securing tax payments
One way that financial institutions, tax preparers and their customers can mitigate the risk of these attacks in the future is by working with the emerging movement of developers and vendors (for IT security and automation) related to taxes.
Just as fintech and regtech have created a booming market for technologies and strategies related to nascent financial and regulatory technologies and support, there is a fast-emerging “taxtech” industry, aimed at making tax payments more automated and more secure. The report details examples of available tax technologies and reviews possible applications that may deliver tangible efficiency gains for individuals, businesses and regulators. It also highlights investors’ appetite for this space.
In the past year, investments in taxtech solutions worldwide have nearly quadrupled from $240 million in 2020 to $864 million in 2021, according to Deloitte. Indeed, Deloitte and venture group Team8 recently partnered to launch their own taxtech business. The united pair recently released a report, dubbed "The Emergence of TaxTech-A New Era of FinTech," which looked at more than 100 companies involved in taxtech.
“Tax season in the digital era has become a huge challenge for individuals or businesses who are burdened with gathering and filing tax statements spread across a multitude of financial apps, banking services, and other platforms,” said Ronen Assia, managing partner at Team8, in a prepared release.
Better consumer education is key, according to Inscoe, who added that financial institutions should tell customers that “the IRS does not routinely call, text, or email people. There should also be a mechanism to ensure that tax refunds can only be deposited to an account in the name of the person receiving the refund,” according to Inscoe.
Consumers without bank accounts could receive refunds via a stored-value card, said Inscoe. And, if fraud was detected quickly, “balances on such cards could be frozen until a brief investigation was performed to ensure the filing was valid.”