Threat Management

Even as the government shutdown ends, expect a spike in IRS phishing attacks

By Monica Pal, CEO, 4iQ

The longest government shutdown in American history may have ended (for now), but the effects of the shutdown are likely to be felt for quite a while.

Many of our nation’s most critical agencies were left understaffed and vulnerable while a political staring contest took place on Capitol Hill. Despite the resumption of normal operations, these agencies are reeling from a backlog of work, and it will be long before operations are truly normalized. Though the alphabet soup of Washington’s departments and agencies may appear unrelated to the lives of ordinary citizens, there is one agency in particular whose function is deeply entrenched in the well-being of every American: The Internal Revenue Service (IRS). While technically on a three-week hiatus, the shutdown has had a destructive impact on the functionality of an agency already littered with its own institutional problems and security concerns.

Ever a lucrative target for cybercriminals and hackers, the government shutdown came at one of the worst times of the year – just as the tax season was beginning and individuals were starting to prepare their filings. Phishing attempts have spiked in recent years, and with the IRS unable to offer as much protection due to the shutdown, taxpayers are especially vulnerable. According to the IRS, over the last year there was a 60 percent increase in illegal email schemes attempting to steal money, financial data, and/or tax information. 2018 saw well over 2,000 instances of these attempts, compared to approximately 1,200 incidents in 2017. The lack of proactive protection, coupled with IRS workers being furloughed, has left our private data devastatingly at risk.

During the shutdown, Senator Ron Wyden (D-OR), of the Senate Intelligence Committee, inquired in a letter to Treasury Secretary Steven Mnuchin and IRS Commissioner Charles Rettig about the impact the shutdown was having on their operations, specifically pertaining to cybersecurity.

“Is there increased risk of taxpayer ID theft if IRS tries to maintain normal operations during a shutdown?" Wyden, who's also the ranking member of the Senate Finance Committee, asked in the letter. "For example, if IRS is working with a skeleton staff as a result of the shutdown, is there an elevated risk that cybercriminals filing fraudulent returns with stolen taxpayer identities will be able to steal taxpayers' refunds? Will IRS be able to detect, let alone thwart, these fraudulent attempts?”

The IRS typically assists in dealing with phishing attacks. Part of the agency is responsible for assisting targeted individuals and providing advice to the public. Generally, scams should be reported to the Federal Trade Commission, however, they were critically shorthanded as well – even the link for reporting attacks was broken.

Though the IRS recalled a “significant portion” of its personnel to work without pay during the shutdown, there will still be little support for much beyond essential services, meaning little help for responding to minor attacks and phishing scams. According to a congressional aide, 14,000 of the 26,000 staffers recalled to work without pay at IRS processing and call centers did not arrive to work during the shutdown. It has also been reported that the shutdown will force certain functions of the tax processing systems at the IRS to be delayed for up to a year. Furthermore, the IRS purportedly experienced high turnover within their information technology division - approximately 25 IT staffers resigned in search of other jobs.  Additionally, the agency lost two dozen more employees due to retirements. If there is another shutdown in two weeks, which seems likely, the issue will only be further prolonged.

Fortunately, there are some ways to protect yourself. Basic security hygiene applies: make sure to never open links or attachments from unknown or suspicious origins, as both are potential sources of malware. Use strong passwords, security software, and multi-factor authentication. Hyperlinks could even send you to an imitation website. Should you enter your information, cybercriminals could use it for the purposes of identity fraud; they could even sell or auction it to other criminals on the deep or dark web. Even more worrisome, taxpayers should be aware the IRS does not initiate spontaneous contact, asking for personal or financial information. Any emails you receive asking for your information purporting to be from the IRS should be disregarded.

The era of digital privacy is long gone. Taxpayers need to be aware phone scams, or ‘robo calls’, have become increasingly common. If you receive a phone call or text message from someone claiming to be from the IRS, you can rest assured it’s a scam. These scammers often attempt to intimidate or scare the victim by threatening legal fees, arrests, criminal charges and even deportation. Just hang up or delete the text message. The IRS corresponds through email only and will never call or text demanding payment. Be sure to share this information with elderly loved ones, since they are often vulnerable and targeted.

Many people tend to be overly confident in their ability to identify and avoid phishing attacks. After all, those Nigerian princes never did fool you, right? Interestingly enough, data suggests those 55 and older significantly outpace those aged 18-29 in their ability to spot phishing scams. It seems we would be wise to conduct ourselves online with a healthy dose of humility and skepticism. That said, the elderly who have entered retirement are still the most vulnerable class of citizens. Scammers view the elderly as more likely to be lonely, and hence more willing to listen and trust than younger individuals. In the interest of protecting your loved ones, please make sure to broach the subject with your parents, grandparents, or anyone who might be especially vulnerable to such phishing attempts.

As our technology becomes increasingly connected, security attacks have become increasingly dangerous. Most individuals tend to reuse the same password over multiple accounts or devices, enabling data exfiltration to rapidly spiral out of control. Even more alarming, the amount of real-world damage due to the loss of data or personal identification has multiplied exponentially over the last decade. Unfortunately, our virtual protection is still very much tied up with real-world security, and even more terrifyingly, with politics. With the IRS feeling the effects of the shutdown and tax season kicking into high gear, we need to be on our guard more than ever.

Monica Pal is the CEO for 4iQ, a cyber intelligence company operationalizing the intelligence cycle from open source collection and data fusion to secure collaboration on complex ongoing investigations.

Get daily email updates

SC Media's daily must-read of the most current and pressing daily news

By clicking the Subscribe button below, you agree to SC Media Terms and Conditions and Privacy Policy.