For most Americans, Tax Day (April 15) is a dreaded, recurring deadline (or headache) on the calendar that many will put off and scramble to meet in time. But for cybercriminals, it’s the perfect time to deceive victims out of their hard-earned money and valuable personal and financial data.
And as you may have suspected, hackers are getting more sophisticated in their attempts to trick and steal leading up to Tax Day. In recent weeks, AppRiver reported that a tax-themed phishing attack is already underway. Attackers have posed as the popular global human capital company, Automatic Data Processing (ADP), and are emailing users to tell them their W-2 is ready.
Links in the email lead users to domains that were registered that day, which ask for users’ ADP login credentials. From there, malicious hackers will use those credentials to log into the real ADP portal and attempt to alter direct deposit forms and redirect funds to a fraudulent account. They may also find tax documents to file a phony tax return and steal the user’s tax refund, or simply gain access to their banking information.
Another email campaign was also recently reported. It simply tells users their signed W-9 tax form is ready. Opening the attachment launches Microsoft Word, which then asks them to ‘enable content’; doing so infects their computer with the Emotet trojan.
In another tax-related fraud event, last year TurboTax experienced a data breach that compromised an undisclosed number of users’ tax returns. Hackers used a method called credential stuffing, in which login information from previous data breaches is used to gain access to user accounts, in this case TurboTax accounts.
The following tips will help protect you during tax season.
File taxes early
Most tax returns are filed within the last possible weeks before the deadline, but those who file early leave a smaller window of opportunity for hackers.
Power up your passwords
One of the simplest, and most often overlooked, lines of defense against cybercriminals is password strength. Despite being warned time and again, many Americans have simply ignored expert guidance, but it’s never too late to strengthen your passwords with the following:
- Do not reuse the same password on multiple websites
- Create passwords that are long (16 characters) and impossible to guess
- Change your passwords routinely
- Consider using an encrypted password management tool that generates random passwords for you
- Utilize multi-factor authentication whenever available
Be suspicious of financial emails and their attachments
It’s important to remember that the IRS will never initiate contact through email, text or social media to request personal or financial information from taxpayers.
- Watch out for emails that appear to be from a trusted banking, accounting or financial source and contain an urgent message or instructions.
- If an email looks questionable, do not click its links, and do not download software or apps from within the email or from pop-up ads.
Maintain strong security practices on your computer
Be sure to use security software that updates automatically, along with encryption programs to protect sensitive digital data. Users should also take advantage of multi-factor authentication as often as possible and always back up files.
Sign up for scam alerts
Staying aware of new scams will strengthen your defenses. The FTC offers consumer email alerts as it uncovers new scams, many of which are tax related.
With a little extra prevention, you can drastically reduce the chances you’ll fall victim to tax or cybersecurity fraud this year.