Are you procrastinating like many of your peers about filing your tax return? Waiting until the last minute to have your accountant work on your return even if you have a refund coming? If so, it may not be a good idea, since from December to March it’s tax scam season. If you don’t know what this special season is or that data shows that it peaks in March, read on.

Tax-related scams targeting both consumers and businesses are on the rise and there seems to be no respite in site. It’s getting so bad that the IRS published a warning in December describing variations on this scheme, along with some warning signs that we will outline below. These scams come in many forms, such as W-2 phishing, overdue tax payments and fraudulent tax returns, but before I give you tips on protecting yourself or your business, let’s take a closer look at one of these.

W-2 Phishing

In order for us to file our taxes, a W-2 is issued by our employer. Those of us who do consulting may receive a 1099 but there is not much of a difference to a scammer. In a previous article I described various email compromises and this scam is just a variation of the ones I outlined previously.

This scam is not like a general phishing, email which is usually not directed solely towards you and is sent to hundred if not thousands of people. The W-2 or 1099 scam involves hackers doing some homework about your company in order to obtain information about you and your co-workers.

How It Works

The attacker needs to do some homework about your company. They will usually find out who handles your payroll, either through social engineering (see previous articles) or even social media where your payroll manager may have their job responsibilities in their LinkedIn profile.

The next step is impersonating someone at an executive level within your company. Typically, the email appears to come from the CEO or CFO. The message is often written using the language you would expect from your senior executives. Many times, the hackers will create company email letterhead using your logo to add more legitimacy to the email.

The email is sent to someone that would normally handle payroll data as we described above. The scammer usually asks the individual to send the W-2s or 1099s directly to them because there is an urgent matter to deal with. Once all of the W-2s or 1099s are sent, they will use the information within them to perpetrate fraud, many times filing fraudulent tax returns with refunds (see below). Information may include employee social security number, name, address and income.

How Can You Protect Yourself?

Whether you are an employer, employee of a company or a consultant there are some tips that can help you minimize your chances of being defrauded by tax scams. The tips below can be shared with your employers, employees, clients and anyone else you retain tax information about.

If you receive any requests to provide sensitive employee information, verify that the requester is (1) legitimate and (2) really needs that information. Usually, CEOs don’t request W-2 or 1099 information about their employees.

If you receive an email from the IRS, remember that they don’t demand immediate payment or specific payment methods. Also, the IRS will usually send you an official letter in the mail if they require anything from you. Remember that the IRS probably doesn’t have your email address unless you correspond with them on a regular basis so they wouldn’t be able to send you an email in the first place.

If you receive a phone call demanding immediate payment for monies owed to the IRS, ask them for a phone number where you can call them back. This will usually end in them hanging up. If you have elderly parents or friends, make sure they never give the caller any specific payment method such as a credit card number, even if the caller states that they will be arrested for non-payment. Unfortunately, the elderly are usually the best targets of these scams, and remember that the IRS will first mail you a bill if you owe any taxes.

Use a tax preparer you know personally or through a trusted referral. Also make sure that when any confidential information is exchanged with them it is done in a secure way. Sending your tax return without it being encrypted or at the very least having it password protected is not a good idea.

Ask your tax preparer how they are protecting your information after you send it to them, especially if you are a business that sends large amounts of information to them. Ask them if they have a cyber security program in place that will stop would-be hackers from breaching or breaking into their computers systems and stealing your data.

If you prepare and file your taxes by yourself, make sure that the software you are using is legitimate. A new emerging twist to stealing your data is where hackers set up “free” tax preparation software on the internet, which only steals your information and doesn’t prepare anything except a fraud. Stick with brands such as TurboTax or H&R Block if you want to do this yourself.

File your tax return as soon as you are able to so you can submit it before a fraudster has a chance to file in your name. Unfortunately, many hackers have seized on this scam and will submit fraudulent tax returns with hefty refunds in the name of people whose information they stole as we described above.

In the final analysis, common sense still is the best defense against tax-return fraud. By remembering the tips above and keeping your confidential information safe, you will greatly reduce this and other forms of fraud.

By Moshe Zahler

Moshe Zahler is the co-founder of Proactive Cyber Security, LLC, which assists small- to medium-sized businesses in protecting their confidential and critical data. He has practiced cyber security for over 20 years and has worked for corporations such as American Express, Deloitte, Republic National Bank and HSBC Bank. He can be reached at [email protected].