By Dodi Glenn for AccountingWeb
‘Tis the Season for Data Breaches and Tax Scams
Tax season is well underway, making it one of the most popular times for individuals to become victims of scamming efforts, and companies and accounting firms to experience data breaches. According to the IRS, tax refund fraud is expected to soar this tax season, hitting $21 billion this year from just $6.5 billion two years ago.
But what makes tax season such a popular time for scams? Hackers see it as a prime opportunity to socially engineer victims due to the nature of tax season itself – people are expecting money back on their returns. Additionally, people are filling out forms, either on paper or online, which contain sensitive information, such as Social Security numbers, bank numbers, and more. This gold mine of Personally Identifiable Information (PII) to steal and sell on the black market yields a high return for hackers.
Recent Breaches
In January, TaxAct reported that about 450 customers may have had personal and tax return information stolen by cybercriminals. More recently, TaxSlayer reported that 8,000 of its customers’ personal information may have been compromised. Both vendors claim that the usernames and passwords used to compromise customer accounts were taken from a third-party vendor.
Best Practices
Companies like TaxAct and TaxSlayer are gold mines for PII, since they often contain names and addresses, Social Security numbers, bank account information, and other data contained on tax returns. Vendors need to be conducting regular security audits of their systems, including but not limited to penetration testing. They need to perform code audits on the software they are shipping, whether it is downloadable or on the web, looking for vulnerabilities well before the hackers do. When they house this much PII, they take on a greater responsibility of protecting data.
Just as important, companies need to make sure they are educating their users on best practices for both avoiding a breach and handling one. Employees should be trained on how to spot these types of attacks. Additionally, companies should have a strategic plan already in place in the event that a breach happens.
Customers are unfortunately at the mercy of the vendor, so there’s not much one can do to prevent their data from being stolen. However, at the very least, here are some proactive tips:
• Utilize a credit monitoring service
• Be cautious about what you are clicking on and downloading – during tax season, you might receive a fake email from the “IRS”, asking you to fill out a form online with your PII, or to download and run an attachment which contains malware.
• Ensure usernames and passwords are not the same for different accounts (e.g. your login for your Chase bank account should not be the same login for your Wells Fargo mortgage account, etc.)
• Make sure your computer is patched by running Windows Update
• Make sure your computer is running an antivirus application and that it is up to date
• Be aware if you owe money on your tax refund
• Use a trusted, reputable tax professional
• Turn in any questionable activity to the IRS or your accountant

Unfortunately, these scams won’t go away. We’ve seen them in prior years, and will continue to see them in the future. Companies and individuals need to be more proactive in the ongoing battle against data breaches and scams.