Tax Season Scams: How They Work and How to Avoid Them

Mar. 17, 2017 | by BioCatch

Benjamin Franklin famously said: "In this world nothing can be said to be certain, except death and taxes." Unfortunately, in today’s modern world, a third certainty is that there will always be those who try to cheat individuals out of their hard-earned money. 

At no time is this more of an issue than around tax time. According to Forbes, IRS scams are one of the top social engineering threats of 2017, and indeed of every tax season, in no small part because of the stress and anxiety that many taxpayers already feel during that period.

Phone-Based Scams

The key to any successful social engineering scam is to have enough information about the target to successfully convince them that the scam is legitimate. IRS scams are no different, with the scammers armed with enough information to convince the intended target they represent the IRS. To add to the deception, many scammers will use a spoofed phone number to make it appear as if they are calling from Washington, D.C.

Once the victim is convinced they are dealing with the IRS, the scammer then tells them there is a past tax debt due that has gone unpaid. The supposed debt is usually small enough that the average family is able to come up with the amount. Add a few threats as to the consequences of not paying and many individuals will come up with the money in an effort to avoid trouble. To ensure the payment is one-way, the scammers will insist on a transfer method that is untraceable and non-refundable.

Email Scams

Another popular way to dupe people during tax season involves sending them an email with a malicious attachment. With this type of scam, the email is designed to look like an official IRS email, complete with instructions for the recipient to carry out.

According to Trend Micro, one such scam involved sending the user a ZIP file with instructions to open it and fill out the attached IRS documents. In reality, the ZIP file contained malware designed to steal financial information and banking credentials from the user’s computer. Another example involved an email asking users to fill out and print the attached tax forms. In reality, attempting to print the forms triggered their transmission, along with all the sensitive data they contained, to the scammers.

How Consumers Can Protect Themselves

As with all potential scams, protecting oneself or one's company involves common sense and an understanding of how the IRS communicates. In the case of phone-based scams, the IRS does not call people making threats or demanding immediate payment through untraceable means.

For scams involving online transactions and social engineering, few methods are as effective as behavioral biometrics. Because many email-based scams rely on the user triggering malware that then carries out predefined tasks without any further interaction from the user, behavioral biometrics are the perfect way to stop such action.

Behavioral biometrics software works by seamlessly and discreetly monitoring a computer or mobile device, using some 500 points of data to compare how a user ordinarily interacts with the device and flagging when something suspicious occurs. This approach can be especially useful in combating remote administration tool (RAT) attacks, and even vishing attacks, where the user is tricked on the phone into logging on to their online bank account to transfer money, as a recent success case demonstrated. The basic RAT attacks rely on social engineering to convince the user to give the scammer access to their device via a built-in, operating system-level tool—a tool that by definition would not be flagged by most anti-malware software. The more sophisticated vishing attacks don’t rely on software at all; but behavioral biometrics technology can recognize if a user does not behave as they normally do.
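The paragraph above describes the idea at a high level: learn how a user normally interacts with a device, then flag sessions that deviate. The following Python sketch is an added illustration of that principle and is not BioCatch's model, code or data. It assumes four constructed features (mean inter-keystroke gap, the coefficient of variation of those gaps, mean mouse speed, and the share of events that are mouse events), a per-feature z-score against a baseline of earlier sessions, and a 3-sigma threshold; the sample sessions are constructed by hand. A real product would use far more signals, but the contrast it shows holds in general: a scripted session that types with machine-like regularity and never moves the mouse stands out sharply from the user's own history, while another ordinary session does not.

```python
"""Toy behavioural-baseline anomaly check over constructed input-event sessions.

Added illustration only: the features, thresholds and sample sessions below are
assumptions made for this example, not BioCatch's model or data.
"""
from statistics import mean, pstdev

THRESHOLD = 3.0   # assumed: flag a session when any feature is more than 3 sigma from baseline
STD_FLOOR = 1e-3  # assumed: avoids division by zero for features with no spread in the baseline


def make_session(key_gaps_ms, mouse_path):
    """Build a list of (timestamp_ms, kind, x, y) events from keystroke gaps and a mouse path.

    Constructed helper so the hand-written sample data below stays readable:
    n gaps produce n+1 keystrokes; mouse_path is a list of (timestamp_ms, x, y).
    """
    events, t = [(0, "key", None, None)], 0
    for gap in key_gaps_ms:
        t += gap
        events.append((t, "key", None, None))
    for ts, x, y in mouse_path:
        events.append((ts, "mouse", x, y))
    return events


def features(events):
    """Reduce a raw event list to a small feature vector describing how the session was typed and moused."""
    key_ts = [t for t, kind, _, _ in events if kind == "key"]
    mouse = [(t, x, y) for t, kind, x, y in events if kind == "mouse"]
    gaps = [b - a for a, b in zip(key_ts, key_ts[1:])]
    speeds = [  # pixels per millisecond between consecutive mouse samples
        ((x1 - x0) ** 2 + (y1 - y0) ** 2) ** 0.5 / max(t1 - t0, 1)
        for (t0, x0, y0), (t1, x1, y1) in zip(mouse, mouse[1:])
    ]
    gap_mean = mean(gaps) if gaps else 0.0
    return {
        "key_gap_mean": gap_mean,
        # coefficient of variation: a human's typing rhythm varies, a script's does not
        "key_gap_cv": pstdev(gaps) / gap_mean if len(gaps) > 1 and gap_mean else 0.0,
        "mouse_speed_mean": mean(speeds) if speeds else 0.0,
        "mouse_fraction": len(mouse) / len(events) if events else 0.0,
    }


def build_profile(baseline_sessions):
    """Per-feature (mean, std) over the user's known-good sessions."""
    vectors = [features(s) for s in baseline_sessions]
    profile = {}
    for name in vectors[0]:
        values = [v[name] for v in vectors]
        profile[name] = (mean(values), max(pstdev(values), STD_FLOOR))
    return profile


def score_session(profile, events):
    """z-score of each feature of a new session against the profile."""
    fv = features(events)
    return {name: (fv[name] - mu) / sd for name, (mu, sd) in profile.items()}


def is_anomalous(profile, events, threshold=THRESHOLD):
    """True when any feature of the session lies further than `threshold` sigma from the baseline."""
    return max(abs(z) for z in score_session(profile, events).values()) > threshold


# Constructed baseline: three ordinary sessions by the same (imaginary) user.
BASELINE = [
    make_session([120, 180, 150, 210, 130, 170],
                 [(0, 0, 0), (50, 30, 20), (100, 70, 60), (150, 90, 100)]),
    make_session([140, 160, 200, 110, 190, 150],
                 [(0, 10, 10), (40, 30, 40), (90, 60, 55), (140, 95, 80)]),
    make_session([100, 220, 160, 140, 180, 200],
                 [(0, 5, 5), (60, 40, 25), (110, 80, 45), (160, 100, 90)]),
]
# Constructed: another ordinary session by the same user (should pass).
LEGIT_NEW = make_session([130, 190, 160, 200, 120, 180],
                         [(0, 0, 0), (50, 30, 25), (100, 65, 55), (150, 95, 90)])
# Constructed: machine-driven input, perfectly uniform keystrokes and no mouse movement (should be flagged).
SCRIPTED = make_session([50] * 6, [])

PROFILE = build_profile(BASELINE)

if __name__ == "__main__":
    for label, session in (("legit", LEGIT_NEW), ("scripted", SCRIPTED)):
        z = score_session(PROFILE, session)
        verdict = "ANOMALOUS" if is_anomalous(PROFILE, session) else "normal"
        print(f"{label:9s} {verdict:9s}", {k: round(v, 2) for k, v in z.items()})
```

The detector never inspects what software is running, which is the point the paragraph makes about RATs and vishing: a session driven through a legitimate remote-access tool, or by a coerced user doing something they have never done before, is judged by how the interaction looks rather than by a malware signature.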

Behavioral biometrics can even be used at the ISP level to seamlessly detect and prevent RAT attacks before they become a problem for the customer. A British ISP, TalkTalk, recently discovered how difficult a challenge this can be without the aid of biometrics when the company blocked access to the popular TeamViewer remote desktop management tool. Despite the fact that hundreds of scammers were attempting to use the tool to defraud TalkTalk customers, there were many more customers using the software for legitimate purposes, leaving many with no way to conduct their business, and some even threatening to abandon TalkTalk for another ISP. With behavioral biometrics, such a fiasco could be avoided by working in the background without inconveniencing legitimate users or requiring them to abandon software they rely on.

Without a doubt, this time of year is a favorite of scammers. Preying on people’s desire to stay out of trouble and the anxiety that goes along with tax season, scammers are able to bilk people out of thousands of dollars per incident. For businesses, the price tag is even higher with an average cost of $43,000 per account.

While Benjamin Franklin may have lamented the inescapable nature of taxes, an even older proverb holds the key to avoiding the scams that go hand-in-hand with tax season: ‘To be forewarned is to be forearmed.’ By using good common sense, knowing how the IRS does and does not communicate and using behavioral biometrics, individuals and corporations alike can avoid becoming another cybersecurity statistic.

Topics: Fraud, Cybersecurity, Behavioral Biometrics, Malware