It’s tax season, and many businesses are worrying about the IRS. But according to tax and cybersecurity experts, they should be worrying about people who aren’t the IRS.
Tax season is a minefield of scams, with identity thieves and cybercriminals taking advantage of anxiety, scare tactics and taxpayers’ desire to stay on the right side of the law.
With that in mind, the IRS wants everyone to know what it won’t do.
The IRS won’t call, text or email you to ask for your personal or financial information. The IRS won’t deposit money in your bank account then demand you pay it back by wire transfer or gift card. The IRS won’t call to threaten you with arrest, deportation or suspension of your business license.
All these tactics, according to the latest tax scam alert from the IRS, are part of a criminal scheme claiming victims this tax season.
“After stealing client data from tax professionals and filing fraudulent tax returns, these criminals use the taxpayers’ real bank accounts for the deposit,” the IRS alert says. “Thieves are then using various tactics to reclaim the refund from the taxpayers, and their versions of the scam may continue to evolve.”
In one version of the scam, criminals pose as debt collection agency officials acting on behalf of the IRS. They’ll tell the victim their refund was deposited in error and demand that they forward the money to a phony collection agency.
In another version, the taxpayer who received the erroneous refund gets an automated call with a recorded voice pretending to be from the IRS and threatening criminal charges, an arrest warrant or “blacklisting” the taxpayer’s Social Security number.
Caller IDs are often altered so the call appears to be coming from the IRS, further confusing victims.
Overwhelming and traumatic
“I have family members and clients who have received some of these false telephone calls — it actually is a very overwhelming and traumatic experience,” said Jordan Empey, tax partner at SKR+Co.
His advice: “Just stay calm, call a professional, call people that you trust, and don’t overreact. What these people are really targeting is an instant reaction and you sending them money. You want to stay cool-headed and find out the facts.”
The sheer volume of attacks and the range of tactics criminals use are concerning, Empey said.
“It’s important to be aware. My motto is ‘If the CIA can get hacked, anybody can get hacked,’” he said. “It’s not something to be fearful of and stop operating, but you want to take precautions and be aware of emails with links, be aware of things that don’t look normal, and use common sense a little bit more.”
The phone scam is evolving and criminals are getting more sophisticated, according to Rick Lucy, director at BKD CPAs and Advisors.
“I’ve heard of where [scammers have called and] demanded payment and when you hang up on them, the next one will call you almost immediately and say they’re from the El Paso County Sheriff’s Office and that you’re going to be arrested unless you provide the information or pay the money,” he said. “The trick here is the IRS will not call you out of the blue; you will get a letter. They will not ask for money, they will not threaten law enforcement and they shouldn’t be asking for personal information over the phone.
“If it says IRS on your caller ID, it’s often best to just let your voicemail pick it up and then you can decide whether or not you want to respond to it. It’s a good tip [to defend against] all scammers.”
Other criminals work phishing attacks via email, looking to steal personal information, account numbers and W-2s. But, Lucy said, the IRS will not email individuals or businesses unexpectedly.
“Usually when you see something from the IRS most of us get sort of shaky because we’ve been trained to be nervous,” Lucy said. “I would recommend not opening emails claiming to be from the IRS that come in out of the blue. And if you do get something from the IRS that you might be expecting, you should hover [the cursor] over any hyperlinks in the email to verify they’re actually from www.IRS.gov, because the hyperlink … may lead somewhere else.”
HR, payroll prime targets
Business owners, human resources and payroll departments need to be especially vigilant because the wealth of personal and financial information they hold makes them prime targets.
Lucy recounts the cautionary tale of the Colorado company that was contacted by someone claiming to be the IRS.
“They said the W-2 file was corrupt, and the HR/payroll department went ahead and re-sent the entire payroll/W-2 file — all of their employees’ payroll and personal data — to a scammer,” he said. Using that information, the identity thief then filed for refunds pretending to be those employees.
“It’s very easy to fall prey, because the IRS is like the big hammer of Thor,” Lucy said.
People are generally eager to comply with anything the IRS demands. Scammers count on it.
Lucy’s advice: “Be vigilant. … Be attentive as to who you’re talking to and make sure you know who’s on the other end of the phone or who’s on the website or who you’re dealing with. Try not to give out any business or personal information without establishing that trust first.”
According to Lucy, who is also the president of the Denver chapter of the Information Systems Audit and Control Association, if you think you’ve been the victim of a cyber breach or a scam, “the best thing to do is not to keep quiet.
“File a local police report,” he said. “Make a lot of noise. File a complaint with the Federal Trade Commission. You may want to put a freeze on your credit reports — all three of them. Get hold of the Inspector General for the Internal Revenue Service and let them know.
“The more noise you make, the better off everybody’s going to be. The odds of actually catching somebody are pretty slim, but if they’re following the same pattern in the same geographical areas you may be able to have some impact and prevent other people from having the same problems.”
Gina Sacripanti, VP of marketing and public relations for the Better Business Bureau of Southern Colorado, also urged business owners to be vigilant and ready to report any suspicious actions.
“Knowledge is the first line in defense in protecting yourself from being a victim,” she said. “Many consumers turn to BBB for information on whether a company is trustworthy or not. If you know of a victim or have been scammed yourself, report it on BBB Scam Tracker [bbb.org/scamtracker/us]. You will help us bring this information to the community and law enforcement agencies, as well as help protect your fellow business owners.”
In 2017, 3,119 tax scams were reported to BBB nationally, Sacripanti said. Of those, 29 were in BBB of Southern Colorado’s service area.
Empey said businesses should do due diligence to understand how their accountant protects personal information. On the highest level, accountants should have:
• At least one secure method to exchange documents, such as a client portal or secure email;
• Up-to-date security measures to protect information once it is transferred. This may include anti-virus, firewalls, spam filters and secure VPN connectivity;
• Current backups of stored data;
• Protocols for password protection and change requirements; and
• Training for staff on cybersecurity awareness and information confidentiality.