Tax Season: Cybersecurity Dos & Don'ts For Businesses

As Tax Day approaches, cybercriminals may prey on anxieties and upcoming deadlines to target and deceive individuals, businesses, and government entities.

According to data collected by the Federal Trade Commission’s Consumer Sentinel Network, 2.4 million cases of fraud were reported in 2022, generating $8.8 billion in total consumer losses. A common goal of fraudsters, especially those that use cybercrime tactics, is to obtain personally identifiable information about individuals.

Tax season offers especially lucrative opportunities for cybercriminals. In the run-up to Tax Day — which, in 2023, will fall on Tuesday, April 18 — criminals may target online tax software, accounting firms, and businesses’ HR/payroll units to either steal funds and/or collect protected data and taxpayers’ personally identifiable information, such as Social Security numbers.

For example, the Internal Revenue Service (IRS) was targeted in 2015 when hackers successfully stole the personal information of roughly 100,000 taxpayers by abusing software offered by the IRS to American taxpayers. The data included several years of past tax records and personally identifiable information, later used to submit fraudulent tax returns totaling approximately $39 million, according to Senate testimony by the Commissioner of Internal Revenue.

Common tax season threats

Organizations can be targeted through a variety of methods:

  • Deception via emails, texts or social media. Cybercriminals often use email, and increasingly texts or direct messages through social media channels, to deceive an individual into providing protected and confidential information and/or funds. These deceptive messages can also lead the recipient to click on links or open attachments that result in malware being installed. With respect to tax filings, human resources employees are often tricked into sharing employees’ W-2 forms and/or installing malware that gives attackers access to an organization’s internal networks. With the employees’ W-2 forms and personal information, cybercriminals can file false tax returns and steal refunds — and identities. They can open credit cards in employees’ names, file for unemployment benefits or sell the data. These types of messages can also deliver malware, including ransomware, which can severely impact the organization and its business operations.

  • Telephone scams. Both the IRS and the Federal Communications Commission have warned taxpayers that they may be targeted in telephone scams during tax season. Cybercriminals impersonating individuals working in payroll or HR may reach out to other employees within the same organization. Cybercriminals can also impersonate the IRS, threatening unsuspecting individuals that their Social Security numbers will be canceled or suspended, or demanding that an unsuspecting employee in HR, for example, turn over taxpayer information for certain employees. Artificial intelligence tools that impersonate human voices are becoming increasingly easy to access, making it harder for targets to detect scams.

  • Malware through online platforms. Some organizations issue tax forms to employees through third-party services that allow employees to access their tax documents via online portals or software. Through social engineering or phishing, hackers or other bad actors can capture the login credentials of an organization’s employees, use them to obtain important documents and statements, and then implant malware into these files, putting the organization’s network at risk. A simple request to review a document for accuracy can initiate an immediate attack or allow a cybercriminal to quietly monitor the network until they believe it is the right time to steal and act on the sensitive data.

Targeted industries

Cybercriminals go where the money is, targeting organizations that hold potentially valuable — and lucrative — personally identifiable information and protected health information. For this reason, retail, healthcare and financial services organizations have historically been seen as high-risk industries. In the context of tax season schemes, bad actors often focus on companies that handle an inordinate amount of W-2 paperwork, such as financial institutions and tax service providers. They also often directly target large employers across several industries. In 2017, for example, criminals obtained W-2 information and Social Security numbers for the employees of two healthcare organizations. In one case, a cybercriminal impersonated an executive staff member to obtain information for about 1,400 employees. Using this approach, criminals can obtain taxpayers’ information, which they can later leverage to demand ransoms from organizations or commit identity theft, and continue to manipulate those organizations’ networks.

The human factor

Human error remains one of the most common causes of cyber incidents. For example, 82% of data breaches in the year ending Oct. 31, 2021, involved the human element, according to Verizon. The remote working environment that has developed since the start of the COVID-19 pandemic exacerbates this risk, contributing to an uptick in phishing attacks. Individuals working from home, for example, are less likely to double-check requests for important or sensitive information, as they may not be in an “office” or “work” mindset. Responding to emails on mobile devices after work hours can also lead to human error, as individuals often reply quickly without second-guessing or reviewing the request.

In addition, the IRS reported that 90% of individual tax returns were filed electronically in fiscal year 2021, which makes clear the opportunity for threat actors: With more individuals and organizations using email and the web to send confidential and valuable financial information during tax season, hackers have more incentive to target this time of year.

Depending on the jurisdiction, there are also several holidays with extended weekends in the run-up to Tax Day. Dr. Martin Luther King, Jr. Day, Presidents’ Day, and other holidays present opportunities for hackers because individuals are out of the office and cannot detect incidents as quickly as they would if they and their information technology and security teams were at work.

Managing risk

Organizations can take several steps to mitigate these types of risks. Among other actions, organizations should:

  • Train employees and leadership, including:

    • Conducting simulated phishing exercises.

    • Explaining how to scrutinize any requests for employees’ personal information or tax documents.

  • Verify payment instructions, including building verification and authentication procedures and policies for funds transfers or requests for personal information.

  • Employ good cyber hygiene practices, such as:

    • Establish the principle of least privilege – evaluate who is using and/or sharing tax documents, Social Security numbers and other personally identifiable information, and evaluate whether they need such access to perform their job functions.

    • Ensure the use of unique passwords, particularly for HR portals, which should not be shared, and require that HR encrypt all tax-related documents before sharing them with employees.

    • Regularly back up enterprise data, and use offsite storage and encryption.

    • Deploy endpoint detection and response tools.

    • Segment networks and infrastructure.

    • Establish a regular patching cadence.

    • Require multifactor authentication.

    • Use antivirus software.

    • Create and regularly update incident response and business continuity plans.

  • Audit your contracts with vendors and other third parties that store, have access to and/or share your organization’s data.
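The verification step above is easiest to apply consistently when inbound requests for tax data are screened automatically before a person acts on them. The following Python script is an added illustration, not code from the original article or from Lockton: it triages constructed sample e-mails, flags those that ask for W-2s or Social Security numbers, and holds for manual verification any that also show impersonation indicators (an external sender domain, a display name matching an internal executive but a different address, a mismatched reply-to, or urgency language). The internal domain `example.com`, the `DIRECTORY` entries and the sample messages are all assumptions constructed for the example.

```python
"""Triage inbound e-mail requests for tax documents before HR responds.
Added example; the domain, directory and messages below are constructed."""
import re
from email.utils import parseaddr

INTERNAL_DOMAIN = "example.com"  # assumption: the organization's own mail domain

# Assumed internal directory: display name -> mailbox (constructed sample data).
DIRECTORY = {
    "Jane Doe": "jane.doe@example.com",  # constructed: a finance executive
    "Sam Lee": "sam.lee@example.com",    # constructed: a payroll lead
}

# Phrases that indicate a request for tax data or taxpayer identifiers.
TAX_REQUEST = re.compile(
    r"\b(w-?2s?|social security|ssns?|tax (returns?|forms?|documents?))\b", re.I)
# Pressure language typical of impersonation attempts.
URGENCY = re.compile(r"\b(urgent|asap|immediately|right away|today)\b", re.I)


def assess(msg):
    """Return the list of reasons a message deserves scrutiny (empty if none).

    `msg` is a dict with lowercase header keys: from, subject, body and
    optionally reply-to.
    """
    reasons = []
    text = msg["subject"] + " " + msg["body"]
    if not TAX_REQUEST.search(text):
        return reasons  # not a tax-data request; out of scope for this check
    reasons.append("requests tax documents or SSNs")

    from_name, from_addr = parseaddr(msg["from"])
    _, reply_addr = parseaddr(msg.get("reply-to", ""))
    from_domain = from_addr.rsplit("@", 1)[-1].lower()

    if from_domain != INTERNAL_DOMAIN:
        reasons.append(f"sender domain '{from_domain}' is external")
    expected = DIRECTORY.get(from_name)
    if expected and expected.lower() != from_addr.lower():
        reasons.append(f"display name '{from_name}' matches an internal person "
                       f"but address '{from_addr}' does not")
    if reply_addr and reply_addr.lower() != from_addr.lower():
        reasons.append(f"reply-to '{reply_addr}' differs from sender")
    if URGENCY.search(text):
        reasons.append("uses urgency language")
    return reasons


def verdict(msg):
    """'hold' when a tax-data request carries at least one impersonation
    indicator; otherwise 'deliver' (routine or legitimate internal traffic)."""
    return "hold" if len(assess(msg)) >= 2 else "deliver"


# Constructed sample messages (not real mail).
SAMPLES = [
    {"from": "Jane Doe <jane.doe@example.com>",
     "subject": "Q1 planning", "body": "Let's meet Tuesday to review the forecast."},
    {"from": "Jane Doe <ceo.office@mail-example.net>",
     "reply-to": "ceo.office@mail-example.net",
     "subject": "URGENT: W-2s needed",
     "body": "Please send all employee W-2 forms today as a single PDF."},
    {"from": "Sam Lee <sam.lee@example.com>",
     "subject": "W-2 reconciliation",
     "body": "HR, please confirm the W-2 totals match payroll before filing."},
]

if __name__ == "__main__":
    for m in SAMPLES:
        print(f"{verdict(m):8} {m['subject']!r}")
        for r in assess(m):
            print(f"         - {r}")
```

Holding a message is not a final judgment: the point is that the requester is called back on a number from the directory, not from the e-mail, before any W-2 leaves the organization, which is the out-of-band verification the list above calls for.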

Insurance considerations

Depending on the nature of a specific event, various coverages may be implicated. Crime policies may offer coverage for loss of funds resulting from social engineering, as may a cyber policy. Cyber insurance can also come into play for the expenses of investigating, remediating, and mitigating an incident in which an organization’s systems and/or protected information are compromised as a result of falling victim to a tax season related scheme. Depending on the nature of the incident and the resulting claims, other policies may be implicated as well, so it is essential to work with your broker to ensure proper notice is given under your insurance policies.

Additionally, some cyber insurers offer pre-incident services to policyholders, including penetration testing, phishing and social engineering simulations, employee training, incident response plan development and tabletop exercises. An organization’s broker can help facilitate the dialogue with the organization’s insurer about any loss control service offerings available as a policyholder.

For more on this topic, please contact your Lockton advisor or email cyber@lockton.com.