The combination of tax season and the pandemic gives cybercriminals new ways to scam businesses and individuals. Here’s what you should know.
Key insights
- Many phishing scams and emails appear to be legitimate requests from reputable organizations.
- Cybercriminals looking to access your sensitive information will find ways to create urgency in hopes you will click a link and share your data.
- Consider simple tips to help you stay alert and resist phishing attempts.
Do you want to discuss your organization’s cybersecurity plan?
Tax season and the pandemic have combined to form a situation ripe for financial and tax-related scams. COVID-19 and subsequent stimulus funds have provided new ways for cybercriminals to steal personal information, spread malware, and take advantage of unsuspecting businesses and individuals.
As you prepare your tax returns in 2021, keep these examples of potential cybercrime on your radar.
Watch for popular phishing scams
IRS: Action needed now!
You may receive a legitimate-looking email that supposedly came from the IRS. It might convey urgency that there’s something wrong with your tax return, or that you can receive an early stimulus payment if you act now. This is one of the most common phishing scams, and can also be one of the most damaging.
Similarly, you may receive a phishing email branded like a popular tax software company, informing you that your account has been locked. In these instances, the goal is to entice you to click on a link and submit personal information that can be used to gain access to your sensitive accounts.
Requests to update your tax filing information
Another scam email claims you need to update your “tax filing information” on your tax return. Most of these phishing emails contain a link to a fake — yet legitimate-looking — website (often called a “spoof” site) where cybercriminals capture and then use your personal information. In some cases, rather than sending a link, a scammer will attach a professional-looking form and instructions to return the document with your personal bank account information.
“A tax payment has been deducted from your account”
An unexpected notification that money was deducted from your account will come as a shock to almost anyone. Naturally, many will click on an attachment or link disguised as a deduction receipt. This “receipt” contains a malicious file that allows cybercriminals to gain access to your personal bank account information. Before clicking on any links or opening any documents, contact your bank to see if there are any signs your account was compromised.
Remember, the IRS will never reach out to business owners directly by phone or email. If this happens to you, it’s likely a hacker is attempting to gain access to your information, accounts, and systems.
Fake charities
Following a major crisis or disaster, scammers often try to exploit a business’s goodwill efforts to support worthwhile causes. These criminals pose as charities or concerned individuals seeking your help, and ask you to provide personal financial information, online payments, your Social Security number, or even cash through the mail.
Consult the IRS’s online feature to look up legitimate tax-exempt organizations.
Knowing is half the battle
Keep these tips in mind to help your business, finances, and employees stay on the lookout for scams:
- The IRS will always contact you via a 507IC letter, not by phone or email.
- Beware of emails containing typos or addressing you as “sir,” “madam,” or “taxpayer.”
- Do not click on any links or open any attachments claiming to be from the IRS “Income Tax Department” or your tax preparation company.
- Report any emails claiming to be from the IRS by forwarding them to phishing@irs.gov.
- Never respond to unsolicited emails requesting copies of personal documents.
How we can help
Being aware and staying vigilant are the first lines of defense in protecting your tax information from cybercriminals. However, the risk still exists. At CLA, we can help you determine your organization’s level of risk, compliance with cybersecurity protocols, and preparedness to respond to a cybersecurity attack.