‘Tis the season for tax scams

Death and taxes ... and hackers.

As this year's tax day (April 18) approaches, we expect nothing less than a full-on scramble to get those 1040s in order. Likewise, C-Corp tax returns are due April 15. And whether you're a single filer, married and filing jointly, or filling out an 1120, now is the time to be extremely cautious about who you share your personal and business information with. 

Just like every year, tax scammers are at large. While some of their devious tactics can be spotted from a mile away if you know what to look for, others are far more sophisticated, and rooted in historical cases of data theft. 

Vishing, phishing and fraud, oh my

Without fail, around this time every year hackers start tapping into their old book of tricks. One of the most prevalent and well-known tactics is called vishing (also known as voice phishing). These scams involve fraudulent phone calls in which the dialer pretends to be from a legitimate organization. During tax season, the falsified identity of choice is "an IRS agent." Fraudsters will pose as representatives from the government agency claiming the call recipient owes money, and needs to pay immediately. They may then request payment information or provide an account number to wire money to.

Some vishing scams are harder to spot than others. For instance, an owner of a child nursery in the U.K. received a fake call from someone claiming to be her bank's fraud unit. They told her to transfer money into new accounts they made for her because her primary account had been compromised. Actually, they were hackers tricking her into wiring more than $120,000 to their own accounts.

IRS-themed vishing scams – and for that matter, phishing scams – on the other hand, are incredibly easy to spot. The reason? The IRS will never contact a taxpayer by phone, email, text or social media to request personal information. In other words, it's a dead giveaway of a scam if someone claiming to be from the IRS reaches out to you at all. If any doubts exist, hang up or close out that email, and call the IRS. Don't download any attachments, don't click on any links and definitely do not share your personal information. 

Beware of calls from IRS: The person on the other line is not who they claim to be. Beware of calls from IRS: The person on the other line is not who they claim to be.

Identity theft: When hackers bring in the big guns

"PII has a long shelf life on the dark web."

Last March, we wrote about an IRS breach that we referred to as "the Hydra of cyberattacks." The IRS initially reported that hackers stole $50 million in tax refunds by using pilfered personal information belonging to about 100,000 taxpayers. A few months after the initial announcement, the IRS raised the figure to 334,000 people. Another three months passed, and that number more than doubled to 724,000 taxpayers.

How hackers stole all the information they needed to access tax information is unclear, but it was most likely through a combination of prior phishing scams and data breaches. It's believed that hackers used previously pilfered PII to access tax history through an IRS web portal called "Get Transcript." Once inside, hackers could file as that person, or reroute refund checks to a different address. 

The unfortunate truth is that a lot of PII has a long shelf life on the dark web. Personal data that was stolen years ago, possibly even in a breach that was never detected, can be used at any time for nefarious purposes. Identity thieves will pay top dollar for this information in deep-web marketplaces. When and how they use that data is really up to the buyer.

The fact is, the moment an organization's or individual's information breached is just the beginning of stolen data's journey into dark, well-veiled corners of the web, and onto some fraudster's private server, until one unfortunate tax day, it makes a very inopportune reappearance.

Long story short, cybersecurity doesn't just protect a business's interest; it also protects the entire tax-paying population's data.