This week is Tax Identify Theft Awareness Week in the U.S. As tax filing season kicks off, it’s important to be on the lookout for tax scams. For the past few years, the Internal Revenue Service (IRS) has issued a Dirty Dozen list of tax scams, which in 2018 included phishing, fake charities, and return preparer fraud. The Equifax and Marriott data breaches may also lead to an uptick in tax fraud this season.
Here are some ways you can protect yourself. We encourage you to share these tips with your colleagues, family, and friends as appropriate.
File as Early as Possible
Even though tax returns are not due until April 15, we recommend filing as soon as possible to get ahead of potential fraudulent filings submitted on your behalf.
Be Vigilant About Suspicious Emails, Phone Calls, and Text Messages
Email scams may claim to be from the IRS or others in the tax industry, including tax software companies. These emails may ask the recipient to update or provide important information via a link to a website that appears to be an official IRS website but is actually fake. In addition, some of these websites may contain malware.
The IRS urges anyone who believes they may have received a fraudulent tax email to not click any links in the email and to forward the email to email@example.com.
Tax scams that happen via telephone call or text message often have common characteristics that you can look out for to identify a fake, including:
- Fake names and IRS badge numbers. Look out for common names and surnames.
- Scammers may know the last four digits of your Social Security Number.
- The IRS toll-free telephone number can be spoofed on caller ID.
- Telephone scammers may follow up with an email containing a link to a fraudulent website that is often malware-infected.
- Background noise that sounds like a call center.
- Scammers may threaten victims with jail time or driver's license revocation, then hang up and call back claiming to be the local police or DMV while also spoofing the numbers of these departments on caller ID.
- Foreign language use and claims that the call is from a foreign embassy investigating tax non-payment.
For more information, see the IRS' resources on identity theft prevention and detection.
Verify Schedule K-1 and W-2 Form Requests
We urge caution when responding to requests from purported investors, clients, employees, or tax advisers for K-1 or W-2 forms, as these requests may be fraudulent. Be sure to password-encrypt K-1, W-2, and 1099 documents when sending them to individuals, and do not distribute the password via email. We recommend that you use password-protected portals for transferring such documents.
Use a Shredder
“Dumpster diving” is more common than most believe. We strongly recommend that you use a modern, cross-cut shredder to dispose of sensitive documents that contain personal data, including any disposed tax forms.
Fraudulent charities have become common, and attackers use breached email boxes to send support requests for these charities to victims. Before providing a credit card or payment to a charity, validate whether the charity is legitimate.
We urge you to share this information with family, friends, colleagues, and staff. If you or someone you know has been the victim of identity theft or a fraudulent wire transaction, reach out to your local police department and/or the FBI for assistance. If you have any questions, please contact your ACA Aponix consultant or email us at firstname.lastname@example.org.
About the Author
Raj Bakhru, CISSP, is a Partner at ACA Aponix, the cybersecurity and IT risk division of ACA Compliance Group. ACA Aponix provides cybersecurity and technology risk assessments, vendor and M&A diligence services, network testing, and advisory services. Prior to ACA’s acquisition of the firm, Raj was Chief Executive Officer of Aponix Financial Technologists, which he cofounded. Before that, he led firm-wide software development and was part of the founding team at Kepos Capital, now a $2 billion global macro quantitative asset manager. Prior to Kepos, Raj served as a Vice President at Highbridge Capital, where he led the team building the firm’s proprietary order and execution management system. In addition, he previously worked on research and cross-asset-class algorithmic trading algorithms and software systems at Goldman Sachs Asset Management’s quantitative hedge funds.
Raj earned his BS in Computer Engineering from Columbia University and has received his CFA charter and his CISSP designation. In the course of his career, he has been frequently quoted in Ignites, HFMWeek, MarketWatch, The Cybersecurity Law Report, and other industry-leading publications on information security in financial services.