Here we are at tax season’s eleventh hour. If you haven’t filed your taxes yet, and you’re thinking about doing it using tax preparation software, heads up! Five minutes of your time to read up on the tax prep scams that RiskIQ has uncovered may prove to be a smart investment.

With 90 percent of Internal Revenue Service (IRS) returns prepared electronically, it’s a feast cyber scammers are licking their chops to pounce on.

“This scam is targeting tax professionals and firms, attempting to steal highly sensitive client information, and, frankly, it’s not surprising,” RiskIQ threat researcher Jordan Herman told ConsumerAffairs. “Cybercriminals very often leverage holidays, events, and other important dates in their threat campaigns, so it makes perfect sense that a group is capitalizing on the tax deadline coming up.”

To get their hands on tax filers’ data, Jordan says, attackers are using the brand names of leading accounting firms and tax filing software to exploit consumers by creating fake mobile apps and landing pages.

“These facades fool consumers into downloading malware, using compromised sites, or giving up their login credentials and credit card information,” commented Jordan.

The findings

To get to the underbelly of how scammers work, RiskIQ went on a rather robust fishing expedition. It ran an analysis of sites in its Global Blacklist database against 2 billion site requests made by consumers, 40 million phone apps, and 600 million domain records looking for keywords related to the IRS and brand names of the major tax filing software companies.
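The core of the analysis described above is a keyword match: domain records are scanned for labels that contain the IRS or a tax-software brand name, and legitimate domains are set aside. The following is an added illustration of that kind of brand-abuse scan, not RiskIQ’s code or data; the keyword list, the allowlist of genuine domains, the digit-for-letter substitution table, and the sample domain records are all constructed for the example.

```python
import re

# Constructed brand keywords (assumption: the article does not publish RiskIQ's keyword set).
BRAND_KEYWORDS = ("irs", "turbotax", "hrblock", "taxact")

# Constructed allowlist of genuine hostnames / registrable domains that must never be flagged.
LEGITIMATE_DOMAINS = {"irs.gov", "intuit.com", "turbotax.intuit.com", "hrblock.com", "taxact.com"}

# Common digit-for-letter swaps used in look-alike names (assumption: a small illustrative table).
HOMOGLYPHS = str.maketrans({"0": "o", "1": "i", "3": "e", "4": "a", "5": "s", "@": "a"})


def normalize_label(label):
    """Lower-case a DNS label and undo digit-for-letter substitutions; hyphens are kept for tokenizing."""
    return label.lower().translate(HOMOGLYPHS)


def registrable_domain(hostname):
    """Naive 'last two labels' registrable domain; real code would consult the Public Suffix List."""
    parts = hostname.lower().strip(".").split(".")
    return ".".join(parts[-2:])


def flag_domain(hostname, keywords=BRAND_KEYWORDS):
    """Return a hit record if any label of the hostname carries a brand keyword, else None.

    Short keywords (under five characters, e.g. 'irs') only count as a whole hyphen-separated
    token or as the start or end of a label, so 'firstbank' does not match 'irs'.
    """
    host = hostname.lower().strip(".")
    if host in LEGITIMATE_DOMAINS or registrable_domain(host) in LEGITIMATE_DOMAINS:
        return None
    for label in host.split("."):
        norm = normalize_label(label)
        tokens = re.split(r"[-_]", norm)
        for kw in keywords:
            if kw not in norm:
                continue
            if len(kw) >= 5 or kw in tokens or norm.startswith(kw) or norm.endswith(kw):
                return {"domain": hostname, "label": label, "keyword": kw}
    return None


def scan_domains(hostnames):
    """Run flag_domain over a batch of domain records and keep only the hits."""
    return [hit for hit in (flag_domain(h) for h in hostnames) if hit]


# Constructed sample domain records (not real observations).
SAMPLE_DOMAINS = [
    "irs.gov",                      # genuine, allowlisted
    "turbotax.intuit.com",          # genuine, allowlisted
    "hrblock.com",                  # genuine, allowlisted
    "irs-refund-status.example",    # brand keyword as a token
    "irsgov-verify.example",        # brand keyword as a label prefix
    "turb0tax-login.example",       # digit-for-letter look-alike
    "my-hrblock-refund.example",    # brand name embedded in a longer label
    "firstbank.example",            # contains 'irs' as a substring only; must not be flagged
]

if __name__ == "__main__":
    for hit in scan_domains(SAMPLE_DOMAINS):
        print(f"{hit['domain']:32} label={hit['label']!r} keyword={hit['keyword']}")
```

The allowlist check runs before the keyword match so the brands being protected are never reported against themselves, and the token rule for short keywords is the main guard against false positives; a production scan would add the Public Suffix List, edit-distance matching for misspellings, and WHOIS or certificate data to prioritize the hits.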

“The findings confirmed that threat actors are using these well-known brands specifically to exploit tax season via both web and mobile,” Herman said.

Thanks to digital providers like Google tightening up their security features, cyber muggers are also having to change their game to pierce the veil of data security. RiskIQ says those scammers are pretty good at that game, too.

“Savvy threat actors will use convincing branding, language, and URLs to make phishing attempts more realistic and more difficult for users to quickly determine the email’s authenticity,” Jordan said.

“However, most brands have very little insight into how their branding is being used in threat campaigns across digital channels. This is a very bad thing because even though the legitimate brands, like the tax software providers in this instance, have nothing to do with the threat campaigns, many customers will still blame them. In general, people tend to directly associate the legitimate brands with the bad things that happen to them via the fraudulent use of their branded terms, seriously eroding trust.”

How bad is this? In its analysis, RiskIQ found 1,235 instances of phishing attempts targeting online tax filers and 468 Blacklisted URLs. For one of the most common e-filing services, it found close to 20,000 instances of domain infringement targeting that platform.

How can you protect yourself while filing your taxes online? Here are RiskIQ’s best suggestions:

  • Protect and secure any physical device on which you are preparing taxes with firewalls, anti-virus software, and anti-spyware software.

  • Use a trusted Wi-Fi network or VPN to file your taxes -- never use public Wi-Fi.

  • Before filing your taxes, answer these four questions:

    • Who owns the site?

    • Are they reputable?

    • How long has it been around?

    • Did I ask to be sent here?

Mobile analysis

The major plus for “official” tax filing mobile apps is that they’re incredibly secure -- there’s no way to store data on a consumer’s phone, and there’s added built-in security with tools like password protection, multi-factor authentication, and Touch ID account authentication.

That said, the cesspool of fake mobile apps pretending to be one of the brand name tax filing services is large -- 30 percent of the apps RiskIQ tested -- and alluring enough to trick consumers into downloading them. Once on a consumer’s phone, the fake apps have the potential to steal sensitive data or contaminate a user’s phone with malware or aggravating adware.

Scam app developers know no limits. What looks like something that came from H&R Block may have in reality come from some software snake in Siberia.

RiskIQ’s red flags for consumers to be on the lookout for are:

  • No developer listed for the app

  • The app came from someplace other than the official Google Play store or the Apple App Store

  • The app requires many permissions that are intrusive and have nothing to do with the purported functionality of the app such as the ability to access the camera, record audio, download data without notification, and change settings.

“Essentially, this (kind of) app can spy on everything a user does, even if they are not actively using their phone, change any setting on their phone, and download anything it wants without the user's knowledge,” Herman said.

As vexing as that appears, there are some avenues consumers can take to keep from being victimized by a fake app:

  • Be wary of applications that ask for suspicious permissions, like access to contacts, text messages, administrative features, stored passwords, or credit card info.

  • Just because an app appears to have a good reputation doesn’t make it so. Rave reviews can be forged, and a high number of downloads can merely indicate a threat actor was successful in fooling a lot of victims. Before downloading an app, be sure to take a look at the developer -- if it’s not a brand you recognize or has a strange appearance or spelling, think twice. You can even do a Google search on the developer for more clues about its reputation.

  • Make sure to take an in-depth look at each app. New developers, or developers that leverage free email services (e.g., @gmail) for their developer contact, can be big red flags—threat actors often use these services to produce large numbers of malicious apps in a short period. Also, poor grammar in the description highlights the haste of development and the lack of marketing professionalism that are hallmarks of mobile malware campaigns.
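The red flags listed under “RiskIQ’s red flags for consumers” and the checks in the list just above can be turned into a simple triage routine for an app store listing. The code below is an added example, not RiskIQ’s tooling: it encodes the article’s signals (no developer listed, distribution outside the official stores, a free-mail developer contact, and permissions unrelated to filing taxes) as checks over a listing record. The Android permission names are real, but which ones count as intrusive for a tax app follows the article’s examples, and the free-mail domain list and the two sample listings are constructed. The grammar-quality signal is left to a human reviewer.

```python
from dataclasses import dataclass

# Stores the article treats as official distribution channels.
OFFICIAL_STORES = {"Google Play", "Apple App Store"}

# Constructed list of free email providers (assumption: the article only names @gmail as an example).
FREE_MAIL_DOMAINS = {"gmail.com", "yahoo.com", "outlook.com", "hotmail.com"}

# Real Android permission names mapped to the article's plain-language description of each capability.
# Assumption: these are intrusive *for a tax-filing app*; other app types may legitimately need some.
INTRUSIVE_PERMISSIONS = {
    "android.permission.CAMERA": "access the camera",
    "android.permission.RECORD_AUDIO": "record audio",
    "android.permission.DOWNLOAD_WITHOUT_NOTIFICATION": "download data without notification",
    "android.permission.WRITE_SETTINGS": "change settings",
    "android.permission.READ_CONTACTS": "read contacts",
    "android.permission.READ_SMS": "read text messages",
    "android.permission.BIND_DEVICE_ADMIN": "act as device administrator",
}


@dataclass
class AppListing:
    """Fields a reviewer can read off a store listing (constructed record shape, not a store API)."""
    name: str
    source: str
    developer: str = ""
    developer_email: str = ""
    permissions: tuple = ()


def red_flags(app):
    """Return the list of article-derived red flags raised by one listing (empty list = none)."""
    flags = []
    if not app.developer.strip():
        flags.append("no developer listed")
    if app.source not in OFFICIAL_STORES:
        flags.append(f"distributed outside the official stores ({app.source})")
    contact_domain = app.developer_email.rpartition("@")[2].lower()
    if contact_domain in FREE_MAIL_DOMAINS:
        flags.append(f"developer contact uses a free email service ({contact_domain})")
    intrusive = [INTRUSIVE_PERMISSIONS[p] for p in app.permissions if p in INTRUSIVE_PERMISSIONS]
    if intrusive:
        flags.append("intrusive permissions: " + ", ".join(intrusive))
    return flags


def triage(apps):
    """Map each listing name to its red flags so a batch can be sorted by how many it raised."""
    return {app.name: red_flags(app) for app in apps}


# Constructed sample listings (not real apps).
GENUINE_LOOKING = AppListing(
    name="Example Tax Filer",
    source="Google Play",
    developer="Example Tax Software Inc.",
    developer_email="support@example-tax.example",
    permissions=("android.permission.INTERNET", "android.permission.USE_BIOMETRIC"),
)
SUSPICIOUS = AppListing(
    name="Tax Filer Pro Free 2019",
    source="third-party download site",
    developer="",
    developer_email="taxfilerpro123@gmail.com",
    permissions=(
        "android.permission.INTERNET",
        "android.permission.CAMERA",
        "android.permission.RECORD_AUDIO",
        "android.permission.WRITE_SETTINGS",
        "android.permission.DOWNLOAD_WITHOUT_NOTIFICATION",
    ),
)

if __name__ == "__main__":
    for name, flags in triage([GENUINE_LOOKING, SUSPICIOUS]).items():
        print(f"{name}: {len(flags)} red flag(s)")
        for flag in flags:
            print(f"  - {flag}")
```

Each check is deliberately a separate flag rather than a single score, because the article’s point is that any one of them deserves a second look; a listing that raises several, as the constructed suspicious record does, is the pattern the article describes for mass-produced malicious apps.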

Don’t be fooled by fake IRS contacts

If and when the IRS needs to contact a taxpayer, it normally makes the first contact by letter delivered by the U.S. Postal Service and not by email or phone; the agency does not send text messages or ping you on social media.

ConsumerAffairs recently wrote a thorough examination of what the IRS does and doesn’t do. If you haven’t filed your taxes yet, it might be worth your time to check it out.
