I went to buy a bed with my sister the other day and the salesman was chatting away telling us how he couldn’t get his state refund because someone had stolen his identity and collected his refund.  

This issue is not new and all of us in Security Risk have heard of these scams.  Here is some information I collected to help others from not falling into this trap.  Clearly, your refund is at risk whether it comes in the good old fashion mail or if you e-file.

A tax preparer was accused of swindling close to $2 million in refunds through his tax preparation business.  Colleagues of Diego Rojas say he took advantage of people who were new to this country. U.S. Marshals arrested Rojas and he has been locked up since.  Just as egregious is the former postal worker that pleaded guilty to stealing income tax refund checks worth more than $443,000 from people along his New Jersey mail route.  He delivered mail in Pennsauken. Prosecutors say he admitted stealing 72 U.S. Department of the Treasury checks totaling $443,000 and giving them to other people, who weren't named in court documents. Fishman says those people paid Champagne $50 per stolen check in 2014. Each charge carries a maximum penalty of 15 years in prison.  Was it worth it?

“It’s important to realize that tax documents contain a plethora of personally identifiable information (PII) about people, such as wage information, Social Security numbers, home addresses, and place of employment.

Once these documents are obtained, the criminals would have everything they need to perform tax refund fraud; effectively stealing tax refunds owed to others. Because these documents contain a so much information, they can help the scammers commit identity fraud in addition to tax refund fraud.

Examples of phishing emails to be on the lookout for:

  • Fake IRS and TurboTax emails claiming the recipient’s tax refund is restricted or their account has been locked
  • Fake IRS-branded emails asking the recipient to update their tax filing information
  • Fake email claims saying a tax payment was deducted and includes a “receipt”
  • Fake email from the IRS seeking proof of identity documents because “You are eligible to receive a refund”
  • W2 phishing emails targeting employees”


Norton Community Advice

“With the IRS’s due date of April 18th looming overhead, fraudsters are rapidly trying to cash in on tax refunds. Over the past two weeks, we’ve seen an increase of BEC (business email compromise) fraudster scams involving requests for employee’s W2 taxpayer information. In this scam, the scammer pretends to be a member of upper management, and targets a more junior member of the organization. The phishing email requests that the target send employees’ W2 forms for inspection.

It’s important to realize that these documents contain tax and wage information for employees as well as their social security number, home address and employment location. Once these documents are obtained, the criminals would have everything they need to perform tax refund fraud; effectively stealing tax refunds owed to workers. In addition to tax refund fraud, these documents contain a plethora of information that can help the scammer commit identity fraud as well.

This group sends emails from what appear to be stolen email accounts and match the compromised domain. A different “Reply-to” address is set in the email so that when a victim replies, the reply goes to an account under the attackers’ control, and not to the address it appears to have originated from. In the past 12 days, this group has used at least eight stolen domains for sending emails and has sent over 600 emails to victims.

For W2 fraud, these are some of the email subjects we are seeing:

Subject: Request For All Employees W2s
Subject: Request For All Employees W2s, Monday 29th February, 2016

In addition, employees should keep the following tips top of mind:

  • Be cautious of links and attachments in emails from senders you don’t recognize or are requesting actions that seem unusual or don’t follow normal procedures. Avoid providing personal information when answering an email, unsolicited phone call, text message or instant message.
  • Additionally, do not reply to any emails that seem suspicious. Obtain the sender’s address from the corporate address book and ask them about the message.
  • Never enter personal information in a pop-up web page or anywhere else that you did not initiate.
  • Keep security software and all other software programs updated.
  • Report security warnings from your Internet security software to IT immediately, chances are, they aren’t aware of all threats that occur.”


IRS Advice-How Do You Know It’s a Scam? 

“There are different forms of phishing tactics. Criminals may try to trick you into giving away your personal information via emails, Social Media messages, IMs, text messages, and even Internet chat rooms. Sometimes criminals may try to fool you into installing a malicious program, known as spyware, which can track and record the information you enter into your computer. Below are some of the commonly used tactics and warning signs you should be on the lookout for:

  • Phishers, pretending to be legitimate companies, may use email to request personal information and direct recipients to respond through malicious websites. Phishers have been known to use real company logos, and will also use a spoofed email address, which is an email address that is like the actual company’s address. However, the address may be misspelled slightly or come from a spoofed domain.
  • Emails may come in the form of a help desk support ticket, a message from your bank, or from someone soliciting money via a 419 scam.
  • Phishers tend to use a call to action. You may get a notice that an account is being shut down and you need to log into it to avoid that from happening. They may also request personal information to verify your identity.
  • Phishing websites can look remarkably like legitimate sites because they tend to use the copyrighted images the original sites.
  • Fraudulent messages are often not personalized and will often have misspellings of words and company names.

These telephone scams are being seen in every part of the country, and we urge people not to be deceived by these threatening phone calls,” IRS Commissioner John Koskinen said. “We have formal processes in place for people with tax issues. The IRS respects taxpayer rights, and these angry, shake-down calls are not how we do business.”

The IRS reminds people that they can know pretty easily when a supposed IRS caller is a fake. Here are five things the scammers often do but the IRS will not do. Any one of these five things is a tell-tale sign of a scam. The IRS will never:

  1. Call to demand immediate payment, nor will we call about taxes owed without first having mailed you a bill..
  2. Demand that you pay taxes without giving you the opportunity to question or appeal the amount they say you owe.
  3. Require you to use a specific payment method for your taxes, such as a prepaid debit card.
  4. Ask for credit or debit card numbers over the phone.
  5. Threaten to bring in local police or other law-enforcement groups to have you arrested for not paying.

If you get a phone call from someone claiming to be from the IRS and asking for money, here’s what you should do:

  • If you know you owe taxes or think you might owe, call the IRS at 1.800.829.1040. The IRS workers can help you with a payment issue.
  • If you know you don’t owe taxes or have no reason to believe that you do, report the incident to the Treasury Inspector General for Tax Administration (TIGTA) at 1.800.366.4484 or at www.tigta.gov.
  • You can file a complaint using the FTC Complaint Assistant; choose “Other” and then “Impostor Scams.” If the complaint involves someone impersonating the IRS, include the words “IRS Telephone Scam” in the notes.  [See update at top of page.]

Remember, too, the IRS does not use unsolicited email, text messages or any social media to discuss your personal tax issue. For more information on reporting tax scams, go to www.irs.gov and type “scam” in the search box.”