What you need to know about tax identity theft this tax season
Welcome to your March 2018 Savvy Cybersecurity newsletter. As we enter tax season, it’s important to be aware of the tax identity-theft scams targeting the public this year. We’ll cover that in more depth in this newsletter, as well as:
- How the Equifax breach was worse than originally reported
- A new threat to your MySSA.gov account
- What your Smart TV knows about you
- And much more
But first, let’s cover the biggest threat this month: tax identity theft.
What you need to know about tax identity theft this tax season
Tax identity theft has been a massive threat for years. Recently, however, the IRS has made progress on catching fraudulent tax returns before money is paid out. Last year, the IRS stopped $4 billion in fraudulent tax returns. This year, it may be a different story.
Experts worry that this tax season could bring more fraud than we’ve seen in recent years. The reason? The Equifax breach exposed 143 million consumers’ Social Security numbers and other personal data. Congress has just discovered that this other personal data included tax identification numbers.
The amount of personal data exposed makes it easy for tax identity thieves to file fraudulent tax returns in your name, collecting your tax refund check for themselves. The best way to protect yourself from this threat is to file your taxes as early as possible—before the thief has time to file in your name.
If a tax return has already been filed with your information, the IRS will alert you. If you file your taxes online, you will be notified right away. If you send your documents in through the mail, you will receive notice via a mailed letter. If someone has filed in your name, be sure to alert the IRS of the fraud immediately by filling out Form 14039.
But it’s important to be on the lookout for other tax scams as well. The IRS is already reporting on a multitude of scams this season. For example, in one scam a fraudulent tax return is filed in the victim’s name and the check is deposited in their account. The victim is then contacted by a thief posing as a debt collector who informs them that the deposit was a mistake and the funds must be paid back immediately.
Scammers claim to be calling from a company called DebtCredit and have created a realistic-looking website that they direct victims to visit. The website includes a video that explains the frequency of mistake payments from the IRS and references personal information of the victim such as Social Security number and bank routing information. The webpage also shows details of the debt collector, including a photo, name, telephone number, and email address.
This scam, in particular, is believed to have begun with phishing messages targeting tax preparers’ offices. Experts believe that malware was loaded onto tax preparers’ computers and was designed to steal information saved on the device.
It’s important for tax preparers and individuals to keep an eye out for scams over the next few months. Remember that the IRS will only contact you via mail about an issue. If you receive a call or an email and you are unsure, hang up and call the IRS directly to inquire.
Emerging threat: Social Security benefits stolen by thieves
Security expert Brian Krebs reported on a new trend this month that involves a couple’s Social Security benefit being stolen by a hacker. The couple had created an account online with the Social Security Administration but were delaying collecting their benefit. The wife then received written notice she had successfully signed up for benefits and that $11,000 would be transferred out of her SSA account. But she never requested this. It was later discovered that a thief had impersonated the woman by calling the SSA and signing up to receive her benefits. Creating an account at MySSA.gov is important, as it prevents others from opening an account in your name. However, as this story illustrates, you must continue to check your account regularly to protect your benefit.
Equifax breach exposed more than originally reported, according to documents seen by the Senate Banking Committee. In addition to names, Social Security numbers, addresses, and birth dates, it is now believed that credit card information and driver’s license numbers were breached as well. An Equifax spokeswoman says that consumers will be notified by mail if their credit card information was exposed.
Chase online banking glitch allowed some to view other customers’ bank account details for nearly three hours. Chase is not sure what caused the issue but confirms that it was a problem with its system and not caused by a malicious third party. If you have a Chase bank or credit card account, be sure to check your statement carefully to be sure that no money has been moved.
Grammarly browser extension flaw exposed all of users’ data. The software, installed on users’ browsers, checks users’ writing for spelling, grammar, and punctuation as they type. Google Project Zero discovered and alerted Grammarly to a flaw which potentially allowed hackers to access everything a user typed. Grammarly quickly closed the vulnerability. Users should update the extension as soon as possible.
The Consumer Financial Protection Bureau has scaled back its investigation into the massive Equifax breach. Mick Mulvaney, the new head of the bureau, has not ordered subpoenas against the credit reporting agency, according to sources. Equifax is, however, under investigation by every state attorney general as well as the Federal Trade Commission after exposing the data of over 140 million consumers.
Your Smart TV may be opening your home to hackers. A new report by Consumer Reports discovered that Smart TVs expose more information than consumers realize while having poor security. Consumer Reports took a close look at Samsung, LG, Sony, TCL, and Vizio TVs and found that all were tracking consumers’ watching behavior. Experts say you can opt out of being tracked in your TV’s settings. Samsung and Roku TVs failed basic security tests—allowing hackers to take control of the TV by changing channels, increasing volume, and playing videos from YouTube.
Over 400,000 Americans were not notified about criminals using their Social Security number to get a job due to an IRS programming error. The error caused only new victims of this strain of identity theft to be alerted while those who had been victims in the past were not notified if their Social Security number was fraudulently used again. The IRS plans to notify these victims going forward.
Tech support scam hitting Google Chrome users at a high level, according to Malwarebytes. Google Chrome users (even those running the most up-to-date version of the browser) should be aware of browser alert scams that ask for credit card information for help from fraudulent tech support desks. Consumers should remember that companies do not usually reach out to you regarding tech support.
Malware attacks the Olympic opening ceremony. Being called “Olympic Destroyer,” the malicious software shut down Wi-Fi, TV monitors, and the Olympic website prior to the opening ceremonies. Experts believe the attacks originated from Russia as a response to the team’s doping ban. Interestingly, experts also say that the attacks had the ability to do much more damage, but it appears as though the hackers did not fully go through with the attack.
Identity theft monitoring services are not using the best security to protect your accounts. Many of these companies, including LifeLock, do not use two-factor authentication technology on user accounts. Two-factor authentication is a technology used during the log-in process. After entering your username and password, a one-time code will be sent to your phone via text message. You must enter this code on the log-in page to access your account. These companies hold all of your personal information, so if a hacker learns your username and password, they can steal your data by logging in as you. Two-factor authentication would prevent this, as they would not be able to access your one-time code. It’s also important to remember that these services do not offer the best protection for your identity. A credit freeze is much more effective.
Nearly half of all small businesses have been hacked, according to a new poll from CNBC. And more often than not, these hacks occur because of employee mistakes. For example, many employers do not require basic security features like two-factor authentication on email accounts. Other cybersecurity issues affecting small businesses are phishing emails, weak passwords, and a lack of data backup files.
Adobe: As usual, Adobe released a patch for Adobe Flash Player after hackers started exploiting multiple vulnerabilities. Adobe is phasing out Flash Player and it will no longer be supported come 2020. If you do not use Flash, remove it from your devices and browsers. If you need Flash, be sure you are running version 220.127.116.11. Additionally, Adobe released an update for Adobe Acrobat Reader which closes nearly 40 different vulnerabilities. You can learn more here.
Microsoft: Microsoft released updates closing over 50 security holes in Windows, Internet Explorer, Edge, Outlook, and Microsoft Office this month. Some of the vulnerabilities can allow hackers to gain access to your network through malicious links or code. Your device should prompt you to update automatically but you can learn more about the updates here.