It’s like clockwork. An opportunity arises — be it tax season, an election year, a natural disaster, year-end or other time of uncertainty or vulnerability — and the scammers go wild.
Using email, text, phone calls and other tactics, criminals hit the digital pavement, manipulating employers and employees to relinquish money, pay for fraudulent or unnecessary services, hand over sensitive personal or business data or take other actions that could result in legal trouble and financial loss.
While some of these scams are easy to spot, cyber criminals are increasingly sophisticated in their attacks. Knowing what to look for and how to respond is instrumental in keeping every single taxpayer safe — businesses and employees alike.
Popular cyber scams
Each year, the IRS releases its Dirty Dozen list, highlighting the most prevalent taxpayer-targeted scams. While this list isn’t exhaustive, it offers a valuable overview of the types of scams you and your employees should be on the lookout for.
Here’s an overview of what’s on the IRS’s most recent list:
- Phishing and smishing scams: Emails and texts claiming to be from the IRS that encourage taxpayers to click suspicious links, download malware files and share sensitive data, such as passwords, Social Security numbers, bank information and more.
- Employee Retention Credit (ERC) schemes: Dishonest service providers and impersonators may still be making false claims about ERC and refund eligibility. Although these schemes have slowed down since the IRS officially stopped processing ERC claims, it’s important to stay cautious and ensure you are only getting information from a trusted source.
- “Helpful” online account setup: Fraudulent service providers are offering to help taxpayers set up IRS accounts with the goal of gaining unauthorized access to tax and financial information that can be used to commit identity theft.
- False Fuel Tax Credit claims: Promoters and return preparers are misleading taxpayers into believing they are eligible for a Fuel Tax Credit when they are not, putting taxpayers at risk while collecting fees for themselves.
- Compromise “mills” for IRS debt resolution: Companies promising they can reduce taxpayer debts at a discount are charging high prices for services that are unnecessary or easily accessible through free IRS resources like the OIC Pre-Qualifier tool.
- Fake charities: Fraudulent organizations are posing as legitimate charities to solicit donations and gain access to personal information. These schemes are particularly active after major disasters and during high-giving seasons. Before making a contribution, always verify a charity's legitimacy using resources like the IRS’s Tax Exemption Organization Search tool.
- “Ghost” tax preparers: Unlicensed preparers are filing incomplete or false returns, disappearing with taxpayer refunds or charging high fees for their fraudulent services.
- Tax advice on social media: Scammers are using social media to spread false tax advice, often swindling taxpayers into paying for unnecessary or fraudulent services and activities.
- Spearphishing and new client scams: Scammers pose as prospective clients, often using fake email addresses to impersonate real taxpayers in an attempt to access a tax professional’s client data or systems.
- High-income target scams: Scammers are targeting wealthy individuals with aggressive tax-reduction schemes, some involving art donation deductions, charitable remainder trusts (CRATs) and monetized installment sales.
- Schemes involving international elements: Scammers are attempting to lure U.S. taxpayers into tax-evasion activities involving international elements, such as illegally placing assets in offshore accounts, foreign individual retirement arrangements, digital currencies and more.
- Bogus tax avoidance strategies: Related to number 11 above, promoters are also selling tax-avoidance strategies related to conservation easement contributions, micro-captive insurance arrangements and more.
Tips to safeguard against cyber scams
There’s no surefire way to avoid cyber attacks, but there are important precautionary steps you and your employees can take to protect against active, new and future scams. Here are a few tips to get you started:
- Scrutinize emails: Stay vigilant when it comes to your inbox. Look at actual email addresses, not just display names. If it’s an email address you don’t recognize, this should raise a red flag. Report any suspicious activity directly to your IT department. They should investigate the potential scam and report any suspicious communications to the IRS.
- Hover over hyperlinks: Whenever you receive an email with a hyperlink, always hover your cursor over it to view the actual URL. By doing this, you can confirm the URL is actually related to the company it purports to be from and that it’s secure. To ensure the url is secure, look for the "s" in the https portion of the URL (versus an http url without the "s").
- Think before you click: If you overlook the actual email address (which is easy enough to do), the content of the email can be the next best indicator that something’s amiss. Never click on a link or attachment included in an email, especially if it’s requesting login information. Sensitive personal information should never be sent over email. Instead, go directly to the source. Directly contact the sender or a trusted source like your HR team to confirm it’s a legitimate request.
- Stay informed: Make sure you are in the know about active and emerging cyber scams by following news updates from the IRS and FBI. Also, make sure security is paramount throughout your organization, and everyone is informed of scams that could impact them. If the right precautions are put in place and you’re able to establish a security-first culture, you’ll be in a much better, more informed position.
- Be on high-alert during vulnerable periods: Whether it’s year-end, holiday shopping season or any other busy or vulnerable time, scammers are ready and eager to strike. Knowing which scams are popular during certain times of the year can help. But take this one step further and make vigilance a group endeavor by holding “cyber security huddles” and appointing “security captains” to head up communications during scam-prone times.
- Use multifactor authentication: Multifactor authentication adds an extra layer of security by requiring users to provide two or more forms of identity verification before they’re able to log in to a system. This way, even if a hacker obtains a user’s password, the scammer will need another unique identifier to access the account.
- Use strong passwords: While multifactor authentication is helpful in reducing security threats, it is also important to have strong passwords to begin with. As discussed in another B2E blog, passwords should ideally have at least 15 characters and contain a combination of letters (uppercase and lowercase), phrases, numbers and symbols. Do not use the same passwords for every account. Also, instead of using default or temporary passwords that come with accounts or devices (including printers), create your own. To make managing and remembering a high volume of unique passwords easier, consider using a password manager.
- Keep current on security updates: Security patches are regularly released for all devices and popular web browsers. Remember how critical these are. It’s easy to ignore the frequent messages about security updates, but they’re important. They’re released to fix inevitable security loopholes that scammers can exploit, and should be downloaded and installed as soon as they are available.
- Leverage anti-phishing software: Anti-phishing software can help detect and block malicious content contained in emails and websites by alerting the user of suspicious activity. Many web browsers integrate this software with a toolbar that displays actual domain names, which helps users identify fraudulent websites that are mimicking legitimate ones. Because this software is often integrated with web browsers, it’s especially important that you also keep browsers up-to-date.
- Monitor changes to bank information: From time to time, employees will need to change their direct deposit information. To ensure this is done safely and securely, it’s always a good idea to verify directly with an employee if they are changing their bank information. If you receive a direct deposit change request via email, give the employee a call to confirm the request came from them.
- Secure wireless networks: If your wireless network isn't secure, cybercriminals could be stealing your data without you even knowing it. Follow these steps to protect your wireless network:
- Change the default password of your wireless router and follow the strong password guidelines in number seven above.
- Reduce the wireless range (or power), so you're only broadcasting as far as needed. To do this, log in to your router's WLAN settings and lower the Transmit (TX) power, which is likely under an "advanced settings" option.
- Do not name your router something that's personally identifying, such as the name of your company. Also, disable the service set identifier (SSID) broadcast so it can't be seen by anyone who doesn't need to use your network.
- Do not use wired-equivalent privacy (WEP) to connect your computers to the router, as this is not secure.
- Do not use public Wi-Fi at coffee shops and airports when accessing business email or sensitive documents.
Security with HR and payroll technologies
It goes without saying that the human capital management (HCM) technology you use to manage your payroll and HR needs to be secure. After all, this is a technology that houses a lot of sensitive business and employee data, including Social Security numbers, birth dates, addresses, tax information, benefit details, healthcare documentation, financial information and more.
Whether you’re evaluating a new HCM technology or making sure your existing solution is secure, you need to know what to look for. Here are a few important security-related checkpoints that every system should have in place:
- Meets the American Institute of Certified Public Accountants SOC1 Type II and AT101 SOC 2 Type II criteria for security, availability and confidentiality
- Undergoes regular audits by a reputable, third-party firm
- Meets EU/US Privacy Shield Framework criteria
- Utilizes redundancy and regular backups, so data is never lost in the case of a server or system failure
- Data encryption and secure transmission
- Secure login requirements
- Password storage that utilizes modern hashing algorithms
- Use firewalls, antivirus software, routine security maintenance with regular patching and have security protocols and escalation processes in place.
To learn about the world-class infrastructure, security and support that comes with our HCM solution, UKG Ready, download our handy resource today.