Tax season has begun, and it typically comes with a big uptick in tax-related scams.
There were nearly 7.8 million reports of suspicious activities in 2022, according to a recent report from the Identity Theft Tax Refund Fraud Information Sharing Mission & Analysis Center, a partnership between the IRS, companies and states.
The tax scamming is taking place during an environment of rising fraud across the nation. U.S. consumers lost more than $5.8 billion to fraud in 2021, a 70% increase from the year before, according to the Federal Trade Commission.
With online filing now the norm — the IRS said 92% of tax returns last year were filed electronically — cybersecurity is more important now than ever.
Popular tax filing platforms such as TurboTax, H&R Block and TaxAct invest in security and have to follow regulatory requirements around it. The big tax prep companies in the U.S. have to go through a compliance and audit process to be able to store data, said Nicholas Donarski, chief technology officer and co-founder of blockchain technology firm ORE System. He added this should lead tax filers to make sure they pick a reputable tax platform, and “not just the cheapest one.”
But just because tax filing platforms implement security measures doesn’t mean its users are off the hook when it comes to personal cybersecurity best practices.
“The biggest issue isn’t so much on the security program of providers as it is we humans as users of those platforms,” said Lisa Paggemier, executive director at the National Cybersecurity Alliance.
Here are steps consumers can take to protect themselves.
Use secure passwords and multi-factor authentication
Despite all the warnings about using secure passwords (tip: don’t use the name of a pet) and using different passwords for every website, few people actually do this.
Cybersecurity experts suggest using a password manager that stores account credentials. Despite recent headlines about some big password managers having their customer data hacked, using such an application is “still the most secure, so long as you secure that as well with multi-factor authentication,” Paggemier said.
Multi-factor authentication requires users to prove their identity in two ways, usually through a password as well as a one-time code sent to their phone or email, or a fingerprint. While TurboTax, TaxAct and H&R Block all offer multi-factor authentication and advise users to layer on this added cyber protection, it’s not required.
“This is an important step to help secure your online account from identity thieves,” said Kathy Pickering, chief tax officer at H&R Block. “Providing your mobile phone to do this is better than providing your email because it’s more secure and may be faster.”
File taxes promptly, before someone impersonates you
It’s understandable to procrastinate when faced with a dreaded task like filing taxes, but Paggemier said being prompt can help ward off potential fraud. The sooner you file, the “less time you give the bad guy to file on your behalf,” she said.
Tax filing fraud is similar to the many unemployment scams during the pandemic when scammers filed in other people’s names to steal benefits. With tax returns, scammers file a false return with fraudulent data and collect the refund.
TaxAct has built in an extra layer of security into its platform around Social Security numbers, which will notify users in case someone has already entered the same number. It also flags mistakes that legitimate users make when entering their Social Security number.
“It helps to either identify typos in your SSN that could delay your refund or alert you to possible preexisting identity theft,” said Mark Jaeger, vice president of tax development at TaxAct.
TaxAct said its platform will notify customers in case another return was filed using the same Social Security number, even if the initial filing was through a different software provider.
Another layer of protection is to get an identity protection PIN, which prevents someone else from filing a tax return using your Social Security number or individual taxpayer identification number.
The IRS sends a new IP PIN to victims of tax-related theft every year. This year, the agency has opened up the process, allowing anyone with a Social Security number or individual taxpayer identification number who can verify their identity to enroll in the program by filling out an application online.
Be alert for scam emails, texts and calls
Scam emails and texts occur year-round but tend to accelerate during tax season. Scammers may pose as IRS agents, tax preparation companies and other parties, the IRS has warned.
“You see an increase in the number of attacks … they use that emotional response, that fear that we call it in the industry FUD — fear, uncertainty and doubt,” Donarski said.
One twist this year: the arrival of ChatGPT, which could make scam messages harder to detect. Poor spelling or grammar and funky fonts or graphics have been common giveaways in past years, but the use of artificial intelligence like ChatGPT can change that factor.
Cybersecurity experts said the advice is still the same to ward off fraudsters: Don’t click on any links. If there’s any doubt, go to a site you know to be legit to check your tax filing, bank or credit card account, or call the official number listed on the back of a card or the official website.
Keatron Evans, principal cybersecurity advisor at Infosec, noted a recent increase in scam calls claiming to be from a tax provider, alerting victims that they’ve noticed a problem and should go to a website to download a plug-in. “People are now desensitized … so they feel like if they’re talking to a person, telling them to go click on a URL or something like that it’s probably more legit, when it absolutely is not.”
Phone scammers also frequently impersonate IRS agents, scaring victims by demanding immediate payment using prepaid debit cards, gift cards or wire transfer and threatening to bring in local police. The IRS has issued warnings about this scam and recommends that victims report it to the Treasury Department’s Inspector General using an online form or calling the agency, or reporting it to the IRS by email with “IRS Phone Scam” in the subject line.
Install tax prep software updates
Just as tax prep platforms need to ensure the security of data while in transit and when storing it, users should too by securing their home network and computer. Computers running on old software are more vulnerable to attacks.
“A lot of times, these software are vulnerable to attack and exploitation because bad guys know that at this time of year people are going to have these things installed on their computers. So they target them for vulnerabilities,” Evans said. To minimize this risk, install software updates for tax prep software or plug-ins as soon as they are available. That also goes for other software updates, such as the operating system or browser.
Secure Wi-Fi passwords can also help ensure security of the home network, in addition to making sure antivirus software is installed and up to date. For anyone who needs to use a public network for their taxes or any other sensitive information, cybersecurity experts advise using a virtual private network, or VPN.
Vet your accountant’s cybersecurity practices
Not all electronic tax filings are done through well-known tax platforms, with many filers working with accountants or accounting firms. Increasingly, tax professionals are also targeted by scammers. Cybersecurity experts said you should ask some questions about how the accountant is storing and backing up data, how they are securing it or encrypting the data, and how the office is secured.
“If you’re dropping tax documents into Google Docs or Google Drive or something like that, I would probably question where the storage is,” Donarski said since these files are not encrypted.
Accountants and accounting firms should be asking clients to upload to a secure platform or to use something like an Adobe- or Microsoft-encrypted file-transfer system. And with home offices more common, don’t hesitate to ask tax preparers about how they’re securing their home Wi-Fi network or if they use a VPN.
“You have to be your own champion when it comes to your privacy and your security,” Donarski said.