The days are getting longer and warmer, the birds are slowly returning, and flowers are in bloom. Spring has finally arrived and so has the 2022 tax season. While it might be the season of new beginnings, some old habits die hard and identity fraud is no exception.
A common occurrence close to the tax season is bad actors filing a tax return on a victim’s behalf. In any other instance, this might seem like a good thing, but filing your taxes only to get a response from the IRS saying your taxes have already been filed means that you’ve been a successful victim of identity fraud. These threat actors can then cash in on your hard-earned tax return for themselves, holding onto your details for potential further use.
Worryingly, it’s not difficult for a tax return to be filed in your name. All a threat actor needs in order to be successful is your personal tax identification number or your social security number. They then file the report with your stolen details and re-route any payments due to another bank account. The victim is only made aware when they go to file their returns only to find out it’s already been done, and by then it’s too late.
The easiest way to get this data and information is to harvest it online through an array of tactics. More often than not, it’s small businesses and individuals who get targeted in identity fraud attacks because cybersecurity is either lacking or non-existent.
Tax-related fraud is also a concerning issue that is on the rise. The FTC Consumer Sentinel Network reported that in Q1 and Q2 (which is peak tax season, there’s a trend here) there were nearly 80,100 instances of employment for tax related fraud. This is up from 62,935 in the same period in 2017.
With all this in mind, securing your details is the best line of defense in the face of attackers looking to steal your data – and subsequently your hard-earned finances.
Anti-Phishing Solutions
One of the most common ways to harvest sensitive credentials used in tax-related identity fraud is through phishing tactics. It’s incredibly popular with attackers due to how easy and cheap it is to orchestrate a phishing scam, usually not relying too much on expensive or complicated tech to operate.
Phishing, essentially, is where an attacker will send communications to an individual (either en masse or in a more targeted fashion), posing as a trusted figure or organization. These messages will often contain malicious links or malware-infected files that, once clicked, can either steal data or install malware on a device. Details can be harvested through a range of tactics, but a common phishing email technique during tax season is attackers posing as the IRS, asking for details, and requesting individuals to file a tax return through web channels, with links to malicious websites provided.
Attackers go to great lengths to make these communications seem genuine. Socially engineered tactics don’t require any tech involved, rather just focusing on subtly making a message appear genuine from a trusted figure or organization to entice users to click on any links or attachments or respond to the email with any pertinent information. These emails are often accompanied with tones of urgency, to trick the recipient into acting without thinking.
Other techniques are a bit more involved, such as spoofing, which uses tech to make an email appear genuine. Attackers will “spoof” the header of an email – the thing that tells a recipient who an email is from, making it appear genuine. only admins can determine whether an email is spoofed, making it impossible for end-users to spot these threats on their own.
Deploying anti-phishing solutions for email communications and other forms of channels is a strong solution in preventing a potential data breach that could see a fraudulent tax return filed on individuals’ behalf, as well as training staff to spot socially engineered threats when they appear in their inbox.
Securing Your Devices
Every device – be it desktop, laptop, mobile device, and so on – is a potential attack vector for an attacker to take advantage of to steal your credentials to be used for tax fraud. Securing your devices against these eventualities is a crucial step in ensuring that this doesn’t happen. There are several ways to do so, with the chance to use one solution or a blend of solutions for maximum security and peace of mind.
Multi-Factor Authentication
Multi-Factor authentication (MFA) is a security solution that protects user accounts and apps by adding an additional barrier to the login process. While traditional, single authentication processes just involve a single set of credentials like a username and password, MFA will incorporate this and one or more methods of authentication to make sure the user logging in is really who they say they are.
These additional authentication steps usually involve providing information that is either difficult or impossible to get, such as:
- Something you know: This is quite commonly an extra security question, like “What hospital were you born in?” or “Who was your favorite teacher in high school?”
- Something you have: Users will have to verify their identity through entering something they have, such as a one-time code from an authenticator app on their phone or with a special fob issued by their IT department.
- Something you are: This is often biometric based, such as a face or fingerprint scan which is usually done with a secondary device like a mobile phone.
MFA solutions can use one of these in addition to standard credentials, but with data breaches and hacking on the rise, using two or more from this list is becoming increasingly the norm.
While large scale solutions tend to dominate the market, individuals can still implement MFA solutions. Some vendors offer pricing plans based on how many users need the solution, starting from one user. PingIdentity is one such vendor that offers tailored solutions for individuals. Their PingIdentity for Individuals platform includes MFA solutions, as well as other identity-securing software.
Password Managers
Weak password management and poor password hygiene are often significant culprits when it comes to data breaches and subsequent identity fraud scams. It’s tempting to re-use old passwords or favor passwords that are simple because they’re easy to remember, but these practices create a huge risk with your accounts and subsequent sensitive information being potentially compromised.
The answer to this issue is having individual passwords for each account and application that are not just unique but complex too. They need to be long and unpredictable, with a mix of letters, numbers, and special characters, making them impossible to guess and hard to decrypt. It’s also wise to make sure they’re not stored anywhere unsafe, which includes computer files that can be easily accessed or on scraps of paper that can be taken, which creates another problem in and of itself.
Password managers are an air-tight, encrypted vault that secures all your passwords in one place. It helps enhance security for businesses – large or small – and can even be beneficial for individuals looking to streamline their login processes to their personal apps and platforms.
User credentials can be added to the vault and saved for later use, with some auto-suggesting strong passwords. These passwords will be encrypted inside the vault and can only be accessed with a master password, which is the only one a user needs to remember. They sign into the vault once at the start of the session, and the vault will automatically login to each required app or site by pulling the information from the vault.
For individuals, there are plenty of free solutions offered by leading companies. Dashlane is one such example, offering a free password manager for individuals for one device. Those who wish to add multiple devices or add family to the plan can do so from $3.99 per month. Family and Premium plans start at $59.99 per year.
LastPass also offers an affordable option for consumers, offering a limited version of their product for free. For those looking to expand capabilities, devices, and users, LastPass Premium is available for $3 a month, with LastPass Families costing extra.
Storing Your Data
Being mindful of how you store your sensitive data and information is also key to preventing identity fraud. Like with passwords, storing your priceless personal credentials in easy-to-access documents isn’t a good idea. Nor is it good having it lying around in plain view in public locations. Storing online data and files in encrypted data storage solutions can help add an extra preventative layer between your information and a threat actor.
Data storage can be hardware, software, or – as is getting increasingly popular – cloud. IDrive is a popular solution for consumers, offering online cloud backup that is tightly encrypted for $79.50 a year. It can store all files and data from multiple user devices into one space, not only making it secure but streamlined as well.
Antivirus And Malware Protection
Deploying antivirus and malware protection on devices might seem like an obvious thing, but it’s a step a lot of people miss. Having antivirus software installed contributes to your devices’ overall health which in turn prevents identity theft and fraudulent tax returns filed on your behalf.
Antivirus and antimalware software works in two main ways: the scanning of inbound programs and files and the scanning of already present programs and files in a hunt for anything harmful to prevent viruses and other forms of malware from infecting your devices. It will seek out, quarantine, and delete anything deemed malicious.
These preventative and remediative solutions are widely available in a range of pricing plans suited for both individuals and companies from varying sizes, from micro companies to enterprise-level giants.
Identity Protection Software
Identity protection software is a cybersecurity solution that aims to safeguard your personal details, shielding them from malicious actors. These solutions are often a blend of some – occasionally all – of the methods listed above, as well as some additional features such as VPNs, firewalls, credit monitoring, threat detection, and web monitoring. It keeps your devices secure from all forms of malware and stays on alert to make sure your personal information isn’t being used elsewhere.
Currently, in time for the 2022 tax season, Norton is offering a comprehensive antivirus and identity protection solution with their product Norton 360 with LifeLock Select. The solution offers real-time threat detection, VPNs, parental controls, credit monitoring, password management, and – perhaps the cherry on top – their branded LifeLock Identity Alert System. How this system functions is that users will be sent alerts if any of your details, including your social security number, name, address, date of birth, or anything else, is used in applications for credit and services – including filing a tax return. Other identity protection products are also available from McAfee and others.
Summary
Tax related identity theft may be on the rise, but with the right software installed and keeping data and information secured with the right practices, you can help safeguard your identity and your finances from being harvested. Storing data and information in a safe space, adding extra steps to sign in processes, and installing the right software can stop tax identity theft before it’s begun – and save your details from being compromised for a whole host of other unpleasant and damaging reasons.
And while having all these measures in place is good data hygiene for not just tax-related reasons, it doesn’t help to beat threat actors to the punch by getting your taxes filed as early as possible. One less thing to be taken advantage of and one less thing to worry about.
