In recent years, identity theft cases have surged, especially during tax season. According to the Internal Revenue Service (IRS), in 2022, the federal agency identified and prevented USD 5.7 billion in tax-related fraud, and much of that can be linked to identity theft, highlighting how significant the problem has become.
Cybercriminals are more sophisticated than ever. They are using phishing attacks, malicious websites, and many forms of fraud to steal taxpayers’ identities. To make matters worse, there has been a recent increase in the number of data breaches resulting in the leakage of personally identifiable information, specifically the leaking of social security numbers (SSNs). The flood of stolen SSNs combined with a steady increase in the number of online tax filings has resulted in a greatly increased opportunity to the fraudsters, and increased risk for all taxpayers.
In this article, we examine the many tactics modern fraudsters have at their disposal and what taxpayers can do to protect themselves from these attacks. These days, threat actors can impersonate the IRS or tax preparation companies, create fraudulent websites, or send phishing emails designed to steal SSNs and financial information. They also may simply obtain lists of stolen and leaked identity information from which to initiate their fraudulent tax claims.
One reason cyberattacks spike around tax season is that cybercriminals are well aware of how the US tax filing workflow operates and the anxiety taxpayers face while filing. These attacks really started to pick up back in the 2016 tax season when crafty fraudsters started developing websites and phishing campaigns designed to exploit the inherent trust between taxpayers and the IRS. Since then, we have seen a consistent increase in identity theft driven tax fraud as new vectors of attack have come to light, such as the shift from paper returns to online returns that was prompted by the Covid-19 pandemic.
Recent years have also seen a rise in the emergence of synthetic identity theft, where fraudsters create entirely new identities by combining real and fake information. This trend allows criminals to open new accounts, obtain credit, and file false tax returns, all under a completely fabricated identity. This is especially troubling when considering the leak of 270 million social security numbers and other personally identifiable information in early 2024 from National Public Data – a data service company that provided background checks for institutional clients. For those taxpayers whose information was leaked, the damage is likely to continue. It is possible that threat actors will use that event along with the power of artificial intelligence to design novel tax fraud threats at scale. Buckle up, this is going to be a long tax season.
This all just points to the need for heightened diligence on the part of the average person. Below is a list of proactive steps that will help protect your personal and financial information:
Cybercriminals are adapting, and taxpayers must do the same to protect their identities in an increasingly digital world.
Denis Calderone is a Senior Managing Director who leads Cyber Security Services within the Digital Investigations and Discovery group in J.S. Held’s Global Investigations practice. He joined the company in October 2022 following J.S. Held's acquisition of TBG Security. Denis brings nearly three decades of experience in the information technology field, with more than 20 years dedicated to information security. He holds multiple security certifications, including the CISSP and CISA certifications. His key technical expertise is in network and application penetration testing as well as Vulnerability Assessments, Security Policy, Development, Regulatory and Standards Compliance Testing. Denis also plays a CISO / CSO on-demand role for numerous consulting customers. Previously, he led the technical consulting arm of TBG Security and performed the role of CSO. Prior to TBG Security, Denis worked for Exodus Communications as part of their Northeast Security Practice, and for Lycos as their information security engineer.
Denis can be reached at [email protected] or +1 516 621 2900.
In this article, we explain how these digital threats can adversely affect personal privacy and detail some steps you can take to reduce online exposure and risk....
This article focuses on the growing use of online tracking technologies such as pixels, cookies, and more, to collect information about users and the risk to consumer privacy, especially in the healthcare industry. More significantly...
In this article, we will be examining the technical and business impacts of a ransomware attack and what steps should be performed after ransom payments have been made. We will explore the common errors most...