As people get ready to file their taxes in many parts of the world, cybercriminals are getting ready too. Tax-return time is open season for cybercrime, and it's likely to be worse this year because so many people continue to work from home on various devices that are connected to unsecured networks. Although cybercriminals use other sophisticated tactics to steal information, social engineering scams are low-hanging fruit, especially during tax season. Fortunately, everybody can take steps to avoid falling victim to a social engineering tax scam. 

Types of Social Engineering Attacks to Watch Out for

Cybercriminals are out in force, eager to prey on the stress and uncertainty surrounding tax season. Attacks may take the form of phishing email campaigns or phone calls from people claiming to be from the IRS or a collection agency. To appear legitimate, scammers may use stolen data with personal information, such as Social Security numbers. 

Cybercriminals use a "spray and pray" model for phishing campaigns. They send thousands of emails, hoping that at least one person will fall victim to the attack. On the other hand, spear-phishing attacks are a targeted form of phishing that can be more difficult to detect because the emails are personalized to appear as if they were sent by someone the recipient knows. In the past, spear phishing was challenging to implement, but now some advanced cybercriminals use machine learning and artificial intelligence to execute these attacks more efficiently.

Who Are the Targets of Social Engineering Attacks During Tax Season?

During tax season, the prime targets for tax refund scams are Green Card holders, small business owners, new taxpayers under the age of 25, and older taxpayers over 60. Cybercriminals assume these people may be less informed about tax policies and what to expect, so they may be more vulnerable to emotional manipulation. For example, the scammer may claim that the potential victim has missed an important tax deadline and pressure the victim to act quickly. 

How to Protect Yourself Against Tax Scams

If you know what to look for and how to handle suspect emails or phone calls, you can avoid becoming a victim of tax season social engineering attacks. Here are a few tips for effectively defending against social engineering attacks: 

• Look for grammatical issues and typos. Often, phishing emails contain errors that are easy to spot. If a message includes several spelling or grammar errors, odds are good that it is not legitimate.
• Be skeptical. Always consider any unexpected emails or phone calls claiming to be from the IRS or other governmental agencies to be suspect. If you are concerned about the legitimacy of a sender or caller, don't give the person any information. Instead, contact the IRS or governmental agency directly to verify the caller's identity. 
• Don't share personal information. Don't give out your Social Security number or credit card information over the phone or via email. Scammers may pressure you to do so and try to convince you that something terrible will happen if you don't act immediately. Hang up or delete the email. 
• Warn family and friends who may be vulnerable to attacks. Share cybersecurity information with others and encourage them to get educated. The Fortinet NSE Training Institute offers cybersecurity awareness training that covers key cybersecurity terms, the motivations behind cybercrime, attack methods, and protection tactics.
• Use a VPN when connecting to public Wi-Fi.Public Wi-Fi is a convenient way for attackers to spread ransomware. Whenever you are connected to a public Wi-Fi network, it's important to connect to a virtual private network (VPN) to create a sort of "tunnel" that your data passes through, which can only be accessed with an encryption key. That said, a VPN keeps outsiders from sneaking into your connection and placing malware in your tracks.

Always be sure to use a trusted VPN provider. A VPN provider could potentially eavesdrop on your traffic, a problem generally mitigated through end-to-end encryption. However, the more reliable and trustworthy your VPN provider is, it should help you sway against possible nefarious bad actors. 

• Use firewalls and advanced endpoint protection to help prevent attacks.Organizations need to make sure they have next-generation firewalls (NGFW) that can scan the traffic coming from both sides, examining it for malware and other threats. In this way, a firewall can determine where a file came from, where it is headed, and provide other critical information to determine whether it contains ransomware. In addition, equipping employees with the right endpoint protection is vital since they are the target in this scenario. For example, advanced endpoint protection can proactively shrink the attack surface, prevent malware infection, detect, and defuse potential threats in real-time, and automate response and remediation procedures with customizable playbooks.

Knowing what is and isn't normal communication from the IRS or equivalent is critical, particularly during tax season. If you do encounter an IRS-related phone or email scam, you can report it to the Treasury Inspector General for Tax Administration using the form on the IRS Impersonation Scam Reporting website or by sending an email to [email protected] with the subject line "IRS Impersonation Scam."

Educate Yourself and Stay Safe During Tax Season 

Although tax season can be stressful, knowing the signs of a social engineering attack can keep you from becoming a victim. By learning how the IRS contacts individuals, what constitutes a legitimate message, and what information should be provided, you can stay ahead of cybercriminals and keep your data out of their hands.

Fortinet made all of its self-paced online courses from the Fortinet Training Institute free to all in an effort to help foster the cyber workforce of the future and educate anyone about cyber hygiene and cybersecurity. Whether you know very little about cybersecurity, are a student, or already have a career in computer science, these courses are designed to give participants a foundational and advanced understanding of cybersecurity tools and principles as well as the threat landscape. Learn about how you can become cyber aware and educated.

Learn more about the Fortinet free cybersecurity training initiative, the Fortinet NSE Training program, Security Academy program, and Veterans program. Keep updated on the latest industry trends: Industry Perspectives