The Southbourne Tax Group: Beware the Latest Tax-Season Spear-Phishing Scam


You may have heard of the CEO scam: that’s where spear-phishers impersonate a CEO to hit up a company for sensitive information.

That’s what happened to Snapchat, when an email came in to its payroll department, masked as an email from CEO Evan Spiegel and asking for employee payroll information.

Snapchat’s payroll department fell for it. Ouch.

Here’s a turn of that same type of screw: the Internal Revenue Service (IRS) last week sent out an urgent warning about a new tax season scam that wraps the CEO fraud in with a W-2 scam, then adds a dollop of wire fraud on top.

A W-2 is a US federal tax form, issued by employers, that has a wealth of personal financial information, including taxpayer ID and how much an employee was paid in a year.

This new and nasty dual-phishing scam has moved beyond the corporate world to target nonprofits such as school districts, healthcare organizations, chain restaurants, temporary staffing agencies and tribal organizations.

As with earlier CEO spoofing scams, the crooks are doctoring emails to make the messages look like they’re coming from an organization’s executive. Sending the phishing messages to employees in payroll or human resources departments, the criminals request a list of all employees and their W-2 forms.

The scam, sometimes referred to as business email compromise (BEC) or business email spoofing (BES), first appeared last year. This year, it’s not only being sent to a broader set of intended victims; it’s also being sent out earlier in the tax season than last year.

In a new twist, this year’s spam scamwich also features a follow-up email from that “executive”, sent to payroll or the comptroller, asking for a wire transfer to a certain account.

The wire transfer scam isn’t tax-related: it’s just hitching a ride on the tax-related W-2 scam. Some companies have been swindled twice: they’ve lost both employees’ W-2s and thousands of dollars sent out via the wire transfers.
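A detection sketch for the two-stage pattern described above, added here as an illustration and not taken from the IRS warning or the original article. The domain, executive name, keyword lists and sample messages are constructed assumptions, and the Reply-To check is an added heuristic.

```python
from email import message_from_string
from email.utils import parseaddr

# Assumed, constructed values: organization domain, executive names, keywords.
ORG_DOMAIN = "example.org"
EXECUTIVES = {"pat rivera"}
TERMS = {"w2": ("w-2", "w2", "wage and tax statement"),
         "wire": ("wire transfer", "wire the funds")}

def outside(addr):
    # True when an address is present and not on the organization's domain.
    return bool(addr) and not addr.lower().endswith("@" + ORG_DOMAIN)

def classify(raw):
    """Return (impersonated executive name or None, set of request kinds)."""
    msg = message_from_string(raw)
    name, addr = parseaddr(msg.get("From", ""))
    _, reply_to = parseaddr(msg.get("Reply-To", ""))
    body = " ".join(p.get_payload() for p in msg.walk()
                    if p.get_content_type() == "text/plain")
    text = (msg.get("Subject", "") + " " + body).lower()
    name = name.strip().lower()
    # Executive display name on mail that comes from, or replies to, an outside address.
    spoofed = name in EXECUTIVES and (outside(addr) or outside(reply_to))
    kinds = {k for k, terms in TERMS.items() if any(t in text for t in terms)}
    return (name if spoofed else None), kinds

def review(messages):
    """Scan messages in arrival order; return (executive, alert) pairs."""
    w2_seen, alerts = set(), []
    for raw in messages:
        who, kinds = classify(raw)
        if who is None:
            continue
        if "w2" in kinds:
            w2_seen.add(who)
            alerts.append((who, "w2-request"))
        if "wire" in kinds:
            alerts.append((who, "wire-after-w2" if who in w2_seen else "wire-request"))
    return alerts

# Constructed sample mailbox: two spoofed messages, then a genuine internal one.
SAMPLES = [
    "From: Pat Rivera <pat.rivera@examp1e-mail.test>\nSubject: Urgent\n\n"
    "Send me the list of all employees and their W-2 forms today.\n",
    "From: Pat Rivera <pat.rivera@examp1e-mail.test>\nSubject: Payment\n\n"
    "I need a wire transfer sent to this account this afternoon.\n",
    "From: Pat Rivera <pat.rivera@example.org>\nSubject: W-2 schedule\n\n"
    "W-2 forms go out to staff on Friday as planned.\n",
]
```

Keyword matching on plain-text bodies is only a triage signal; flagged messages still need a person to confirm the request with the executive through a separate channel.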

The IRS is telling organizations that receive the W-2 scam emails to forward them to Phishing IRS, with the subject line of “W2 Scam”.

If your business has already fallen for the scam, it can file a complaint with the Internet Crime Complaint Center (IC3), operated by the FBI. Employees whose W-2 forms have been stolen should review the actions recommended by the Federal Trade Commission or the IRS for identity theft.

The IRS says that employees should also file a Form 14039, Identity Theft Affidavit, if their own tax returns get rejected because of a duplicate Social Security number or if instructed to do so by the IRS.

How to sidestep the scam

But before you even get to the sad state of having to file a report about getting ripped off, it’s better to avoid falling for the bait in the first place.

Unfortunately, that’s getting tougher as crooks get more and more cunning. Case in point: the carefully crafted, well-disguised attack that led to the hacking of Clinton campaign chair John Podesta’s Gmail account. The attack relied on a shortened Bitly link to mask nefarious HTML code.

Screenshots of the Bitly link used against Podesta show that even the longer links hiding behind rigged Bitly links can be made to look, to an untrained eye, like they’re legitimate.

One step that can protect against phishing attacks is to pick proper passwords. Even though strong passwords don’t help if you’re phished (the crooks get the strong password anyway), they make it much harder for crooks to guess their way in.

Use two-factor authentication whenever you can. That way, even if the crooks phish your password once, they can’t keep logging back into your email account.

Also, consider using Sophos Home. The free security software for Mac and Windows blocks malware and keeps you away from risky web links and phishing sites.


The Southbourne Tax Group: BBB Offers Tips on Filing Taxes, Avoiding Fraud

While all working citizens should have had their W-2 form delivered by now, it’s important for taxpayers to take time and use caution when selecting a tax preparer they can trust.

It’s important to avoid mistakes that could result in additional fees or even tax identity theft.

Unfortunately, identity theft is not the only thing to watch out for when enlisting the help of a tax preparer or tax software to file your taxes. BBB receives thousands of complaints from consumers against tax preparers every year.

In 2016, BBB received nearly 3,000 complaints against tax preparation businesses nationwide.

Common complaints state that the tax preparer made errors in their return which resulted in fines and fees. Other complaints allege customer service, billing and contract issues.

BBB offers the following advice when searching for a tax preparer:

* Look for credentials. Ideally, your tax preparer should either be a certified public accountant, a tax attorney or an enrolled agent. All three can represent you before the IRS in all matters, including an audit.

* Don’t fall for the promise of a big refund. Be wary of any tax preparation service promising larger refunds than the competition. Avoid any tax preparer who bases their fee on a percentage of the refund.

* Think about accessibility. Many tax preparation services only set up shop for the months leading up to the April 15 deadline. In case the IRS finds errors, or in case of an audit, make sure you are able to contact your tax preparer at any time of the year.

* Read the contract carefully. Read tax preparation service contracts closely to ensure you understand issues such as how much the service is going to cost, how the cost will be affected if preparation is more complicated and time-consuming than expected, and whether the tax preparer will represent you in the case of an audit.

* Ask around. Ask family, friends or co-workers for recommendations on filing your taxes, whether it’s through a CPA, tax preparation business or online tax service that allows you to file your own taxes. To find a BBB Accredited tax preparation business near you, go to bbb.org.

Tax season is also a busy time for identity thieves. Tax identity theft occurs when someone uses your Social Security number to get a tax refund, or a job.

According to the Federal Trade Commission (FTC), tax identity thieves get your personal information in a number of ways, including: going through your trash or mailbox; through emails asking for information, which appear to come from the IRS; employees at hospitals, nursing homes, banks and other businesses stealing data; and phony or dishonest tax preparers misusing confidential information or passing it along to identity thieves.

To lessen the chances of becoming a victim of tax identity theft, the FTC has the following advice, whether you choose to file your return yourself or use a tax preparer:

* File your tax return early. And do it before identity thieves have a chance to steal your information. Also, make sure your address is up-to-date so your W-2 doesn’t get lost in the mail or end up in the wrong hands.

* Use a secure Internet connection. If you file your return electronically, don’t use unsecure, publicly available Wi-Fi hotspots.

* Shred documents. This includes copies of your tax return, drafts or calculation sheets you no longer need. The IRS recommends that most people keep three years’ worth of tax returns in case of an audit. Keep hard copies and electronic files in a secure location.

* Check your credit report. To ensure your identity hasn’t been stolen or compromised, go to annualcreditreport.com to get your free credit report.