FRAUD & SCAMS
December 4, 2018
The IRS urges everyone with any type of online account to review new, stronger standards to protect their passwords. Doing so will help protect against savvy cybercriminals who wants to access people’s accounts and steal their identities.
Here are three steps people can follow to build a better password:
Step 1: Leverage powers of association. People can identify associated items that have personal meaning and use them in their passwords.
Step 2: Make unique associations. Passphrases should be words that can go together in your head, but no one else would ever suspect.
Good example: Items in a living room such as BlueCouchFlowerBamboo.
Bad example: Names of children or pets.
Step 3: Create a passphrase that you can picture in your head. The key is to create a passphrase that is hard for a cybercriminal to guess, but easy for the user to remember.
In addition to creating strong passwords, people can:
Use a different password or passphrase for each account. People can consider using a password manager if necessary for multiple accounts.
Use multi-factor authentication whenever possible. They should not rely on the passphrase alone to protect sensitive data. Multi-factor authentication means returning account holders need more than just their username and password to access an account. They also need, for example, a security code sent as text to a mobile phone.
Change all factory-set passwords. They should do this for wireless devices such as printers and routers.
December 4, 2018
Data thieves don’t take a break during the holidays. In fact, the IRS warns taxpayers that the agency is seeing a large increase in bogus email schemes that seek to steal money or tax data.
The most common way for cybercriminals to steal money, bank account information, passwords, credit cards and Social Security numbers is to simply ask for them. Every day, people fall victim to phishing scams or phone scams that cost them their time and their cash.
Here are a few steps taxpayers can take to protect against phishing and other email scams. When reading emails, people should:
Be vigilant and skeptical. Never open a link or attachment from an unknown or suspicious source. Even if the email is from a known source, the recipient should approach with caution. Cybercrooks are good at acting like trusted businesses, friends and family. This even includes the IRS and others in the tax business.
Double check the email address. Thieves may have compromised a friend’s email address. They might also be spoofing the address with a slight change in text. For example, using instead of firstname.lastname@example.org. Merely changing the “m” to an “r” and “n” can trick people.
Remember that the IRS doesn't initiate spontaneous contact with taxpayers by email to ask for personal or financial information. This includes asking for information via text messages and social media channels. The IRS does not call taxpayers with aggressive threats of lawsuits or arrests.
Not click lick on hyperlinks in suspicious emails. When in doubt, users should not use hyperlinks and go directly to the source’s main web page. They should also remember that no legitimate business or organization will ask for sensitive financial information by email.
Use security software to protect against malware and viruses found in phishing emails. Some security software can help identity suspicious websites that are used by cybercriminals.
Use strong passwords to protect online accounts. Experts recommend the use of a passphrase, instead of a password, use a minimum of 10 digits, including letters, numbers and special characters.
Use multi-factor authentication when offered. Two-factor authentication means that in addition to entering a username and password, the user must enter a security code This code is usually sent as a text to the user’s mobile phone. Even if a thief manages to steal usernames and passwords, it’s unlikely the crook would also have a victim’s phone.
Report phishing scams. Taxpayers can forward suspicious emails to email@example.com.
December 3, 2018
The IRS reminds holiday shoppers to protect their tax and financial data from identity thieves. All it takes is a few extra steps to prevent cybercriminals from stealing sensitive data, such as financial account information, Social Security numbers, and credit card information. Thieves could use this data to file a fraudulent tax return in 2019.
This tip is part of National Tax Security Awareness Week. The IRS is partnering with state tax agencies and its partners in the Security Summit to remind to taxpayers and tax professionals about the importance of protecting data.
Cybercriminals want to turn stolen data into quick cash. They do this by draining financial accounts, charging credit cards, creating new credit accounts or even using stolen identities to file a fraudulent tax return for a refund.
Here are seven steps taxpayers can follow to help protect their accounts and their money:
Avoid unprotected Wi-Fi. Unprotected public Wi-Fi hotspots may allow thieves to view transactions.
Shop at familiar online retailers. Generally, sites using the “s” designation in “https” at the start of the URL are secure. User can also look for the “lock” icon in the browser’s URL bar. That said, some thieves can get a security certificate, so the “s” may not always vouch for the site’s legitimacy. Beware of purchases at unfamiliar sites or clicks on links from pop-up ads.
Learn to recognize and avoid phishing emails. Thieves send these emails, posing as a trusted source, such a financial institution. or the IRS. The criminal’s goal is to entice users to open a link or attachment. The link may take users to a fake website that will steal usernames and passwords. An attachment may download malware that tracks keystrokes.
Keep a clean machine. This applies to computers, phones and tablets. Taxpayers should use security software to protect against malware that may steal data and viruses that may damage files.
Use passwords that are strong, long and unique. Experts suggest a minimum of 10 characters but longer is better. People should also avoid using a specific word in the password. They should also use a combination of letters, numbers and special characters.
Use multi-factor authentication when available. This means users may need a security code, usually sent as a text from a financial institution or email provider to a mobile phone. People use this code in addition to usernames and passwords.
Encrypt and password-protect sensitive data. If keeping financial records, tax returns or any personally identifiable information on computers, this data should be encrypted and protected by a strong password.
Tax Transcript Email Scam Alert
Taxpayers should be aware of a new round of fraudulent emails that impersonate the IRS and use tax transcripts as bait to entice users to open documents containing malware. The scam is especially problematic for businesses whose employees might open the emails infected with malware as it can spread throughout the network and may take months to remove.
This well-known malware, which is called Emotet, typ[ically tricks people into opening infected documents by posing as specific banks and financial institutions. However, in the past few weeks, the scam has masqueraded as the IRS, pretending to be from "IRS Online." Many of these malicious Emotet emails were recently forwarded to firstname.lastname@example.org.
The scam email carries an attachment labeled "Tax Account Transcript" or something similar, and the subject line uses some variation of the phrase "tax transcript." The exact wording often changes with each version of the malware.
Taxpayers should remember that the IRS does not send unsolicited emails to the public, nor would it email a sensitive document such as a tax transcript (a summary of a tax return). Taxpayers receiving a suspicious email are urged not to open the email or the attachment. If using a personal computer, delete or forward the scam email to email@example.com. If you see these types of emails when using an employer's computer, notify your company's internet technology (IT) department immediately.
In July, the United States Computer Emergency Readiness Team (US-CERT) issued a warning in July about earlier versions of the Emotet, which it has called one of the most costly and destructive malware affecting the private and public sectors.