Tax Season Advisories Released on Top Risks & Tips for Credit Union Members

With virus fears dominating the news, it is easy to overlook tax season risks. For cybercriminals, it is the perfect time to deceive taxpayers, your credit union and members out of money and valuable financial data.

“Hackers are getting more sophisticated in their attempts to trick and steal leading up to Tax Day. In recent weeks, AppRiver reported that a tax-themed phishing attack is already underway. Attackers have posed as the popular global human capital company, Automatic Data Processing (ADP), and are trying to reach users to tell them their W-2 is ready,” Bryan Becker, product manager for the San Jose, Calif.-based WhiteHat Security, wrote in a company blog post.

Becker added links in the email lead users to domains registered that day, and ask for users’ ADP login credentials. From there, malicious hackers use those credentials to log into the real ADP portal and attempt to alter direct deposit forms and redirect funds to a fraudulent account. They may also find tax documents to file a phony tax return and steal the user’s tax refund, or just gain access to their banking information.

Another email campaign, which was recently discovered, simply instructed users that their signed W-9 tax form is ready. Clicking the attachment directed them to Microsoft Word, which then asks them to “enable content,” which then infects their computer with the Emotet Trojan, a kind of malware initially intended as a banking Trojan designed to steal financial data.

In one more tax-related incident, last year TurboTax experienced a non-breach data incident that provided a lesson on password reuse and the danger it presents after hackers accessed tax-return information using stolen credentials from another source. Hackers used a method called credential stuffing. in which they used login information from previous data breaches to gain access to TurboTax user accounts.

WhiteHat Security, which provides application security, offered tips to help credit union members protect their information during tax season:

• File taxes early. Most taxpayers file their returns within the last possible weeks or days before the deadline, but those that file early leave a smaller window of opportunity for hackers.
• Power up passwords. “One of the simplest, and most often overlooked, lines of defense against cybercriminals is password strength.” Despite being fair-warned time and again, many Americans have simply ignored expert guidance, but it is never too late to amp up their password game. Do not reuse the same password on multiple websites, create passwords that are long (16 characters) and impossible to guess, change passwords routinely, consider using an encrypted password management tool that generates random passwords for you and utilize multi-factor authentication whenever available,
• Be suspicious of financial emails and their attachments. It’s important to remember that the IRS will never initiate contact with individuals through email, text or social media to request personal or financial information from taxpayers. Watch out for emails that appear to be from a trusted banking, accounting or financial source and contain an urgent message or instructions. If it’s questionable, do not click links, download software or apps from within the email or in pop-up ads.
• Maintain strong security practices on your computer. Use security software that updates automatically, along with encryption programs to protect sensitive digital data. Users should also take advantage of multi-factor authentication as often as possible and always backup files.
• Sign up for scam alerts. Staying aware of new scams will strengthen defenses. The FTC offers consumer email alerts as they uncover new scams, many which are related to filing taxes.

The IRS continued to warn taxpayers of the threats, ID theft, scams and schemes by issuing a number of alerts over the past year about the fraudulent use of the IRS name or logo by scammers. The IRS reported phishing as one of the most common forms of scam during tax season.