Sarina

About Sarina Gandy

So far Sarina Gandy has created 112 blog entries.

Top 5 Tax Scams Targeted to Taxpayers

As people across the nation prepare to file their 2021 tax returns, cybercriminals are taking advantage by delivering new scams designed to steal personal information and money from unsuspecting victims. Internal Revenue Service (IRS) scams happen when someone who pretends to work for the IRS contacts you by phone, email, postal mail, or a text message. Thousands of people have lost millions of dollars as well as their personal information to tax scams, and it’s safe to assume that attackers will continue targeting individuals and businesses this year. Consider the following common scams and best practices to help protect yourself from falling victim to a tax-related scam this year.

Top 5 Tax Scams to Be Aware Of

1. SSN Scams


Taxpayers should be careful of new variations of tax-related scams. In the latest twist on a scam related to Social Security numbers, scammers claim to be able to suspend or cancel the victim’s SSN. Scammers may mention overdue taxes in addition to threatening to cancel the person’s SSN. If taxpayers receive a call threatening to suspend their SSN for an unpaid tax bill, they should just hang up.

Taxpayers should not give out sensitive information over the phone unless they are positive that the caller is legitimate. When in doubt, hang up. Here are some telltale signs of this scam. The IRS and its authorized private collection agencies will never:

  • Call to demand immediate payment using a specific payment method such as a prepaid debit card, iTunes gift card or wire transfer. The IRS does not use these methods for tax payments.
  • Ask a taxpayer to make a payment to a person or organization other than the U.S. Treasury.
  • Threaten to immediately bring in local police or other law-enforcement groups to have the taxpayer arrested for not paying.
  • Demand taxes be paid without giving the taxpayer the opportunity to question or appeal the amount owed.

Taxpayers who don’t owe taxes and have no reason to think they do should:

Taxpayers who owe tax or think they do should:

  • View tax account information online at IRS.gov to see the actual amount owed and review their payment options.
  • Call the number on the billing notice.
  • Call the IRS at 800-829-1040.

2. Phone Scams

With the new tax season starting, the IRS reminds taxpayers to be aware that criminals continue to make aggressive calls posing as IRS agents in hopes of stealing taxpayer money or personal information.

Here are some telltale signs of a tax scam along with actions taxpayers can take if they receive a scam call.

The IRS will never:

  • Call to demand immediate payment using a specific payment method such as a prepaid debit card, gift card or wire transfer. Generally, the IRS will first mail a bill to any taxpayer who owes taxes.
  • Threaten to immediately bring in local police or other law enforcement groups to have the taxpayer arrested for not paying.
  • Demand that taxes be paid without giving taxpayers the opportunity to question or appeal the amount owed.
  • Call unexpectedly about a tax refund.

Taxpayers who receive these phone calls should:

  • Record the number and then hang up the phone immediately.
  • Report the call to the Treasury Inspector General for Tax Administration (TIGTA) using their IRS Impersonation Scam Reporting form or by calling 800-366-4484.
  • Report the number to phishing@irs.gov and be sure to put “IRS Phone Scam” in the subject line.

3. Impersonation email scams targeting university students and staff


The IRS warned of an ongoing IRS-impersonation scam that appears to primarily target educational institutions, including students and staff who have “.edu” email addresses. The IRS has received complaints about the impersonation scam in recent weeks from people with email addresses ending in “.edu.” The phishing emails appear to target university and college students from both public and private, profit and non-profit institutions.

The suspect emails display the IRS logo and use various subject lines such as “Tax Refund Payment” or “Recalculation of your tax refund payment.” They ask people to click a link and submit a form to claim their refund.

The phishing website requests taxpayers provide their:

  • Social Security number
  • Name
  • Date of Birth
  • Prior Year Annual Gross Income (AGI)
  • Driver’s License Number
  • Electronic Filing PIN
  • And other personally identifiable information

People who receive this scam email should not click on the link in the email, but they can report it to the IRS. For security reasons, save the email using “save as” and then send that attachment to phishing@irs.gov or forward the email as an attachment to phishing@irs.gov.

Taxpayers who believe they may have provided identity thieves with this information should consider immediately obtaining an Identity Protection PIN. An IP PIN is a six-digit number that helps prevent identity thieves from filing fraudulent tax returns in the victim’s name.

Taxpayers who attempt to e-file their tax return and find it rejected because a return with their SSN already has been filed should file a Form 14039, Identity Theft Affidavit, to report themselves as a possible identity theft victim. See Identity Theft Central to learn about the signs of identity theft and actions to take.

4. Ghost tax return preparers


As people begin to file their 2021 tax returns, taxpayers are reminded to avoid unethical ghost tax return preparers.

A ghost preparer is someone who doesn’t sign tax returns they prepare. Unscrupulous ghost preparers often print the return and have the taxpayer sign and mail it to the IRS. For e-filed returns, the ghost will prepare but refuse to digitally sign as the paid preparer.

Ghost tax return preparers may also:

  • Require payment in cash only and not provide a receipt.
  • Invent income to qualify their clients for tax credits.
  • Claim fake deductions to boost the size of the refund.
  • Direct refunds into their bank account, not the taxpayer’s account.

By law, anyone who is paid to prepare or assists in preparing federal tax returns must have a valid Preparer Tax Identification Number (PTIN). Paid preparers must sign and include their PTIN on the return. Not signing a return is a red flag that the paid preparer may be looking to make a quick profit by promising a big refund or charging fees based on the size of the refund.

It’s important for taxpayers to choose their tax return preparer wisely. The Choosing a Tax Professional page on IRS.gov has information about tax preparer credentials and qualifications. The IRS Directory of Federal Tax Return Preparers with Credentials and Select Qualifications can help identify many preparers by type of credential or qualification.

No matter who prepares their return, taxpayers should review it carefully and ask questions about anything that’s not clear before signing. They should verify their routing and bank account number on the completed tax return for any direct deposit refund. Taxpayers should watch out for ghost preparers putting their bank account information on the returns.

Taxpayers can report preparer misconduct using IRS Form 14157, Complaint: Tax Return Preparer. If a taxpayer suspects a preparer filed or changed their tax return without their consent, they should file Form 14157-A, Tax Return Preparer Fraud or Misconduct Affidavit.

5. “Tax Transcript” email scam


The Internal Revenue Service and Security Summit partners recently warned the public of a surge of fraudulent emails impersonating the IRS and using tax transcripts as bait to entice users to open documents containing malicious software, also known as malware.

The scam is especially problematic for businesses whose employees might open the malware because it can spread throughout the network and take months to remove.

This well-known malware, known as Emotet, generally poses as specific banks and financial institutions to trick people into opening infected documents. However, in the past few weeks, the scam masqueraded as the IRS, pretending to be from “IRS Online.” The scam email carries an attachment labeled “Tax Account Transcript” or something similar, and the subject line uses some variation of the phrase “tax transcript.”

The IRS reminds taxpayers it does not send unsolicited emails to the public, nor would it email a sensitive document such as a tax transcript, which is a summary of a tax return. The IRS urges taxpayers not to open the email or the attachment. If using a personal computer, delete or forward the scam email to phishing@irs.gov. If you see these while using an employer’s computer, notify the company’s technology professionals.

The United States Computer Emergency Readiness Team (US-CERT) issued a warning in July about earlier versions of Emotet in Alert (TA18-201A) Emotet Malware.

US-CERT has labeled the Emotet Malware “among the most costly and destructive malware affecting state, local, tribal, and territorial (SLTT) governments, and the private and public sectors.”

Source: Tax Scams / Consumer Alerts | Internal Revenue Service

Top 5 Tax Scams Targeted to Taxpayers | 2022-02-28T18:01:28-05:00

Staying Secure on Mobile Devices

Cell phones have come a long way in the past two decades. From the first PDA to flip-phones, technological progress seemed to be slow and steady until the market was disrupted in 2007. Once smart phones were on the scene, everything about mobile devices rapidly changed. Nowadays, mobile devices are at an all-time high for popularity and functionality. Unfortunately, this meteoric rise in capabilities and access has led to a corresponding increase in cybersecurity risks and threats. With a tool as broadly used as cell phones, almost the entire population is at risk.

Cybercriminals have been targeting mobile devices at an unprecedented rate. Threat actors have exploited the fact that mobile devices now have capabilities comparable to those of personal computers. Threats that were once relegated to enterprise workstations now plague the mobile ecosystem, causing great financial loss each year. With cybersecurity, knowledge is power. We hope that this blog can expose readers to the threats and preventative measures in mobile device usage.

In order to better understand ways to protect oneself from these risks, we need to take a look at some of the threats that face the everyday mobile device user.

Malware for Mobile Devices

Most mobile devices contain application stores with a “closed ecosystem.” This method of obtaining new software allows certification teams to verify the integrity of applications before allowing users to download. In theory, this process would prevent all but the most subtle malware from infecting non-jailbroken devices. The reality is that this process is overwhelmed by the sheer quantity of applications, updates, and re-releases on the respective application stores. This ecosystem is closed only in the sense that profits must be shared with the providing host. Malware can and will make its way onto application stores.

Unsecured Wi-Fi and Mobile Access

Wi-Fi is rarely as safe as most people believe, especially in regard to mobile devices. By constantly being “on the move”, mobile devices are faced with a unique challenge of interacting with a huge array of mobile hotspots and wireless access points. Disregarding the more advanced risks associated with poorly configured wireless access, a major threat to all mobile users is the risk of a “Man in the Middle Attack.” This attack is essentially somebody spoofing the access point that you intended to connect to and reading (and potentially editing) all unencrypted traffic that is being sent or received on your device.

Phishing Attacks

Phishing attacks have reached a critical mass for severity. At a certain point, an attack method becomes so successful and easy to execute that other, more advanced attacks begin to fall out of favor. Phishing is extra relevant to mobile devices due to the “on the go” nature of mobile device usage. Our assumption is that the average person is less careful when clicking links on mobile since they believe that their phones are immune to viruses. While a large portion of malware in emails might not affect the mobile devices, there are still countless other risks associated with phishing that apply to mobile devices.

Spyware and Mobile Botnets

Spyware is a form of malware that monitors activity on a device and reports back to a centralized location. Spyware is extremely common on less-than-reputable mobile applications because it can go unnoticed while delivering constant data to cybercriminals. This data can then be used to do things such as form malicious advertisement campaigns, take over accounts, or perform corporate espionage. A similar type of attack can infect your device with software that allows attackers to perform their attacks using your mobile device resources; a group of devices infected this way is generally called a mobile botnet.

Stolen Devices

The most obvious “attack” of all, simply stealing a mobile device, presents a massive cybersecurity threat. Many users find PINs and passwords inconvenient and cumbersome, allowing attackers to gain easy access to a device that they have stolen. All sorts of data can be taken from stolen mobile devices, and all sorts of nefarious actions can be carried out with them.

Now that we have looked at some of the most common attacks, what can we do to protect against these threats?

Watch What You Download

When downloading applications from sanctioned sources, be sure to check reviews and version update notes. Excessive permissions are also a cause for concern – if your timer application requires access to core system files, there may be a problem. Try to download apps that are “popular,” with a high number of downloads and positive reviews. This will not help against all spyware and malware, but it should reduce the risk. Never use jailbroken devices or unofficial application sources unless you are extremely familiar with the risks and willing to do extra research and invest in security software. Mobile anti-virus is gaining popularity – these tools can help provide an additional layer of defense but should never be a replacement for common sense.

Use Familiar Networks

Traveling with a mobile device is a given. Be sure to triple-check all connections that you are trusting with your device – wireless access point spoofing attacks often impersonate popular connection locations such as airports or hotels. If you notice something strange about the signal quality, naming convention, or even number of available networks then it is best to ask a staff member what the proper network is for connectivity. When utilizing public Wi-Fi, never type any credentials into websites or applications that are not encrypted.

Use Passwords, PINs, and Multi-Factor Authentication

We understand the fact that passwords, PINs, and MFA can be a nuisance. But the amount of time spent recovering from a successful attack or stolen device can greatly outweigh the entire sum of extra time spent entering a PIN on your device. Keeping devices locked can greatly reduce the risks associated with a stolen device. Equally important is keeping your accounts secured with Multi-Factor Authentication. Your phone will generally be your “second factor,” so keep it safe.

Keep Your Phone Up to Date

Patches, patches, patches. Keeping a device patched can generally feel like an endless battle with slow downloads and inconvenient restarts. However, the reason patches are deployed is generally to fix bugs that can lead to massive security risks. Keeping a device updated reduces the chances of falling victim to an attack by a staggering amount. Check your app stores and system settings for updates on a regular basis to stay ahead of the attackers.

Learn How to Detect Phishing

Awareness is the best prevention. Phishing will likely be the most drastic threat faced by most mobile device users. When a company or personal email receives a phishing attack, there are a few signs that you can look for in order to reduce your chances of falling victim. Check that you are familiar with the contact and sender – if the address doesn’t look right, it probably isn’t right. Look for typos or grammar mistakes within the emails as these are very common in phishing. Most importantly – never click a link or reply to an email without taking the time to verify the details surrounding the email. Security awareness training is available through a huge variety of sources – look into phishing awareness to help prevent yourself from falling victim to this extremely common attack.

Mobile devices are powerful tools that have enabled drastically improved productivity within organizations. With proper usage and dedicated cybersecurity awareness, these devices can be a safe and efficient tool. Practice proper cybersecurity hygiene and avoid taking shortcuts when utilizing your phone.


We are pleased to share this guest post from Scarlett Cybersecurity, a Florida-based leading cybersecurity provider whose mission is to simplify cybersecurity for organizations of all sizes. To learn more about Scarlett Cybersecurity, visit www.scarlettcybersecurity.com.

Staying Secure on Mobile Devices | 2022-10-27T11:06:04-04:00