IRS Building tax fraud
A look a the Internal Revenue Service Building. Reuters/Jonathan Ernst

Leave it up to cybercriminals to make the already miserable process of filing taxes even worse. Now that tax season is upon us hackers and international grifters are using a variety of scam methods to separate Americans from their annual return from the Internal Revenue Service. The good news is that there’s ways to avoid falling into those traps.

A number of reports from the IRS and Federal Trade Commission in the past two weeks have made it clear that criminals are trying to access the tax records of Americans. This year the most popular attack method is phone scamming, when thieves impersonating IRS agents call taxpayers and try to scare them into sending an immediate payment. The most recent numbers from the IRS say at least 4,550 victims have paid over $23 million to fraudsters since October 2013, though many more have likely been affected.

“It seems like this has been going on forever,” said J. Paul Haynes, CEO of cybercrime detection company eSentire. “What’s old is new again, though …. and this is a hard crime for police to investigate because attackers hit people in so many jurisdictions."

Hang Up the Phone

The typical 2016 scam, so far, begins with an unsolicited call from what appears to be a Washington D.C. number. Victims reported picking up the phone to hear accents from India or the Middle East, where scammers are known to congregate in internet cafes where they can disguise their phone number. From there, the caller threatens to arrest the victim unless they send thousands of dollars, often into Bank of America accounts.

The IRS says it will never call taxpayers to demand an immediate payment without first sending a bill in the mail, and it won't require taxpayers to pay in a particular way (like with a debit card, for example) or threaten to involve law enforcement.

Other attacks have exploited weak computer security. Phishing, when hackers disguise malware-laced email as a legitimate message, remains a favorite tactic among cybercriminals. Phishing emails have a better chance of success when they mimic messages from reputable organizations that actually do ask for users' financial information.

“When legitimate businesses send you so much mail and email it does become hard to determine what’s real and what’s not,” said Shaun Murphy, creator of the encrypted messaging app SNDR. “But we’re also seeing a rise in SMS attacks or from messaging apps where the there’s no way for you to identify who’s the person who’s threatening you and sending you a link. When most people see an official website they tend to fall for that.”

Senior Citizens Vulnerable

Elderly populations are notoriously vulnerable to these kinds of attacks. They’re often home when the phones rings, are not familiar with recent criminal trends and may be more willing to trust a caller masquerading as an IRS agent. Criminals typically prey on that by researching their victim first, then using that research to boost a person’s trust.

“Typically they have enough information to remain credible,” said Haynes. “And they’re typically dealing with unsophisticated folks. Most people working in a corporate atmosphere have at least some level of training, but I worry about my mother.”

Who's Putting You at Risk?

Criminals use a range of tactics to identify their victims. Some research fraud targets by hand, scouring the web for a victim who might be easy to dupe. But every year, researchers say, there’s more evidence dark net data brokers are using underground forums to buy and sell consumer data stolen as part of a major data breach like the one against Anthem health insurance, which impacted 78.8 million people.

“Last year, when tens of millions of Anthem health records were compromised, there was a huge volume of fraud,” Haynes said.

Other major breaches, most notably the Ashley Madison data dump last August, have resulted in fraud and extortion attempts. Nervous taxpayers can try to predict if they’re a target for fraud by entering their email address into sites like HaveIBeenPwned.com, which quickly searches through breach databases to find out if the relevant email is included.

That’s not always easy, especially when users find out their information has been hacked as part of a breach on a site they signed up to use once.

Healthcare providers have become notorious for spewing customer data, though cybersecurity experts say it’s not so difficult to get a better idea of the path their data has taken. From there they can use that data find out which of those companies were hacked, and thus if the data is available on the black market.

“Just make a formal data request at any hospital you’ve visited,” said John Kuhn, a researcher at IBM’s X-Force cybersecurity team. “You can request your electronic records from any organization that have it and examine them [for accuracy and data breaches]. People need to defend their data like they defend anything else.”