Scammers will exploit any holiday and season in pursuit of profit, and tax season has historically been one of those times when people fall victim to fraudsters. While the targets of tax season fraud are largely individuals, online tax providers and other e-commerce businesses are also at risk.
Not all hackers use the same attack methods, but fraudsters are known to be lazy and fall back on the same tried-and-true methods that have worked for them before.
“While it’s not unusual for a user to access an online tax service from a new location or a new device, the combination of the two should trigger an alert for the provider to investigate potentially suspicious activity,” said Adrien Gendre, chief solution architect at Vade Secure.
Additionally, online providers should be wary if they receive requests to update bank details. Gendre noted that fraudsters will make such requests so that the returns are deposited into a fake account. “While they may be valid, it’s best to err on the side of caution and confirm them through another channel (e.g. email, SMS).”
Implementing DMARC, the email authentication protocol, allows providers to access reports that detail any unauthorized use of their domain by senders, but Gendre warned that such reports don’t always reveal the full picture because hackers eschew exact domain spoofing in favor of harder-to-detect cousin domains (e.g. turbo-tax.com, turbotaxpremium.com).
Because credit card payments are a prime target of tax-season phishing and email scams, it’s important to think about the ways in which hackers harvest credentials. “If hackers harvest credentials to an online tax service, they access a treasure trove of personal information (name, address, telephone, social security number, etc.). This information can then be used to open new accounts with other providers.”
Online tax services in particular, and e-commerce providers in general, should also be on the lookout for fraudulent usage of their brand, which Gendre said comes in many forms including emails, web pages and phishing kits.
While there is no silver bullet, Gendre said that educating users is a proactive strategy to protect against fraud. “Set up and monitor abuse feedback channels that enable users to report suspicious emails or URLs. Sign up for a free service like www.IsItPhishing.AI Brand Alerts to identify new phishing pages targeting your brand. Use these alerts to initiate takedown requests with the hosting provider.”
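One way to triage URLs arriving through the abuse feedback channel described above for the cousin domains Gendre mentions, as an added example that is not code from the article, Vade Secure or IsItPhishing.AI: the brand token, the owned domains and the reported URLs are constructed assumptions, and the check goes beyond the article's two cases (hyphen insertion, brand plus extra word) by also folding in digit look-alikes and one-character typos.

```python
"""Flag cousin domains in user-reported URLs so they can be queued for takedown."""
from difflib import SequenceMatcher
from urllib.parse import urlsplit

BRAND = "turbotax"                                       # brand token to protect (assumed)
LEGIT_DOMAINS = {"turbotax.com", "turbotax.intuit.com"}  # hypothetical domains the provider owns
HOMOGLYPHS = str.maketrans("013457", "oleast")           # digits commonly used as letter look-alikes

# Constructed sample of URLs a user might submit via an abuse channel.
REPORTED_URLS = [
    "https://turbo-tax.com/login",          # cousin from the article: hyphen inserted
    "http://turbotaxpremium.com/refund",    # cousin from the article: brand + extra word
    "https://turbotax.com/myaccount",       # legitimate
    "https://secure.turbotax.intuit.com/",  # legitimate subdomain of an owned domain
    "https://turb0tax-refunds.net/claim",   # constructed: digit substitution + extra word
    "turbotx.com",                          # constructed: one-character typo, no scheme
    "https://example.org/news",             # unrelated
]

def hostname(url: str) -> str:
    """Extract the lowercase host; tolerate reports pasted without a scheme."""
    if "://" not in url:
        url = "http://" + url
    return (urlsplit(url).hostname or "").rstrip(".")

def is_legitimate(host: str) -> bool:
    """True for an owned domain or any subdomain of one."""
    return any(host == d or host.endswith("." + d) for d in LEGIT_DOMAINS)

def normalize(label: str) -> str:
    """Collapse hyphens and digit look-alikes so turbo-tax / turb0tax compare as turbotax."""
    return label.lower().replace("-", "").translate(HOMOGLYPHS)

def classify(url: str) -> str:
    host = hostname(url)
    if not host:
        return "invalid"
    if is_legitimate(host):
        return "legitimate"
    labels = host.split(".")
    # Naive registrable label (left of the TLD); production code should use the Public Suffix List.
    label = labels[-2] if len(labels) >= 2 else labels[0]
    core = normalize(label)
    if BRAND in core or SequenceMatcher(None, core, BRAND).ratio() >= 0.85:
        return "cousin"
    return "unrelated"

def takedown_queue(urls):
    """Return cousin hosts, deduplicated, in first-seen order, for takedown requests."""
    queue = []
    for url in urls:
        host = hostname(url)
        if classify(url) == "cousin" and host not in queue:
            queue.append(host)
    return queue
```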