Who would not welcome an email about an unexpected refund from the Internal Revenue Service? How about taxpayers interested in protecting their identities against theft?
“We first began seeing a large number of phony IRS e-mails last year,” says Nancy Mathis, an IRS spokesperson in Washington, D.C.
Most of these emails (a sample is posted on the IRS Web site) ask recipients to click through a provided link to verify their identities. Those taking the bait land on a site resembling the IRS. Once there, they are asked for personal and financial information.
“The IRS simply does not initiate contact with taxpayers by e-mail. Nor would we ask for financial information,” says Mathis. Think about it. Why would they? The IRS already has Social Security numbers and knows every law-abiding taxpayer’s financial life story.
When the IRS needs to contact a taxpayer, it does so in writing and sometimes by phone. “But if there is any doubt about the legitimacy of any contact,” says Mathis, “Taxpayers should call our customer service line at 1-800-829-1040.”
In addition to phishy emails— which the IRS would appreciate recipients forward to phishing@irs.gov — Mathis warns taxpayers to be wary of phishy online tax preparers and advice Web sites promising an increased refund or claiming individuals can file without paying taxes. Such promises are not just too good to be true, they are likely lures placed by ‘Net phishermen.
“People should treat Web sites the way they treat their non-web encounters,” she continues. “If you are going to a tax preparer, you would check them out first. The same holds true with a tax Web site. Don’t just give your personal information to anyone who asks.”
While the IRS pursues those taking its name in vain, Mathis admits, “It seems like as soon as we shut one site down another one pops up.”
“Thieves are smart,” says Gary Morse, president of Razorpoint Technologies, Inc, a New York security consulting firm. And as the filing deadline looms they know taxpayers are more preoccupied with getting their returns done and receiving their refunds than with the security of their data.
“For instance, you really don’t want to be working on your return online at an Internet café,” he advises. Open access locations make it relatively easy for a hacker to capture keystrokes and steal data. Though Morse observes that really good hackers are much more likely to go to the tax Web sites when stealing data, not to a single computer. “It is like picking a pocket when they could be robbing a bank.”
This is why he warns the real key to remaining safe online is in knowing how safe data being sent is once received at the other end of an exchange, whether that exchange is with a do-it-yourself site, the IRS or a traditional preparer.
“Make sure the address for the page you are entering information on reads ‘https://’ as opposed to ‘http://,’” he advises. That extra "s" along with the "lock" symbol located along the bottom of a secure Web page signifies the transmission is encrypted.
But he adds, while securing data transmissions helps, it should not end security concerns, “You need to know where the data goes and how it is stored. Many companies simply are not doing the right thing with the electronic data they receive.”
The "right" thing includes storing client data in encrypted form in the company database, then backing it up and removing it from the online system. “Data should be transferred to offline databases, where it is retrievable but not on an outward facing database.”
But how does a taxpayer or any consumer know what an e-commerce site is doing to protect its data? “Read their disclosures or ask,” suggests Morse. And do not stop at the mention of such reassuring words like "firewall," "SSL" and "encryption."
“We call it buzzword bingo. Many sites have the right products in place, but it does not mean they have the right processes in place. Every site has a firewall and encryption, yet over 150 million records have been stolen since 2005 according to the Privacy Rights Clearinghouse,” says Morse, although he noted none on this list of large-scale breaches involved tax files as of yet.
“A lot of tax preparers are still old-school. They have a lot of paper in their offices,” says Cindy Hockenberry, an enrolled agent and tax information analyst with the National Association of Tax Preparers in Appleton, Wis. “I have never heard of a tax preparer’s office being broken into for the purpose of identity theft.” Those offices are typically protected with alarm systems and locks, she adds. “And many preparers are also putting information on CDs offsite, under lock and key.” If they are also receiving electronic data, she assumes similar care is being taken to secure it.
But with more taxpayers going online for tax prep help and to file than ever before, a little extra caution, and some extra questions are in order to prevent sensitive information from getting caught up in some phisher’s net.
To help consumers choose wisely when giving access to their financial identities and data, Hockenberry suggests:
- Get references: Ask friends and family whom they rely on for tax services.
- Check with Better Business Bureau to make sure no complaints have been filed.
- Verify the preparer is not on the IRS’ published list of unscrupulous preparers.
- Ask about experience, educational background and for professional affiliations.
- Find out if they open all year, or disappear when the tax deadline passes.
- Make sure the preparer signs the tax return.