Security Awareness

By now most people know at least one of the security issues out there: identity theft, scamming, phishing, hacking, etc. This section of our web site is to keep you informed in what’s out there and how to keep your identity and personal information safe.

SECURITY REMINDERS

  • Always use security software with a firewall and anti-virus protection and be sure the security software is always turned on and can automatically update. Never download “security” software from a pop-up ad. A popular pop-up ad is one that indicates it has detected a virus on the computer and directs you to download a security software package. Don’t do it! It most likely will install some type of malware. Reputable security software companies do not advertise their product like this.
  • Encrypt sensitive files such as tax records that are stored on the computer. Use strong passwords. The longer the password, the tougher it is to crack. Don’t use the same password for all of your accounts. If the password is stolen, it can be used to break into multiple accounts. Don’t share passwords on the phone, in texts or by email. Legitimate companies WILL NOT send messages asking for passwords.   Keep your passwords in a secure place.
  • Learn to recognize and avoid phishing emails, threatening phone calls and texts from thieves posing as legitimate organizations such as banks, credit card companies and government organizations, including the IRS. Do not click on links or download attachments from unknown or suspicious emails.
  • Protect personal data. Don’t routinely carry a Social Security card, and make sure tax records are secure. Treat personal information like cash; don’t hand it out to just anyone. The easiest way for criminals to steal sensitive data is simply to ask for it. Social Security numbers, credit card numbers, bank and utility account numbers can be used to steal money or open new accounts. Every time a taxpayer receives a request for personal information, they should think about whether the request is truly necessary. Scammers will do everything they can to appear trustworthy and legitimate.
  • Back up files. No system is completely secure. Copy important files, including federal and state tax returns, onto a removable disc or a back-up drive, and store it in a safe place. If storing sensitive tax and financial records on a personal computer, use a file encryption program to add an additional layer of security.

IRS DIRECT DEPOSIT

Receiving your tax refund by direct deposit is easy, safe and fast.

1. Fast. The quickest way for taxpayers to get their refund is to electronically file their federal tax return and use direct deposit.

2. Secure. Since refunds go right into a bank account, there’s no risk of having a paper check stolen or lost in the mail. This is the same electronic transfer system used to deposit Social Security and Veterans Affairs benefits into millions of accounts.

3. Convenient. There’s no need to wait for a refund check to come in the mail.

4. Easy. Choosing direct deposit is easy. Simply supply your tax preparer with the bank account information.

IS IT THE IRS OR IS IT A SCAM?

Scams continue to use the IRS as a lure. These tax scams take many different forms. The most common scams are phone calls and emails from thieves who pretend to be from the IRS. Scammers use the IRS name, logo or a fake web site to try and steal money and even identity from taxpayers.

Phone Calls: Taxpayers need to be very cautious of phone calls or automated messages from someone who claims to be from the IRS. Often these criminals will tell the taxpayer he/she owes money. They also demand payment right away. Other times scammers will lie to a taxpayer and say they are due a refund. The thieves ask for a bank account information over the phone. The IRS warns taxpayers NOT to fall for these scams.

IRS employees will NOT:

  • Call demanding immediate payment. The IRS will not call the taxpayer without first sending a bill in the mail.
  • Demand payment without allowing the taxpayer to question or appeal the amount owed.
  • Require the taxpayer pay their taxes a certain way. For example, demand taxpayers use a prepaid debit card or iTunes card.
  • Ask for credit or debit card numbers over the phone.
  • Threaten to contact local police or similar agencies to arrest the taxpayer for non-payment of taxes.
  • Threaten legal action such as a lawsuit.

If a taxpayer doesn’t owe tax or think they don’t owe any tax, they should:

  • Contact the Treasury Inspector General for Tax Administration. Use TIGTA’s “IRS Impersonation Scam Reporting” web page to report the incident.
  • Report the incident to the Federal Trade Commission. Use the “FTC Complaint Assistant” on the FTC.gov. Please add “IRS Telephone Scam” to the comments of your report.

E-mails: In most cases, an IRS phishing scam is an unsolicited email that claims to come from the IRS. Criminals often use fake refunds, phony tax bills or threats of an audit. Some emails actually will link you to a web site that looks real. The scammers’ goal is to have the taxpayer click on that link and give up their personal and financial information on the fake web site. If the scammer is successful, they use that information to steal a victim’s money and their identity.

For those taxpayers who get a “phishing” email, the IRS offers this advice:

  • Don’t reply to the message.
  • Don’t give out your personal or financial information.
  • Forward the email to phishing@irs.gov. Then delete it.
  • Do not open any attachments or click on any links. They may have malicious code that will infect your computer.

Home Visits: The Internal Revenue Service has created a special new page on IRS.gov to help taxpayers determine if a person visiting their home or place of business is from the IRS or an imposter.

With continuing phone scams and in-person scams taking place, remember IRS employees do make official, sometimes unannounced visits to delinquent taxpayers as part of their routine casework.

The reasons these visits occur and how to verify if it is the IRS knocking at your door fall into three categories:

  1. IRS revenue officers will sometimes make unannounced visits to a taxpayer’s home or place of business to discuss taxes owed or tax returns due. Revenue officers are IRS civil enforcement employees whose role involves education, investigation, and when necessary, appropriate enforcement. Be sure to get their business card and credentials before leaving the officer in your home or business.
  2. IRS revenue agents will sometimes visit a taxpayer who is being audited. That taxpayer would have first been notified by mail about the audit and set an agreed-upon appointment time with the revenue agent. Also, after mailing an initial appointment letter to a taxpayer, an auditor may call to confirm and discuss items pertaining to the scheduled audit appointment. Be sure to get their business card and credentials before leaving the agent in your home or business.
  3. IRS criminal investigators may visit a taxpayer’s home or place of business unannounced while conducting an investigation. However, these are federal law enforcement agents, and they will not demand any sort of payment. Criminal investigators also carry law enforcement credentials, including a badge.

For more information, visit “How to know it’s really the IRS calling or knocking on your door” on IRS.gov.

If you do owe taxes—or think you do—stay alert to scams that use the IRS as a lure. Tax scams can happen any time of year, not just at tax time. For more information, visit “Tax Scams and Consumer Alerts” at IRS.gov.

W-2 PHISHING SCAM

During 2017, a dangerous email scam was circulating nationwide and targeting employers, including tax exempt entities, universities and schools, government and private-sector businesses. The scammer poses as an internal executive requesting employee Forms W-2 and Social Security Number information from company payroll or human resources departments. They may even send an initial friendly greeting such as “Hi, are you in today” before the request. This scam is sometimes referred to as a business email compromise (BEC) or business email spoofing (BES).

Steps employers can take if they see the W-2 scam:

  • Organizations receiving a W-2 scam email should forward it to ­phishing@irs.gov and place “W2 Scam” in the subject line. Organizations that receive the scams or fall victim to them should file a complaint with the Internet Crime Complaint Center operated by the Federal Bureau of Investigation.
  • Employees whose Forms W-2 have been stolen should review the recommended actions by the Federal Trade Commission at identity theft.gov or the IRS at www.irs.gov/identitytheft.
  • Employees should have a Form 14039, Identity Theft Affidavit, filed if the employee’s own tax return gets rejected because of a duplicate Social Security number or if instructed to do so by the IRS.

FAKE CHARITIES

Giving to a charity can be very fulfilling. However, taxpayers should be cautious about groups masquerading as charitable organizations to attract donations from unsuspecting contributors.

Some basic tips offered by the IRS for taxpayers making charitable donations:

  • Be aware of charities with names that are similar to familiar or nationally known organizations. Some phony charities use names or web sites that sound or look like those of respected, legitimate organizations. IRS.gov has a search feature, Exempt Organizations Select Check, which allows people to find legitimate, qualified charities to which donations may be tax-deductible. A legitimate charity will not be afraid to provide their Employer Identification Numbers (EIN), if requested, which can be used to verify that they are legitimate. It is advisable to double check using a charity’s EIN.
  • Don’t give out personal financial information, such as Social Security numbers or passwords, to anyone who solicits a contribution. Scam artists may use this information to steal identities and money from victims. Donors often use credit cards to make donations. Be cautious when disclosing credit card numbers. Confirm that the charity is legitimate.
  • Don’t give or send cash. For security and tax record purposes, contribute by check or credit card or another way that provides documentation of the gift.

Popular types of scams when it comes to charities are those following major disasters. It’s common for scam artists to impersonate charities to get money or private information from well-intentioned taxpayers. Some scammers operating fake charities may contact people by telephone or email to solicit money or financial information. They may even directly contact disaster victims and claim to be working for or on behalf of the IRS to help the victims file casualty loss claims and get tax refunds.

To help disaster victims, the IRS encourages taxpayers to donate to recognized charities. Disaster victims can call the IRS toll-free disaster assistance telephone number (866-562-5227). Phone assistors will answer questions about tax relief or disaster-related tax issues.

PROTECT YOUR SMALL BUSINESS

Avoid being compromised on line by following these steps:

  • Keep your computer and anti-virus software set to update and run automatically.
  • Use different and strong passwords for each online account.
  • For your mobile phone, check often for software updates and only install trusted apps.
  • Contact your phone provider to add a password or PIN to your accounts.

THIS YEAR’S TOP SCAMS

  • Phishing: Remember, the IRS will never initiate contact with taxpayers via email about a tax bill or refund. Don’t click on emails or fake web sites claiming to be from the IRS.
  • Phone Scams: Criminals impersonating IRS agents remain an ongoing threat to taxpayers. They usually threaten with police arrest.
  • Identity Theft: Tax time is the worst time for identity theft, although it can absolutely happen year-round. The IRS aggressively pursues criminals that file fraudulent returns using someone else’s Social Security number. Continue to be extremely cautious when giving out sensitive information. Better safe than sorry!
  • Return Preparer Fraud: The majority of tax professionals provide honest high-quality service. However, there are some dishonest preparers who set up shop each filing season to take advantage of taxpayers through refund fraud, identity theft and other scams.
  • Fake Charities: Beware of groups masquerading as charitable organizations. These groups have names very similar to well-known organizations. Research the organization to know where your money is going.
  • Inflated Refund Claims: If a tax preparer promises a huge refund, question it. Avoid preparers who ask taxpayers to sign a blank return and promise a big refund before looking at any records or charge fees based on a percentage of the refund. Fake tax preparers use flyers, advertisements, phony storefronts and word of mouth via community groups where trust is high to find their victims.
  • Excessive Claims for Business Credits: Avoid improperly claiming the fuel tax credit. This tax benefit is generally not available to most taxpayers. The credit is usually limited to off-highway business use including use in farming. Also avoid misuse of the research credit. Improper claims often involve failures to participate in or substantiate qualified research activities and satisfy the requirements related to qualified research expenses.
  • Falsely Padding Deductions on Returns: Avoid the temptation to falsify deductions or expenses on tax returns in order to pay less than owed or receive larger refunds. Think twice before overstating deductions such as charitable contributions and business expenses or improperly claiming credits such as the Earned Income Tax Credit or Child Tax Credit.
  • Falsifying Income to Claim Credits: Don’t invent income to erroneously qualify for tax credits, such as the Earned Income Tax Credit. Taxpayers should file the most accurate return possible because they are legally responsible for what is on their return. Claiming false income can lead to taxpayers facing large bills to pay back taxes, interest and penalties. In some cases, they may even face criminal prosecution.
  • Abusive Tax Shelters: Don’t use abusive tax structures to avoid paying taxes. Everyone should be on the lookout for people peddling tax shelters that sound too good to be true.
  • Frivolous Tax Arguments: Don’t use frivolous tax arguments to avoid paying tax. Promoters of such schemes encourage taxpayers to make unreasonable and outlandish claims, even though they have been repeatedly thrown out of court. The penalty for filing a frivolous tax return is $5,000.
  • Offshore Tax Avoidance: It’s never a good idea to hide money and income offshore. Taxpayers are best served by coming in voluntarily and taking care of their tax-filing responsibilities. The IRS offers the Offshore Voluntary Disclosure Program to enable people to catch up on their filing and tax obligations.

RECAP ON SECURITY

For families with children and aging parents, it’s important to make sure everyone guards their personal information online and at home.

If everyone in your family uses the same computer, do not turn off any security software or open any suspicious emails. Never click on embedded links or download attachments of emails from unknown sources. Actions by one computer user could infect the machine for all users.

Do not store credit card information on any web site (Amazon, EBay, etc.).  Kids & aging parents should be warned against oversharing personal information on social media. Oversharing addresses, a new family car or a parent’s new job gives identity thieves a window into an extra bit of information they need to impersonate you.

If your computer has a webcam, keep the camera covered with a Post-It note so if an outsider does log into your computer, they cannot see your home through the webcam.  Protect your passwords.  The longer the password, the tougher it is to crack.  Use at least 10 characters; 12 is ideal for most home users.  Mix letters, numbers and special characters.  Try to be unpredictable – don’t use your name, birthdate, pet names or common words.  Don’t use the same password for many accounts.  If it is stolen from you – or from one of the companies with which you do business – it can be used to take over all your accounts.  Don’t share passwords on the phone, in texts or by email.  Legitimate companies will not send you messages asking for your password.  If you get such a message, it’s probably a scam.  Keep your passwords in a secure place, out of plain sight.

Don’t assume ads or emails are from reputable companies.  Check out companies to find out if they are legitimate.  When you’re online, a little research can save you a lot of money and reduce your security risk.  If you see an ad or an offer that looks too good, take a moment to check out the company behind it.  Type the company or product name into your favorite search engine with terms like “review,” “complaint” or “scam.”  If you find bad reviews, you’ll have to decide if the offer is worth the risk.  If you cannot find contact information for the company, take your business and your financial information elsewhere.  Even if a site features an ad for another site doesn’t mean that it endorses the advertised site, or is even familiar with it.

Aging parents may also need assistance for someone to routinely review charges to their credit cards or withdrawals from their financial accounts.  Unused credit cards should be canceled.  An annual review should be made of their credit reports at annualcreditreport.com to ensure no new accounts are being opened by thieves, and reviewing the Social Security Administration account to ensure no excessive income is accruing to their account.

Seniors also are especially vulnerable to scam calls and pressure from fraudsters posing as legitimate organizations, including the Internal Revenue Service, and demanding payment for debts not owed.  The IRS will never make threats of lawsuit or jail or demand that a certain payment method, such as a debit card, be made.

Some simple steps—and a conversation—can help the young and old avoid identity theft schemes and scammers.

Here are a few basic tips to recognize and avoid a phishing email:

  • It contains a link. Scammers often pose as the IRS, financial institutions, credit card companies or even tax companies or software providers.  They may claim they need you to update your account or ask you to change a password.  The email offers a link to a spoofing site that may look similar to the legitimate official web site.  Do not click on the link.  If in doubt, go directly to the legitimate web site and access your account.
  • It contains an attachment. Another option for scammers is to include an attachment to the email.  This attachment may be infected with malware that can download malicious software onto your computer without your knowledge.  If it’s spyware, it can track your keystrokes to obtain information about your passwords, Social Security number, credit cards or other sensitive data.  Do not open attachments from sources unknown to you.
  • It’s from a government agency. Scammers attempt to frighten people into opening email links by posing as government agencies.  Thieves often try to imitate the IRS and other government agencies.
  • It’s an “off” email from a friend. Scammers also hack email accounts and try to leverage the stolen email addresses.  You may receive an email from a “friend” that just doesn’t seem right.  It may be missing a subject for the subject line or contain odd requests or language.  If it seems off, avoid it and do not click on any links.  You may want to call your friend and see if they sent you an email.
  • It has a lookalike or identical URL. Some emails from friends look questionable. Look at the address. If the address looks similar or identical, place your cursor over their address and see if it’s the same address as your friend. If not, delete immediately. If the address matches your friend’s email address but the email has a link to click on and sounds “off,” call your friend to be sure they sent the email. If not, delete immediately. Most likely the email contains malware.
  • Use security features. Your browser and email provider generally will have anti-spam and phishing features.  Make sure you use all of your security software features.

Here are a few simple steps you can take to protect yourself:

  • Avoid suspicious phishing emails that appear to be from the IRS or other companies; do not click on the links—go directly to their web sites instead.
  • Beware of phishing scams asking you to update or verify your accounts.
  • “Strange” emails. Sometimes you will receive an email with an attachment from someone you know and it may sound “strange,” like something they wouldn’t send. The email address attached to the email may be their actual email address but if you are not 100% sure the sender would send such an email, call the person to be sure they sent you the email. If they tell you they haven’t sent you an email, delete the email; it is most likely malware and could infect your computer.
  • Download and install software only from web sites you know and trust.
  • Use security software to block pop-up ads, which can contain viruses.
  • Ensure your family understands safe online and computer habits.
  • Look for the “S”. When shopping or banking online, always look to see that the site uses encryption to protect your information.  Look for “https” at the beginning of the web address.  The “s” is for secure.  Unencrypted sites begin with an http address.  Additionally, make sure the https carries through on all pages, not just the sign-on page.
  • Secure Wireless Networks. A wireless network sends a signal through the air that allows it to connect to the Internet.  If your home or business Wi-Fi is unsecured, it also allows any computer within range to access your wireless and potentially steal information from your computer.  Criminals also can use your wireless to send spam or commit crimes that would be traced back to your account.  Always encrypt your wireless.  Generally, you must turn on this feature and create a password.
  • Be cautious when using public wireless networks. Public Wi-Fi hotspots are convenient but often not secure.  Tax or Financial Information you send through web sites or mobile apps may be accessed by someone else.  If a public Wi-Fi hotspot does not require a password, it probably is not secure.  Remember, if you are transmitting sensitive information, look for the “s” in https in the web site address to ensure that the information will be secure.

Here are a few basic steps to making passwords better and stronger:

  • Add password protections to all devices. You should use a password to protect any device that gives you that opportunity.  Not only your computer, tablet or mobile phone but also your wireless network.  The password is your first line of defense.
  • Change all factory password settings. If your device comes with factory password settings, for example the camera on your laptop, change it immediately.
  • Longer is better. A password should be a minimum of eight digits but 10 to 12 is even better.  It should be a combination of upper case and lower case letters, numbers and special characters.  Do not use your name or birthdate.
  • Do not repeat passwords. These days, people often have multiple password-protected accounts.  Do not use the same password repeatedly.  Should a thief steal your password, he immediately will have access to other important accounts.  Use different passwords, especially on important financial or tax accounts.
  • Use two-factor authentication options. Many social media and financial institutions now give you the option of setting up a two-factor or two-step authentication process.  A two-factor process involves a security code being sent to your registered mobile phone or personal email.  This means if a thief manages to steal your user name and password, he will be blocked from accessing your accounts.
  • Consider a password manager. One option for keeping track of your passwords on multiple accounts and getting help in creating strong passwords is to use a password manager.  Some reputable companies offer free or low-cost versions of their products.  See if a password manager might be right for you.

Here are steps you can make part of your routine to protect your personal identity tax and financial information:

  1. Read your credit card and banking statements carefully and often; watch for even the smallest charge that appears suspicious. (Neither your credit card nor bank—or the IRS—will send you emails asking for sensitive personal and financial information such as asking you to update your account.)
  2. Review all paper notices and correspondence from the Internal Revenue Service, Department of Revenue, or any other government agency. As long as the notice is official you may need to respond.  You might want to seek advice from a tax professional before responding to any income tax notices.  Warning signs of tax-related identity theft can include IRS notices about tax returns you did not file, income you did not receive or employers you’ve never heard of or where you’ve never worked.
  3. Review each of your three credit reports at least once a year. Visit annualcreditreport.com to get your free reports.
  4. Review your annual Social Security income statement for excessive income reported. You can sign up for an electronic account at gov.
  5. Read your health insurance statements; look for claims you never received.
  6. Shred any documents with personal and financial information. Never toss documents with your personally identifiable information, especially your social security number, in the trash or recycle bin.
  7. If you receive any routine federal deposit such as Social Security Administrator or Department of Veterans Affairs benefits, you probably receive those deposits electronically. You can use the same direct deposit process for your federal and state tax refund.  IRS direct deposit is safe and secure and places your tax refund directly into the financial account of your choice.
  8. Always use security software with firewall and anti-virus protections. Make sure the security software is always turned on and can automatically update.  Encrypt sensitive files such as tax records you store on your computer.  Use strong passwords.
  9. Learn to recognize and avoid phishing emails, threatening phone calls and texts from thieves posing as legitimate organizations such as your bank, credit card company and government organizations, including the IRS. Do not click on links or download attachments from unknown or suspicious emails.
  10. Protect your personal data. Don’t routinely carry your Social Security card, and make sure your tax records are secure.  Treat your personal information like you do your cash; don’t leave it lying around.
  11. Do not give a business your SSN or ITIN just because they ask. Give it only when required.
  12. Do not give personal information over the phone, through the mail or on the internet unless you have initiated the contact or you are sure you know with whom you are dealing.
  13. Secure personal information in your home.
  • Whether stored on paper or kept electronically, the IRS urges taxpayers to keep tax records safe and secure, especially any documents bearing Social Security numbers. The IRS also suggests scanning paper tax and financial records into a format that can be encrypted and stored securely on a flash drive, CD or DVD with photos or videos of valuables.
  • Now is a good time to set up a system to keep tax records safe and easy to find when filing next year, applying for a home loan or financial aid. Tax records must support the income, deductions and credits claimed on returns.  Taxpayers need to keep these records if the IRS asks questions about a tax return or to file an amended return.
  • It is even more important for taxpayers to have a copy of last year’s tax return as the IRS makes changes to authenticate and protect taxpayer identity. Beginning in 2017, some taxpayers who e-file will need to enter either the prior-year Adjusted Gross Income or the prior-year self-select PIN and date of birth.  If filing jointly, both taxpayers’ identities must be authenticated with this information.  The AGI is clearly labeled on the tax return.
  • If disposing of an old computer, tablet, mobile phone or back-up hard drive, keep in mind it includes files and personal data. Removing this information may require special disk utility software.  More information is available on IRS.gov at How long should I keep records?

If you are an identity theft victim, you need contact only one of the three to request a fraud alert.  One bureau must notify the others when a fraud alert is requested.  You’ll get a letter from each credit bureau.  It will confirm that they placed a fraud alert on your file.

A fraud alert is free, and it lasts for 90 days.  You can renew it.  It provides a red flag to other businesses where the thieves may be trying to open accounts and legitimate businesses may take additional steps to verify the identities.

The three main credit bureaus: