As if tax season isn’t stressful enough, urgent warnings are going out from the Internal Revenue Service (IRS) on several hacker tax scams that could put your business or you personally in financial jeopardy. The IRS says versions of this scam are evolving and thousands of taxpayers have already been targeted.

Unlike previous scams, these look legitimate, causing the IRS to deposit money in taxpayer bank accounts based on the filing of fraudulent tax return.

IRS Hacker Scams are targeting tax professionals’ data to file fraudulent tax returns.

Cybercriminal phishing plots and other schemes are being used to steal client data like income, dependents, credits, and deductions from tax professionals.

Here’s how it’s done.

  1. Your tax professional’s files, with all your tax filing information, are breached.
  2. Criminals file fraudulent tax returns in your name using your data.
  3. The IRS deposits what they ‘assume’ is your tax return into your bank account.
  4. Criminals posing as the IRS or other law enforcement contact you to say there’s been an error and ask for the money to be returned.
  5. You note the error in your account and send the money to the bogus criminal IRS account.

Here are a couple twists on the same scam:

  • A bogus ‘debit collection agency’ acting on behalf of the IRS threatens the taxpayer by saying a refund was deposited in error and instructs the taxpayer to forward the money to the fraudulent collection agency.
  • In another version, the taxpayer receives an erroneous tax refund, then receives an automated call claiming to be the IRS. The caller threatens the taxpayer with criminal fraud charges, an arrest warrant and a ‘blacklisting’ of their Social Security number. The recorded voice then gives the victim a case number and a telephone number to call to return the refund.

If you discover an erroneous tax refund in your bank account, the IRS suggests you:

  1. Contact the Automated Clearing House (ACH) department of the bank/financial institution where the direct deposit was received and have them return the refund to the IRS.
  2. Call the IRS: Businesses (1.800.829.1040) Individuals (1.800.829.4933) to let them know why the direct deposit was returned.

If the erroneous refund comes to you in a paper check and has NOT been cashed:

  1. Write “VOID” in the endorsement section on the back of the check.
  2. Immediately submit the bogus check to the designated IRS location found here. (Note that the designated location is based on the city written on the bottom text line of the refund check in front of the words TAX REFUND. (Be careful not to staple, bend or paper clip the check.)
  3. Add a note that says, “Return of erroneous refund check because (and give a brief explanation of the reason why you’re returning the check).”

If the erroneous refund was a paper check you CASHED:

  1. Submit a personal check, money order, etc., immediately to the designated IRS location.
  2. If you don’t have a copy of the check, call the IRS. Businesses call (1.800.829.1040) Individuals (1.800.829.4933) to explain that you need information on how to repay a cashed refund check.
  3. Write on the check/money order: Payment of Erroneous Refund, the tax period for which the refund was issued, and your taxpayer ID number (SSN, EIN, or ITIN)
  4. Include a brief explanation of the reason for returning the refund.
  5. Do it immediately: not paying quickly can result in interest owed to the IRS

Don’t forget a few more important details to protect your future tax returns.

If you’ve been scammed, protection of your sensitive information requires doing some ‘clean-up’ with your financial institutions. They may need to close your accounts. You should also immediately inform your tax preparer. And for the future, keep in mind, the IRS will NEVER initiate contact by phone or email to talk about your account. Any unsolicited calls from the IRS should be considered a scam.

Ben Franklin never imagined cybercrime.

Ben Franklin said, “In this world nothing can be said to be certain except death and taxes.” He could never have imagined the Internet, nor the crime that has come with it. Today we can amend his quote to say, “death, taxes and cybercrime.” Unsecured data can be devastating to any small business.

Many are turning to managed security providers for help. These cybercrime experts are security architects, analysts, tactical planners, first responders —and nimble enough to straddle both business and the technical. Having layers of cybersecurity expertise is the most effective way to hold back cybercrime. Old Ben had another bit of wisdom, “An investment in knowledge pays the best interest” and it may also be the best way to protect your businesses from cybercrime.

Recent Posts