Beware of Tax-Related Fraud as April 15 Approaches

As the Internal Revenue Service issues warnings about fraud, an industry association warns that Websites for tax filing aren't as safe as they should be.

IRS tax-related fraud

As April 15—tax day in the United States—approaches, the security risk from tax-related fraud is on the rise, according to the Internal Revenue Service.

It's not just the IRS, though, that is warning about tax-related online fraud. The Online Trust Alliance (OTA) is warning that 46 percent of the e-filing tax Websites it surveyed get a failing grade for security.

According to the IRS, it is seeing "an approximately 400 percent surge in phishing and malware incidents so far this tax season." The email fraud attacks are all about trying to trick users into giving up personally identifiable information and could well lead to identity theft.

In January alone, 1,026 phishing-related scams were reported to the IRS, which stands in stark contrast to the 254 reported in January 2014. The IRS reported that, as of Feb. 16, the agency had already received reports of 1,389 phishing or malware incidents.

"This dramatic jump in these scams comes at the busiest time of tax season," IRS Commissioner John Koskinen said in a statement. "Watch out for fraudsters slipping these official-looking emails into inboxes, trying to confuse people at the very time they work on their taxes. We urge people not to click on these emails."

The IRS itself has been directly targeted by fraudsters this year, as well. On Feb 9, the IRS confirmed that hackers attacked its e-file PIN system. In that attack, 101,000 Social Security numbers were successfully used by attackers.

The challenge of tax-related security extends beyond the IRS and also includes e-filing tax services. The OTA commissioned an audit of 13 e-file tax sites to see if they comply with the security auditing methodology that the industry association has developed. The methodology includes 50 criteria, such as controls that protect user information and data by implementing common security technologies and best practices.

Of the 13 sites, six failed to meet the OTA criteria to adequately protect consumer information and enforce privacy controls. Among the big risks is that those responsible for the failing sites didn't take steps to protect users from phishing emails.

Craig Spiezle, OTA executive director and president, noted that the organization reached out to the IRS three weeks ago outlining some of the e-filing site security trends.

"What still concerns us is that there are steps that can be taken to help curb the malicious emails purporting to come from IRS-approved e-file sites, yet there is no oversight or efforts in play to require them to improve their practices or adopt widely accepted security standards," Spiezle told eWEEK.

It's surprising that so many tax providers failed to comply with security best practices, Spiezle said. "Considering the amount of abuse and how tax season is Christmas for the criminals, the site vulnerabilities we discovered and their lack of adherence to the IRS' own security mandates is daunting," he said. "It is like leaving your car parked unlocked with the keys in the ignition in a bad neighborhood and then wondering why it was stolen."

Sean Michael Kerner is a senior editor at eWEEK and Follow him on Twitter @TechJournalist.

Sean Michael Kerner

Sean Michael Kerner

Sean Michael Kerner is an Internet consultant, strategist, and contributor to several leading IT business web sites.