Dr. Seuss' The Grinch movie image courtesy Illumination Entertainment
Grinches aren't always green. Sometimes we don't even know what they look like.
That's the case when they set their sights on stealing not only Christmas, but your identity by sending fake emails.
This holiday season, ID thieves have stepped up their phishing efforts. And some of those fake emails are going to tax professionals as part of payroll direct deposit and wire transfer scams.
Tax pros targeted, too: Phishing scams tend to be small-d democratic. The business email compromise and/or spoofing tactics generally target all types of industry and employers.
This year, however, the Internal Revenue Service and its Security Summit partners say they've seen an uptick in this latest spate of phishing among tax preparers.
The IRS, state revenue departments and the tax community are concerned that these email identity theft efforts — as well as the Form W-2 scam that was first reported earlier this year and is still around — could increase as the 2019 tax season approaches.
Fake direct deposit accounts: These emails generally impersonate a company employee, often an executive, and are sent to payroll or human resources personnel.
The email from the supposed employee asks the payroll or human resource staff to change his or her direct deposit for payroll purposes. The fake worker provides a new bank account and routing number, but it is actually controlled by the sending identity thief.
Below is an example of the direct deposit change email scam, edited by the IRS, recently reported by tax professionals to the tax agency:
Sent: Monday, December 10, 2018 [REMOVED]
Subject: (no subject)
I changed my bank and I will like my paycheck DD details changed. Do you think this change be effective for the next pay date?
Sent from my iPhone
This scam is usually discovered pretty quickly, but not before the victim has lost one or two payroll deposits.
Fake executive request: In another version, the criminal emailer impersonates a company executive and sends the message to the employee within the business who is responsible for wire transfers.
This fake email requests that a wire transfer be made to a specific account that is controlled by the thief.
The wire transfer scam (IRS-edited example below) is similar to the direct deposit scam:
Date: 12/10/18 [REMOVED]
Subject: ACH Payment Attention
Please confirm the receipt of my message, Authorized can you handle domestic transfer payment now?
Sent from my iPhone
Companies that fall victim to this scam can lose tens of thousands of dollars.
Be vigilant: The IRS warns all businesses to be alert to these and other email scams, which can take many forms.
Among the phishing scams the Security Summit has seen are fake invoice payments, title escrow payments and wire transfers. All are designed to result in a quick payoff for the thief, which means a major cost to the scammed companies and employees.
One easy and immediate step is to pay attention to all your emails. When they have to do with finances, be suspicious when they include grammatical and spelling mistakes.
Reporting tax ID theft attempts: If you do get one of these phishing emails, forwarded it to Internal Crime Complaint Center (IC3), which is monitored by the Federal Bureau of Investigation. The public can file a complaint about email scams or other internet-related scams by going to www.ic3.gov.
Tax professionals and others who get such emails also should report tax-related phishing attempts to firstname.lastname@example.org. This account is monitored by IRS cybersecurity professionals. This reporting process also enables the IRS and Security Summit partners to identify trends and issue warnings.
The IRS also has set up a special scam reporting process for companies that have been or are target of the W-2 scam. Forward this scam email to email@example.com. Employers who've been victimized can follow the process detailed at Form W-2/SSN Data Theft: Information for Businesses and Payroll Service Providers.
And if your business received the W-2 scam email but did not fall victim, good for y'all! The IRS wants to know that too, so forward the email to firstname.lastname@example.org.
Follow your instincts and these anti-phishing tips to keep your personal or company bank accounts from becoming two sizes too small due to Grinchy identity theft scams.
You also might find these items of interest:
- 5 ways to protect your tax identity and refund money
- 7 ways to protect your tax identity during peak holiday online shopping season
- Tax identity theft prevention tips for individuals & businesses round out 2018's National Tax Security Awareness Week