Telephone and phishing scams taking their toll

Duke Winston's friends called him a digital freak because he spent most of his non-working time on his devices chatting with friends via his social media accounts and shopping on the Internet. He thought he was pretty savvy about emerging cybercrimes until one day he went online to check his banking transactions and noticed a recent withdrawal of more than $4,000 that wiped out his account balance. His bank told him the transaction seemed to be legit. Regardless, the bank covered the loss because Duke obviously had been victimized.

'Wrong number' telephone scam

Duke was a victim of a new telephone scam called "wrong number" that Scambusters recently reported on. Fraudsters know that we sometimes get rushed and make mistakes when we dial telephone numbers. So they've purchased hundreds of telephone numbers, including those of the toll-free variety, that are similar to common business numbers — except for one digit. Their goal, of course, is to steal personally identifiable information (PII) and use it to rob organizations of their resources.

The fraudsters link a fraudulent telephone number to a recorded message that mimics the name of the company that the potential victim thinks he's dialing. The message tells the caller to key in his bank or credit card account number and, if required, a PIN number and/or security code. The new victim is put on hold waiting in the mythical line to talk with a service representative. Of course, the hold never ends and, during this time, the fraudster cleans out the victim's bank account or maxes out his credit card.

In another version of this scam, a fraudster might set up a bogus telephone number directly or include it in a link on a fake website of a legitimate retailer or card company. When the potential victim uses Google to key in the name of a real company and "customer service" to do a search for its telephone number, he instead gets the bogus one. Thinking it's real, the caller is victimized if he uses it. Game over!

To avoid becoming a victim of this scam:

• Use the telephone number on the back of your credit or bank account card and key it in carefully. Then verify it as it comes up on your telephone screen. 
• If you go online to obtain a telephone number, make sure you're on the real company's website.

KeyRaider malware telephone scam

Claud Xiao writes about fraudsters using KeyRaider malware to target IOS devices and steal Apple account information, including usernames and passwords, from those who have used the "jailbreaking" technique to reprogram their iPhones to allow them to install apps from non-Apple store sites. (See " Keyraider: IOS Malware Steals Over 225,000 Apple Accounts to Create Free App Utopia," paloalto, Aug. 30, 2015.)

This scam, which is sweeping the U.S. and Canada, allows fraudsters to use stolen account information to steal apps from the Apple store. Apple account holders realize they've been scammed when they notice unauthorized charges on their accounts.

Read Ryan Olson's post on paloalto to determine if your Apple account has been infected with the KeyRaider malware. Olson recommends the best way to keep your mobile device safe and avoid this scam is to keep your firewall updated and not jailbreak your account.

IRS tax scams proliferate

As we all know by now, the IRS is in a fierce battle with fraudsters who are utilizing numerous old and new schemes to con taxpayers and the government out of millions of dollars every year.

The battle is comparable to the ongoing war between security companies and fraudsters. When security companies eradicate one scheme, the fraudsters invariably come back with a new version. These tax scams proliferate during the tax season.

The IRS publishes its "Dirty Dozen" tax scams every year. "Identity theft" heads the list and it is, of course, strongly related to others on the list including the "phishing" tax scam. When the IRS talks about "identity theft," it's invariably referring to income tax refund fraud. Here I'll report on two of the more serious tax scams, "phishing" and "phone," and their relationship to identity theft.

Phishing and malware tax schemes

According to a February 18 post on the IRS website we've seen a 400 percent increase in phishing and malware incidents this year throughout the U.S. For example:

• There were 1,026 incidents reported in January — up from 254 in 2015.
• The trend continued in February — nearly doubling the reported number of incidents compared to 2015. In all, 363 incidents were reported from February 1 through 16, compared to the 201 incidents reported for the entire month of February 2015.
• This year's 1,389 incidents have already topped the 2014 yearly total of 1,361, and they're halfway to matching the 2015 total of 2,748.

Phishing schemes, delivered via emails and text messages, are the most common method fraudsters use to trick individuals at home or at businesses into giving up important PII or loading their computers with malware.

When victims click on a link in a phishing scheme they're usually taken to an official-looking website: IRS.gov or tax-industry companies such as those selling software. These sites ask them for PII such as Social Security numbers and/or are tricked into downloading malware onto their computers.

The IRS says that the fraudsters use these phishing emails to "seek information related to refunds, filing status, confirming personal information, ordering transcripts and verifying PIN information." The IRS provides these common fraudulent red-flag email subject lines:

• Numerous variations about people's tax refund.
• Update your filing details, which can include references to W-2.
• Confirm your personal information.
• Get my IP Pin.
• Get my E-file Pin.
• Order a transcript.
• Complete your tax return information.

This year, the IRS has noticed a big increase in fraudsters asking for personal tax information, which they use to file for false refunds on behalf of taxpayers. The IRS has worked hard to develop tools to filter out fraudulent tax returns asking for refunds. And it has teamed up with the Department of Justice to prosecute and lock up criminals for perpetuating this fraud. However, new fraudsters continue to emerge.

For an explanation of the major issues relating to "income tax refund fraud" see "Identity theft tax refund fraud: A growing epidemic," parts 1 and 2, in the March/April and May/June 2014 issues of Fraud Magazine.)

The IRS never uses emails to contact citizens for personal or financial information. The agency advises individuals to contact them at phishing@irs.gov if they receive  fraudulent tax phishing email or text messages.

Telephone tax scams

In this major scam, an individual receives a telephone call from a fraudster impersonating an IRS agent, who says that he owes back taxes and demands immediate payment — typically in the form of a prepaid debit card.

These conmen — who typically use scare and urgency tactics — tend to target the most vulnerable, including minorities, newly arrived immigrants, the elderly and those whose first language isn't English. The fraudsters alter ID numbers and use fake names and IRS badge numbers to fool their victims.

According to the IRS, the Treasury Inspector General for Tax Administration has received notice of more than 290,000 incidents in which more than 3,000 individuals have been bilked out of more than $14 million since 2013.

The IRS will never do the following:

• Call to demand immediate payment nor call about taxes owed without first having mailed you a bill.
• Demand that you pay taxes without giving you the opportunity to question or appeal the amount they say you owe.
• Require you to use a specific payment method for your taxes, such as a prepaid debit card.
• Ask for credit or debit card numbers over the phone.
• Threaten to bring in local police or other law-enforcement groups to have you arrested for not paying.

If you get a phone call from someone claiming to be from the IRS and asking for money, here's what you should do:

• If you know you owe taxes or think you might owe, call the IRS at 1-800-829-1040. 
• If you know you don't owe taxes or have no reason to believe that you do, report the incident to the TIGTA at 1-800-366-4484
• If you've been targeted by this scam, also contact the Federal Trade Commission and use their "FTC Complaint Assistant" at FTC.gov. Please add "IRS Telephone Scam" to the comments of your complaint.

More help for the community

I hope you'll share this information with your family, friends and clients and include it in your outreach programs. We must step up our efforts to educate the public on how to safeguard their computers from cyber-criminals to avoid having sensitive information stolen, which will help to reduce identity theft.

Cybercriminals take advantage of any opportunity to develop schemes to rob consumers of their resources. Even though the fraudsters have the upper hand, an educated community will help curb the damage.

Please contact me if you have any identity theft issues you'd like me to research and possibly include in future columns, or if you have any questions related to this column or any other cyber security/identity theft questions. I don't have all the answers, but I'll do my best. Stay tuned!

I'd like to acknowledge Central Washington University's Faculty Research Program in its support of this work.

Robert E. Holtfreter, Ph.D., CFE, CICA, CBA, is distinguished professor of accounting and research at Central Washington University in Ellensburg, Washington. He's also on the ACFE's Advisory Council and the Editorial Advisory Committee. His email address is: doctorh007@gmail.com.