Taking Back the ID

Impersonating the good guys

Susan West was perplexed when she received an email from the Internet Crime Complaint Center (IC3) notifying her that she was eligible for restitution after internet fraudsters had ripped her off. She didn’t remember that she’d been a victim. But she followed the directions to claim the restitution by clicking on an attachment, downloading a form that she filled out with her personally identifiable information (PII) and emailing it to the “IC3.” Of course, when she downloaded the file, malware infected her computer and stole everything on it. And the fraudsters also owned her PII. West became a potential identity theft victim because she fell for the new internet crime center impersonation scam.

Internet crime center impersonation scam

Although the preceding case is fictional, it represents victims’ experiences. On Feb. 1, the FBI posted an announcement about this scam on its website. The fraudsters, who use a template in this IC3 impersonation scam, have adapted it in three other known versions. More versions will emerge.

In the first adapted version, fraudsters masquerade as the IC3 and use a fake social media page to direct victims to give up PII in reporting an internet-related crime.

In the second and third versions of the scam, fraudsters contact individuals via emails — purportedly from the IC3. In the second version, the fraudsters inform the recipients they’ll compensate them for unfair treatment from banks and courier companies. In the third version, fraudsters entice the recipients to bite by telling them they were possible victims of a federal crime. The recipients are directed to follow up by calling the sender of the email, who asks them to provide PII to receive “restitution.”

U.S. secretary of state scam

Is the U.S. secretary of state involved in a scam? No, but fraudsters are using his name in a scheme designed to bilk victims out of cash and steal PII for identity theft. Kati Daffan, assistant director of division of marketing practices, detailed the scam in her alert, “The Secretary of State is not emailing you,” on the Federal Trade Commission’s (FTC) website on Jan. 30.

Fraudsters tell you that an FBI or CIA investigation has discovered that you’re owed a payment as large as $1.85 million from an unidentified source. The payment will be made via an ATM card along with a PIN code, but you must first send $320 and your PII. Say hello to identity theft walking through your door.

This scam shows a common fraudster ploy: masquerading as authoritative government organizations — such as the IRS or FBI — to catch potential victims off guard and frighten or intimidate them. Fraudsters also usually require victims to send in money via prepaid debit cards along with their PII.

In scams related to the one above, a fake lottery department might contact you to say you’ve won a prize, or a fake government agency might tell you that you’ve been accused of a crime or violation and threaten you with jail time. To claim the prize or remedy the accusation, you’re required to send in cash or use a prepaid debit card.

A lottery department or any other government agency isn’t going to tell you that you’ve won a prize, and you’d never need to pay a fee to collect it. And it will never accuse you of a crime or violation and threaten you with jail time if you don’t send it cash. If you receive these offers:

  • Stop and count to 100.
  • Don’t pay any type of fee to claim a prize or money, or settle a fake accusation. 
  • Don’t provide your PII to anyone.
  • Report scams to the FTC and local media outlets.

Erroneous tax refund scam

The IRS posted a Feb. 13 scam alert that urges taxpayers to watch out for erroneous tax refunds deposited into their bank accounts.

Tax professionals, or someone in their offices, click on links or attachments in phishing emails that download malware, which then collects taxpayers’ records, allows fraudsters to view keystrokes and gives them remote access to office computers.

Fraudsters then use clients’ identities to file fraudulent tax returns on which they instruct the IRS to send refunds to victims’ bank accounts. After that, the fraudsters follow one of two different scripts. (Victims are piling up, so new scripts will evolve.)

In the first script version, the fraudster — in the guise of a debt collection agency working for the IRS — contacts the victimized taxpayer and tells them that the IRS erroneously deposited a refund into their bank account. The fraudster instructs the victim to forward money to cover the amount of the refund to the debt collection agency.

In the second script, the fraudster poses as an IRS employee and sends an automated telephone call to the victimized taxpayer to tell them they received an erroneous refund. The message gives the taxpayer a telephone number to call with a case number to return the money. The recorded voice includes a threat that the IRS will charge them with criminal fraud, issue an arrest warrant and “blacklist” their Social Security number (SSN). There’s no such thing as a “blacklisted” SSN, but it implies that the IRS won’t allow future employers, medical personnel, loan companies, etc. to use it to validate your identity. The fraudsters include the blacklisting comment to intimidate potential victims.

The IRS issued a Feb. 2 alert to urge tax professionals to take these steps to help protect taxpayer records:

  • Educate employees on phishing and spear phishing, and give examples.
  • Use strong, unique passwords with a mix of letters, numbers and special characters. Use different passwords for each account.
  • Never take email from a familiar source at face value, such as one that purports to be from “IRS e-services.” Stop if it asks you to open a link or attachment or includes a threat to close your account. Visit the seemingly familiar website for confirmation before you open links or attachments.
  • If an email contains a link, hover your cursor over the link to see the URL. Don’t open it if it’s not a URL you recognize or if it’s an abbreviated URL.
  • If you receive an email from a new client containing tax information or a client requesting last-minute changes to their refund destination, get a verbal confirmation by phone or in person.
  • Make sure you have the latest version of your security software and sign up for automatic updates.
  • Use the security options that come with your tax preparation software.
  • Send suspicious tax-related emails to phishing@irs.gov.

Please share this information with your business associates, family, friends and clients and include it in your outreach programs. An important takeaway from this column is that new identity theft scams and new versions of old ones continue to emerge. You’ve been forewarned, so tread with care!

Please contact me if you have identity theft or cyber-related issues you’d like me to research and possibly include in future columns or feature articles, or if you have any questions about this column or other cybersecurity and identity theft issues. I don’t have all the answers, but I’ll do my best to help. Stay tuned!

Robert E. Holtfreter, Ph.D., CFE, CICA, CBA, is distinguished professor of accounting and research at Central Washington University in Ellensburg, Wash. He’s also on the ACFE’s Advisory Council and the Editorial Advisory Committee. Holtfreter was the recipient of the 2017 Hubbard Award for the best Fraud Magazine feature article in 2016. Reach him at: doctorh007@gmail.com.

 
