Taking Back the ID

Playing dodgeball with yet more scams

Date: November 1, 2019

Think you’re completing your tax return? Think again. That frightening call from the Social Security Administration? Not who you think it is. And believe you’re getting the protection and settlement from the Equifax breach? Buyer, beware.

The email looked official. Todd Luckenbach opened it with the subject, “Electronic Income Tax Reminder” and clicked on the link that directed him to visit the government agency’s website to complete his tax return. He was pleased to see the IRS was being so proactive, and he knew it was them because the website’s URL was authentic … or so he thought. Within days, his bank account was drained. Turns out that website was a fraudster’s, and the link had installed malicious software.

Yet another tax scam

In the September/October column I wrote about two new tax scams generated by fraudsters to drain resources from victims. Now, a new and even more dangerous scheme has emerged. In this latest scam, people receive an email that appears to be from the IRS, which requests that the user click on links to complete their tax return or receive their refund. The links instead download malware onto their computers. The IRS and its Security Summit partners released a report on this scam on Aug. 22. (See Security Summit warns of new IRS impersonation email scam; reminds taxpayers the IRS does not send unsolicited emails.)

Fraudsters have become proficient at creating phishing scams that impersonate organizations and individuals. They use government agencies like the IRS and the FBI as the purported sources of phishing messages because these names are very effective at scaring people, sometimes causing them to panic and act irrationally.

Phishing, which remains the most commonly exploited of all attack vectors, accounts for 90% to 95% of all successful cybersecurity attacks worldwide, according to the Ironscales 2017 Email Security Report. (To learn more about phishing and how the attacks are carried out, see my feature article Hook, Line and Sinker: Phishing continues to Proliferate, in the July/August 2018 issue of Fraud Magazine.)

Fraudsters sent this new IRS impersonation scam nationally to potential victims via unsolicited emails. Like many phishing email subject lines, the ones in this new tax scam vary, but recent examples include “Automatic Income Tax Reminder” or “Electronic Tax Return Reminder.” No doubt new variations will emerge.

The emails contain links that lead to an IRS.gov-like website, which provides fake information about a refund, tax account or electronic return. To vary their approach in this scam, the scammers utilize dozens of these compromised websites and URLs. The emails also provide a “temporary” password for accessing the files needed to submit a refund. But, unknown to the victim, the files contain malware that, when downloaded onto the victim’s computer network, allows the fraudster to track every keystroke and so capture the passwords to all types of important accounts, including financial accounts.

Please remember that the IRS:

  • Never calls to demand immediate payment using a specific payment method such as a prepaid debit card, gift card or wire transfer. (Generally, the first contact is a mailed bill.)
  • Never emails, texts or uses social media channels to request financial or personally identifiable information (PII). This includes requests for PIN numbers, passwords or similar access information for credit cards, banks or other financial accounts.

More fake Social Security calls

Social security scams are ubiquitous, but fraudsters have stepped up their tactics by increasing their use of the telephone to contact potential victims with new scams. Jennifer Leach with the Federal Trade Commission (FTC) addressed this problem in her report on March 6. (See Getting calls from the SSA?.)

Since January 2019, the FTC has received more than 63,000 reports from consumers about fake calls from the Social Security Administration (SSA). About 3% of the callers reported losses that totaled $16.6 million with a median loss of $1,484. Assuming these trends continue, this would amount to approximately 378,000 calls and total losses of $996 million for 2019.

To allay suspicion, the fraudster displays the real SSA phone number (800-772-1213) or a similar one on the caller ID. The scripts for the Social Security scams vary but their intent is similar: to rob you of your financial resources, identity or both.

In one version, the scammer might tell you that your SSN has been suspended because it’s been involved in a crime or suspicious identity theft activity. The fraudster then asks you to confirm your SSN and other PII to eliminate the suspension and reinstate your account. After you provide this information, the scammer can use it for sundry malicious activities, including claiming your benefits and opening new financial accounts in your name to borrow or launder money. This can destroy your credit.

In another version, the caller might tell you that your bank accounts are about to be seized, but the SSA can protect them if you put your money on reloadable cards. The caller will advise you to buy a prepaid debit card or an iTunes gift card and then transfer your money out of your bank accounts onto the card. Once you agree to do this, the scammer will call back later to see if you carried through. If so, you’ll be asked for the codes (account number and PIN) on the funds card for the SSA to record them in your file to “protect” your money if something happens to your bank account. This is the final nail in the coffin because once you tell the scammer the card codes, they’ll drain the funds from the debit card, and you’ll be broke.

The FTC advises:

  • No one is suspending your SSN or seizing your bank account.
  • The real SSA will never call to threaten your benefits or tell you to wire money, send cash or put money on gift cards.
  • Scammers can easily fake the numbers on your caller ID, but if you’re worried, call the real SSA at 800-772-1213. You can trust that number if you dial it yourself.
  • Never give your PII to anyone who contacts you. Ever.
  • To report this scam, visit FTC.gov/complaint.

Settle on the correct Equifax settlement website

I am sure that most of you know that Equifax, one of the three credit reporting agencies, was the victim of a major data breach in September 2017 that exposed the PII, including SSNs, of millions of consumers. When Equifax reached a settlement with the FTC, consumers were told to go to FTC.gov/Equifax to find out if their information was exposed and, if so, file a claim for benefits and credit monitoring.

Well, it took fraudsters about a week after the announcement to devise a new scam intended to rob consumers of their resources and their identity. The FTC’s Michael Atleson reported on the scam on its website. (See Equifax Data Breach: Beware of Fake Settlement Websites.)

Fraudsters create fake websites meant to look like the official Equifax settlement claims website. To be sure you’re going to the correct website, start at the FTC’s page: FTC.gov/Equifax.

When individuals mistakenly visit a fake website to learn if their PII was compromised in the breach and then file a claim for compensation, the site logically requests their SSN and other PII. In some cases, the site will state that, before consumers can get help to determine if they qualify for benefits, they’ll have to pay a fee. In this case the consumer loses out in two ways — money for the fee and, more importantly, their SSN, which will be used by fraudsters in future malicious activities.

A recent post on the Identity Theft Resource Center provided the following precautions and advice concerning this scam:

Share, share, share!

Please share this information with your business associates, family, friends and clients. Include it in your outreach programs. Like most scams, the ones covered in this column are especially hard on the elderly. An important takeaway from this column is that there are no timelines for identity theft scams. They continue to emerge.

Please contact me if you have any identity theft or cyber-related issues that you’d like me to research and possibly include in future columns or as feature articles, or if you have any questions. I don’t have all the answers, but I’ll do my best to help. I might not get back to you immediately, but I’ll reply. Stay tuned!

Robert E. Holtfreter, Ph.D., CFE, is distinguished professor of accounting and research at Central Washington University in Ellensburg, Wash. He’s also on the ACFE’s Advisory Council and the Editorial Advisory Committee. Holtfreter was the recipient of the Hubbard Award for the best Fraud Magazine feature article in 2016. His email address is: doctorh007@gmail.com.
