Taking Back the ID

New phishing scams, fake FTC letters and more

Nothing’s sacred. Cybercriminals are now faking those “https” secure websites. Don’t fall for them, or for assorted new phishing scams and fraudulent Federal Trade Commission letters.

Mittens Andersen discovered that the last check she wrote bounced. She was dumbfounded because she’d always maintained a healthy balance in her account. Bank officials told her that cybercriminals probably stole her bank account number through an advanced “https” phishing scheme, which directed her to a fake website she thought was secure.

‘https’ phishing scam

In a recent PSA, the FBI reported a new phishing campaign that has serious implications for stealing personally identifiable information (PII) from unsuspecting victims. (See Cyber Actors Exploit Secure Websites in Phishing Campaigns, FBI, June 19, 2019.)

Many website addresses begin with https, Hypertext Transfer Protocol Secure. Secure organizational websites normally include a lock icon in the web browser address bar. The combination of the lock icon and https in a web address normally indicates that web traffic is encrypted, which provides some basic assurance that visitors can safely share data.

An organization also can add a certificate from a trusted third-party certificate authority (CA) to its website to verify its ownership and assure viewers that it’s securely transferring data between its server and their browsers.

Cybercriminals capitalize on the public’s trust of https and the lock icon by fooling unsuspecting victims into visiting fake websites via emails that imitate trustworthy companies or email contacts and eventually stealing their PII, according to the FBI.

To help avoid the possibility of becoming victimized by the https scam, the FBI advises:

  • Don’t simply trust the name on an email. Question the intent of the email content.
  • If you receive a suspicious email with a link from a known contact, confirm the email is legitimate by calling or emailing the contact. Don’t reply directly to a suspicious email.
  • Check for misspellings or wrong domains within a link (e.g., if an address that should end in “.gov” ends in “.com” instead).
  • Don’t trust a website just because it has a lock icon or https in the browser address bar.
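The link checks in the FBI's list can be expressed in a few lines of Python. This is an added example, not code from the FBI PSA or this column; the function names, result labels and sample URLs are constructed for illustration, and the comparison assumes the expected domain is given in full (for example, ftc.gov).

```python
from urllib.parse import urlsplit

def edit_distance(a: str, b: str) -> int:
    """Levenshtein distance, used to spot near-miss (misspelled) names."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]

def classify_link(url: str, expected: str) -> str:
    """Compare the host in `url` with the domain the message claims to come from."""
    host = (urlsplit(url).hostname or "").lower().rstrip(".")
    expected = expected.lower()
    if not host:
        return "no-host"
    # The scheme is deliberately ignored: https and the lock icon only mean the
    # connection is encrypted, not that the site belongs to the claimed owner.
    if host == expected or host.endswith("." + expected):
        return "match"
    exp_labels = expected.split(".")
    tail = host.split(".")[-len(exp_labels):]   # as many labels as the expected domain
    if tail[:-1] == exp_labels[:-1] and tail[-1] != exp_labels[-1]:
        return "wrong-tld"                      # e.g. ".com" where ".gov" belongs
    if tail[-1] == exp_labels[-1] and 0 < edit_distance(".".join(tail), expected) <= 2:
        return "misspelling"
    if expected in host:
        return "expected-name-embedded"         # real name used as a decoy inside the host
    return "unrelated"

# Constructed sample links, all checked against the domain the email claims: ftc.gov
SAMPLES = [
    "https://www.ftc.gov/redress",
    "https://ftc.com/redress",
    "https://www.ftcc.gov/login",
    "https://ftc.gov.refunds.example/claim",
]

if __name__ == "__main__":
    for link in SAMPLES:
        print(f"{classify_link(link, 'ftc.gov'):24} {link}")
```

Three of the four sample links use https, yet only the first resolves to the expected domain.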

Faking FTC letters

A consumer and his bank recently reported a scam to the U.S. Federal Trade Commission (FTC) in which the fraudsters used official-looking FTC letterhead to mail a threatening message. (See Scammers pretend to be the FTC, by Monica Vaca, FTC, Dec. 3, 2019.)

According to Vaca, the FTC’s associate director of consumer response and operations, the letter claims that the receiver’s online and financial activities put them under suspicion of money laundering and terrorism, and the FTC will be reviewing their activities. Vaca believes the fraudsters probably will follow up with urgent phone calls telling their victims that they must immediately send money to remedy the situation. It’s highly probable that the crooks will ask victims to provide their PII. As in many scams, the fraudsters try to hit the victim’s panic button to redirect their focus so they inadvertently do what they’re told.

Vaca provides advice to protect yourself against government imposters:

  • The FTC will never send threatening letters.
  • The FTC does write back to those who write to the agency, and it sometimes sends letters about refunds from a case, but it will never ask them to pay anything or give their PII or collect their money. (Find more about FTC refunds at ftc.gov/redress.)
  • No government agency will ever demand that you pay by gift card, wiring money or bitcoin. Anyone who does that is a scammer. Full stop.
  • If you get a letter from the FTC, call the FTC Consumer Response Center at 1.877.FTC.HELP (1.877.382.4357).

Find out more about imposter scams of all sorts at ftc.gov/imposters.

Business owners and identity theft

As we enter the U.S. tax season, the Internal Revenue Service (IRS) is warning business owners of a new identity-theft risk and recommending they step up cybersecurity protections to help protect their data and prevent false filings. (See National Tax Security Awareness Week, Day 4: IRS, Security Summit warns business owners about being targets for identity thieves, IRS, Dec. 5, 2019.)

Recent IRS policies have been somewhat successful in curtailing the filing of false tax returns. Cybercriminals must now have sophisticated knowledge of the tax code and industry filing practices to increase their efforts to file fraudulent business returns. (For an analysis of the individual tax refund scam, see the author’s two feature articles, “Identity theft tax refund fraud: A growing epidemic – Parts 1 and 2,” Fraud Magazine, March/April 2014 and May/June 2014.)

According to the IRS, businesses — like individuals — should be cautious when filing returns. The IRS recommends contacting it if any of the following incidents occur:

  • Extension-to-file requests are rejected because a tax return with the Employer Identification Number (EIN) or Social Security number (SSN) is already on file with the IRS.
  • An e-filed return is rejected because a duplicate EIN or SSN is already on file with the IRS.
  • An unexpected receipt of a tax transcript or IRS notice that doesn’t correspond to anything submitted by the filer.
  • Failure to receive expected and routine correspondence from the IRS because the thief has changed the address.

To help tax professionals prepare business tax returns, the IRS urges them to enhance their trusted customer procedures and use tax preparation software for business returns that require the following information:

  • The name and SSN of the company executive authorized to sign the corporate tax return, including Form 1065. Is this person authorized to sign the return?
  • Payment history — were estimated tax payments made?
  • Total income amount from prior year filings.
  • Parent company information — is there a parent company? If yes, what’s the name?
  • Additional information based on deductions claimed.
  • Filing history.

For more information to help protect taxpayers from identity theft and refund fraud, see IRS.gov/SecuritySummit.

IRS phishing tax schemes

It’s still important to discuss how identity thieves gain important information to file fraudulent tax returns for individuals and businesses. Although a cybercriminal might impersonate the IRS by sending a letter or telephoning, the most common method is still through email phishing schemes — a constant, year-round problem — directed to PCs, tablets, smartphones and other electronic devices. More than 90% of all data thefts begin with email phishing scams, according to the IRS.

However, cybercriminals are increasingly using social media. “Thieves are embedding their links or malware in social media commentaries, tweets or posts,” according to the IRS. “Don’t open links from social media unless you’re certain of the source.” (See National Tax Security Awareness Week, Day 2: Don’t take the bait: Recognize, avoid phishing scams from identity thieves, IRS, Dec. 2019.)

The IRS provides this advice:

  • The most common way thieves steal identities is simply by asking for them. Phishing emails bait users into opening them by posing as trusted companies, such as banks, favorite retailers or even tax professionals.
  • Don’t take the bait. The scams tell urgent stories, such as problems with receivers’ accounts or merchandise orders. The messages then instruct receivers to open embedded links or download attachments.
  • The email links might send users to familiar-looking websites to log in, but the usernames and passwords travel straight to the thieves. Or scams suggest users open attachments, which secretly download malicious software.
  • Send IRS-imposter email scams to phishing@irs.gov. To report fraudulent letters and telephone calls, contact the Treasury Inspector General for Tax Administration at TIGTA.gov.

Please share this information with your family, friends and clients and include it in your outreach programs. Individuals at home or at work must constantly educate themselves about the risks associated with phishing schemes as they continue to get more sophisticated and harder to detect.

Please contact me if you have any identity theft issues you’d like me to research and possibly include in future columns, or if you have any questions related to this column or any other identity theft questions. I don’t have all the answers, but I’ll do my best. Stay tuned!

Robert E. Holtfreter, Ph.D., CFE, is distinguished professor of accounting and research at Central Washington University. He’s also on the ACFE’s Advisory Council and the Editorial Advisory Committee. Holtfreter received the Hubbard Award for the best Fraud Magazine feature article in 2016. Contact him at doctorh007@gmail.com.

 
