Fraudsters fleecing with child tax credits and QR scams

Helen, a computer technician at a security company, thought she knew most everything about fraudster scams. But she tripped up when she received a text message supposedly from the U.S. IRS telling her to go to a website to learn more about the child tax credit program. She and her partner had three children, so she entered personally identifiable information (PII) on the site’s forms. However, the website was fake, and scammers used her PII to clean out her bank account.

This case is fictional, but with the first release of the U.S. child tax credit payments in July 2021, fraudsters began contacting parents via phone calls, emails and texts to guide them to bogus websites to steal their identities.

Since then, talks have stalled over the Build Back Better social spending bill that would’ve extended monthly child tax credits. But as of January, hopes remained that President Joe Biden could still push through a slimmed-down version of the legislation that would include payments to families. Failing that, families can still file for the tax credit, albeit a less generous one. (See “Child tax credit: Here’s what to know for 2022,” by Sarah Foster, Bankrate, Dec. 24, 2021; “How the White House hopes to save Biden’s Build Back Better bill,” by Andrea Shalal and Jarrett Renshaw, Reuters, Jan. 18, 2022; and “Child Tax Credit 2022: Could you receive a double monthly payment in February?” Marca English, Jan. 19, 2022.)

The U.S. Federal Trade Commission (FTC) and the IRS are providing the following advice. (See “Child Tax Credit scammers are still reaching out,” by Emily Wu, FTC, Nov. 5, 2021.)

• The IRS (and other government agencies) will never text, email or contact you on social media asking for your PII. But scammers will.
• The IRS doesn’t use robocalls and won’t call about something urgent or threatening. The IRS also won’t call to ask taxpayers to give or verify financial information to get your child tax credit payments. Anyone who does is a scammer.
• The IRS will never ask for a payment by gift card, wire transfer or cryptocurrency. The IRS and other government agencies also won’t ask you to pay to get financial help.
• Check your eligibility for the tax credit if you hadn’t received any advance payments in 2021 and sign up by following the IRS instructions. (See “Advance Child Tax Credit Payments in 2021.”)
• The IRS used information from filed tax returns to automatically sign people up for the child tax credit. If you aren’t getting payments automatically, it might be because you didn’t file a tax return for 2019 or 2020. You’ll need to sign up for these payments if you didn’t file. (See “Child Tax Credit for Non-Filers,” The White House.)
• If you have questions, start at IRS.gov to get answers. If someone contacts you about the child tax credit and says they’re from the IRS, report it to the IRS and ReportFraud.ftc.gov. If you think a scammer has any of your PII, visit IdentityTheft.gov to get a recovery plan.

Emergency broadband benefit program scam

The U.S. federal government, during the pandemic, began the temporary emergency broadband benefit program, which offers to low-income families a onetime discount to help them buy a laptop, desktop computer or tablet, and monthly discounts for internet service.

Fraudsters, of course, are impersonating the Federal Communications Commission (FCC) and other agencies in social media ads that offer to “help” you sign up for a program that will give you a “free” device and internet service in exchange for money or PII. (See “Spot the pandemic scam: emergency broadband program impersonators,” by Carly Johnson, FTC, Oct. 8, 2021.)

The FTC offers advice:

• Only apply through the FCC and its listed providers. The only way to sign up for the emergency broadband benefits program is at GetEmergencyBroadband.org. Check on the site for approved providers. Never pay to sign up to get benefits for this free program.
• Don’t give your PII to anybody who calls, texts or emails, and says they’re with the FCC. Call the Emergency Broadband Support Center at 1-833-511-0311 to check.
• Did you pay a scammer? Act quickly to try to get your money back. If you think someone has gotten into your accounts or has stolen your PII, visit IdentityTheft.gov and report it to the FTC at ReportFraud.ftc.gov.

Economic impact payment scam

U.S. citizens are receiving fake IRS emails that say they can receive a third economic impact payment (EIP) if they click on a link that allows them to “access the form for your additional information” and “get help” with their applications. Fraudsters, of course, can then steal money and PII to commit identity theft. (See “Scammers are sending fake IRS emails about Economic Impact Payments,” by Cristina Miranda, FTC, Oct. 27, 2021.)

The FTC offers more advice:

• Again, the government will never call, text, email or contact citizens on social media saying they owe money or to offer help getting a third EIP. Don’t click on links. Visit the IRS website for trustworthy information on EIP payments.
• Say no to anyone who claims to be from a government agency and asking for PII, or payment in cash, gift cards, wire transfers or cryptocurrency.
• Report government impersonators to ReportFraud.ftc.gov. Reports help them to investigate, bring law enforcement cases and alert citizens about frauds. Also visit FTC.gov/imposters to find out more about government impersonators. And check out FTC.gov/scams.

Fake QR scam

Quick Response codes or QR codes are commonly used by businesses to get individuals to visit their websites to conduct business (e.g., to make payments or download apps.) But the FBI warns that cybercriminals are tampering with QR codes in an effort to redirect victims to malicious websites. (See “Cybercriminals Tampering with QR Codes to Steal Victim Funds,” FBI, Jan. 18, 2022, and “Before you scan that QR code, the FBI has a warning for you,” by Travis Pittman, WFAA 8, ABC, Jan. 19, 2022.)

When an unsuspicious victim scans what they believe is a legitimate QR code, it directs them to a malicious site where they’re prompted to enter financial information. This gives the fraudster the ability to steal funds from bank accounts etc.

The FBI also said that cybercriminals can use fake QR codes to install malware into phones. This ploy gives them access to any information stored on the phone, including important financial information, such as bank transfer numbers. If this happens, victims may not be able to recover confiscated funds.

The FBI offers these tips:

• Don’t assume QR codes sent to you electronically are safe. Confirm legitimacy by directly contacting whomever you believe sent it to you via trusted phone numbers or email addresses. Check business or organization sites to obtain actual phone numbers.
• Don’t download a QR code scanner app because it could be malicious. Most phones already have scanners on them.
• Don’t download an app from a QR code. Go to the app store and look it up.
• If you scan a QR code, make sure it takes you to the address of the site you intended to go to and that it looks authentic. Hackers may use a URL that looks legitimate but may have a typo or misplaced letter.
• If you’re scanning a physical QR code, such as one on a flyer or poster, be sure it hasn’t been manipulated, such as with a sticker placed on top of the real code.
• Be cautious before inputting personal or financial information, no matter where you go online. And don’t make payments to a site you accessed via a QR code. Manually enter a trusted URL instead.

Here to help

Please use information about these scams in your outreach programs and among your family members, friends and co-workers.

As part of my outreach program, please contact me if you have any questions on identity theft or cyber-related issues that you need help with or if you’d like me to research a scam and possibly include details in future columns or as feature articles.

I don’t have all the answers, but I’ll do my best to help. I might not get back to you immediately, but I’ll reply. Stay tuned!

Robert E. Holtfreter, Ph.D., CFE, is a distinguished professor of accounting and research at a university in the U.S. Northwest. He’s also on the ACFE’s Advisory Council and the Editorial Advisory Committee. Holtfreter was the recipient of the Hubbard Award for the best Fraud Magazine feature article in 2016. Contact him at doctorh007@gmail.com.