An article in the Wall Street Journal – in the height of tax season – announced that TurboTax was temporarily suspending transmission of state e-filed tax returns in response to a surge in complaints from consumers who logged into their TurboTax accounts only to find thieves had already claimed a refund in their name. That news comes as the most recent of a long trend of cyber threats including cyberattacks against Home Depot, JP Morgan Chase and Anthem, Inc. Fraudulent return filings stealing millions of dollars of taxpayer refunds are on the rise. The IRS estimated that it paid $5.2 billion in fraudulent ID- theft-related refunds in 2013 and they’re expecting that number to significantly increase in 2014.
The TurboTax problem, due to cyber thieves, brings to light a key security issue – end users (individual people) are getting hacked from their home computers. We speculate that thieves did not break into TurboTax and steal identities, there was no breach of their security that they could detect. Instead, thieves are stealing your logon information directly from your home and office computers. How? Often through malware/spyware that loads onto your machine through virus-infected e-mails in your inbox or by visiting infected/compromised websites. Rootkits (a type of virus) is a collection of tools (programs) that may consist of spyware and other programs that secretly monitor your network traffic and record keystrokes as you use your computer and send the information back to the hacker who gathers this information and sometimes uses or sells it on the dark web to criminals. Another way cyber criminals gain access to your information is through their ability to hack into your e-mail account. Most people have easy to remember passwords that are also easy to crack which hackers use a tactic called social engineering. A cyber thief cracks your e-mail password, logs in as you, can easily search through your e- mail and gather all sorts of financial information about you (how many of us get our monthly bank and quarterly investment information e-mailed to us instead of paper-mailed?). They then access those financial sites and use the “reset logon” or “reset password” features most sites permit, wait for the “reset” e-mail to hit your e-mail account and change the logon information. Some of the more secure sites have implemented security questions as an extra level of security which can prevent hacking.
There’s definitely a trend for thieves to get into your computer and gather enough information about you to file a fake tax return. At Wiss we’ve had a handful of clients experience this. Our firm has very sophisticated, multi-level security in place to protect our clients’ data, but thieves had stolen enough information from clients’ home computer to fill out a fake return and get some sort of refund delivered to an account that was then closed. We became aware of it when we went to file the actual return and the taxing authority rejected it because one had already been filed for that taxpayer’s social security information. Working with the taxing authority to register the theft, file the correct return and secure the refund for the client is an arduous task that can take many months and requires a ton of paperwork and proof of identity by the taxing authority.
So what can you do to protect yourself? Here are some basic things you can do:
1. Install and maintain a quality anti-virus software which will check for viruses on your home and/or office computer on a regular basis which also checks for viruses on incoming email. Just as important as installing anti-virus software is to update it regularly. As new versions are released upgrades should be installed. Cyber thieves and hackers are fast and adaptable. New
viruses are discovered hourly so it’s very important to make sure your anti-virus software updates on an automatic schedule which should be set to an hourly basis.
2. Firewalls either on your network and/or computer must be enabled, configured properly, and updated. Firewalls can keep the bad guys out and your data safe.
3. Never open unknown or suspicious e-mail. Know your senders and know what you subscribe to. Social engineering and phishing tactics are used to infiltrate your computer, meaning they enter your computer when you open the e-mail containing the virus. For example, an email from a frequent contact may appear to be from them but the email address behind the person’s name is from a cyber-thief. Viruses can do things like track keystrokes and send the information back to the cyber thief who can then access any accounts you’ve visited on your computer.
4. Obtain your software from reputable sources – downloading programs you’ve purchased from shady sources or freeware sites are most likely infected. Be sure to keep your system and programs up to date as security patches are released periodically. Internet browsers have security features in them such as popup blockers, smart screen filters, ActiveX filtering and security features that should be enabled and configured properly.
5. Hackers often leave infected USB drives unattended for you to pick up in the hopes that you plug it into your computer so they can gain access. Most virus scan software will scan media as it is introduced to your computer. As a best practice you should always scan all media before introducing to your computer and network.
6. Don’t keep sensitive financial passwords, logons and other information in your online mail or transmit this information electronically. I can’t tell you how many clients we see who store their social security number, logons with passwords for financial institutions and other data as a “contact or email from themselves” in their mailbox or keep scans of social security cards stored in their online photo album or on their computer desktop or “C” drive. This is prime fodder for cyber thieves who have applications to scan and pick up this information quickly and easily.
7. Thieves are also highly-adept at figuring out passwords and utilize complex password cracking programs so you need to keep a step ahead of them by making your password impenetrable:
a. The longer the password, the tougher it is to crack so try to use 10 or 12 character passwords that mix letters and numbers. Best way to do a password: pick a sentence or phrase you can easily remember and then use the first letters/numbers of each word, alternating capitals and lowercase and adding a special character somewhere. For example, take the phrase: “Jack and Jill went up a hill” which can be typed as, J@cknJiL!w3nt^Ahi!! . That’s a tough password to crack.
b. Be unpredictable – don’t use birthdays, your name, common words, SSN, etc. in any partof the password.
c. Do not use the same password for multiple accounts.
d. Do not text message, email passwords or store passwords electronically.
e. Change your password regularly (make it a practice to change them quarterly)
f. Do not use sticky notes on your monitor or desk with logon information. This is extremely dangerous.
g. Never give your passwords to anyone.
In addition to taking these basic steps to protect yourself online, it’s also a very wise idea to get your tax preparer your tax information as quickly as possible in the start of the year. The faster we can prepare your return and file it, the less chance a thief has to file a fake one and steal your return. Plan on getting your information to us as soon as you possibly can.
Questions on security? Send me a note at [email protected]