How to Keep Your Tax Returns Safe from Hackers
More than 27 million taxpayers already have filed their taxes for 2013 from home computers, a process known as e-filing. As of this week, that's up 6 percent from 2012.
But the convenience of electronic filing also allows cybercriminals to file fraudulent tax returns--undetected--to the tune of $3.6 billion for tax year 2011, according to the most recent review by the Treasury Inspector General for Tax Administration.
Here's how to protect yourself when electronically filing taxes, according tocybersecurity experts CNBC interviewed.
Is that email really from the IRS?
A key strategy for fraudsters is to contact individuals via email, and to pretend to be the Internal Revenue Service, said Roel Schouwenberg, principal security researcher at Kaspersky Lab, which provides Internet security products and services. This is known as phishing. Unsuspecting users then click on links that allow malware to be downloaded on to computers.
Mustafa Rassiwala, a cybersecurity expert, said the suspicious emails can appear like legitimate requests for information.
" 'We have some problems with your account and I need to get access to your Social Security number, and your address' ... a lot of consumers unknowingly hand over this information," said Rassiwala, senior director of product management at cybersecurity company ThreatMetrix, which specializes is user authentication.
To clarify, the IRS will never send you any electronic communication, including emails and text messages, which ask for personal information. The IRS also advises if you get a suspicious email, you should not reply, click on links or open attachments. Instead, report suspicious emails to the IRS by forwarding them to firstname.lastname@example.org.
Protect your personal information
Beyond diving into suspicious-looking emails, there are additional steps you can take to protect personal information and prevent fraud.
For example, taxpayers should use a different password for tax filing than passwords to access other online accounts, Rassiwala said.
Don't file your taxes at public places including Starbucks. While many cafes offer free Wi-Fi, the connection could be intercepted by cybercriminals, according to Rassiwala. Instead, only file taxes from your home network, said Kaspersky Lab's Schouwenberg.
Also beware of social networking sites, where cybercriminals also lurk. "Now it's all about cybercriminals sitting in the comforts of their home and collecting this information that's freely available on social media sites," Rassiwala said. For example, if a cybercriminal sees children in your profile picture, they know to file for dependents if they're purporting to be you.
Watch out for cyberbreaches
Fraudulent e-filing is part of a broader problem of identity theft, which is growing. According to the Identity Theft Resource Center, more than 624 million records of personal information have been stolen since it began keeping track in 2005. This includes recent, high-profile breaches at Target, Sony and Living Social, an online deal site. Cybercriminals collect personal information--Social Security numbers, addresses and dates of birth--to file fraudulent tax returns.
Compounding the problem of data breaches, the IRS may have trouble authenticating users, Rassiwala said.
But in an email to CNBC, the IRS said processing improvements have been implemented for the current filing season.
The silver lining
E-filing taxes isn't all bad news. Unlike traditional paper filing, cyberthieves can leave behind digital clues for investigators when filing online. Digital records, for example, can telegraph Internet Protocol, or IP, addresses associated with computers and other devices.
Said Rassiwala, "If you have a user who is filing with the home address supposedly based in Florida and your IP address is coming from somewhere outside the United States, especially from countries that have been known to have fraudulent activities in the past, that should raise a red flag."
If you believe you are the victim of identity theft contact the IRS Identity Protection Specialized Unit at 800-908-4490, extension 245.