[Update] – With the multi-round Coronavirus stimulus relief payments being paid out based on past year(s) tax return data (or SSI payment data), there has been a spike in emails, text and telephone scams where criminals are purporting to be from the IRS or Treasury asking for you to provide SSN and payment (bank) details. This is to enable them to get this information to intercept your payments or as a way to get this information to enable even broader financial data scams.
Those who are desperate for this payment, or haven’t filed a return of late or have had banking or filing details change over the last 2 years are especially susceptible to this scam.
So please be aware of this and never hand out personal or payment information unless a trusted source. And if in doubt double check authenticy before providing this information. And to reiterate, government agencies will never ask you to confirm your personal or banking details by email, phone or text message, or demand a “processing fee” to obtain or expedite your stimulus payment.
Social Engineering is when attackers manipulate people into giving confidential information. An attacker using social engineering is trying to get information such as bank account information, social security number, usernames or passwords. This method is used because it is easier to exploit a person’s natural inclination to trust than to hack their password.
Three common types of social engineering are Phishing, Vishing, and SMishing. Be suspicious of emails or individuals asking for credentials, as well as emails or links, asking you to take action immediately. Phishing emails make you feel like if you do not take action you will lose something of value or it will adversely affect you. If someone with privileged access were to fall for a phishing email and the link was clicked and/or credentials were provided, it has now exposed Workday to an attacker who once in Workday will do whatever they can to cause damage whether reputationally or monetarily.
Pishing also does not just occur via email. Often people will use voice phishing also known as vishing over the phone to obtain information. Someone may try to vish you over the phone to gain access to sensitive or confidential data. Where feasible, please find a reasonable method to verify the person you are talking to. With the high usage of cell phones in today’s world, Smishing is on the rise. This uses a text message or SMS to your cell phone with a link and little additional information. Once you put your finger on the link to open it up, it could begin compromising your phone and your accounts attached to your phone without you even knowing.
I recently received an email from the IRS as shown in the screen shot below. Do you think it looks real? I did and for a minute I was about to do as it instructed – provide my social security and bank account details. Then I thought why would the IRS be asking me to do this if I had already provided it in my tax return. Luckily I took the time to check the real IRS website, and found that this “phishing” email is part of a far reaching identity theft scam to get your personal financial information.
An e-mail claiming to come from the IRS about the “Economic Stimulus Refund” tells recipients to click on a link to fill out a form, apparently for direct deposit of the payment into their bank account. This appears to be an identity theft scheme to obtain recipients’ personal and financial information so the scammers can clean out their victims’ financial accounts. In reality, taxpayers do not have to fill out a separate form to get a stimulus payment or have it directly deposited; all they had to do was file a tax return and provide direct deposit information on the return.
I receive a number of scam and identity theft type emails every month but most of them are pretty obvious and automatically end up in my junk email. This one came directly to my in box, looked quite genuine and the timing is also very good. It plays to the basic human emotion of greed and a way to get the stimulus money sooner for a lot of families eagerly awaiting these funds. Unfortunately, I think a number of people are going to get caught out by this hoax.
People whose identities have been stolen through scams like this can spend months or years — and their hard-earned money — cleaning up the mess thieves have made of their reputations and credit records. In the meantime, victims may lose job opportunities, may be refused loans, education, housing or cars, or even get arrested for crimes they didn’t commit.
My rule is to always be wary of emails or phone calls that ask for personal and/or financial information. If in doubt check with the real provider. Never give out identifying information to sources you don’t trust and check your credit history regularly.