Skip to content ↓ | Skip to navigation ↓

These days, consumers are constantly being pushed to move away from paper correspondence and communication to an electronic alternative. Every time I sign into my bank account, I’m reminded of my option to forego the physical receipt of my monthly statement and go paperless.

While the benefits of going paperless are clear to both businesses and consumers, should we stop to consider whether the security of this option has kept up with our rapid adoption of it?

The Security Concerns Surrounding e-Filing

Tax season is upon us, and with it has come an endless number of e-filing vendors that are vying for our attention as they taut their quick and painless process of filing taxes online.

Even with the promised ease with which we can file our taxes online, we still dread the process of spending hours gathering necessary documents only to end up parting ways with our hard-earned cash. And those who forego the simple tax return and opt for an itemized return will be spending even more time.

But as I type this, cybercriminal miscreants are salivating at the treasure trove of sensitive and highly valuable data that will be uploaded to these e-filing cloud services.

Cyber security research backs this up – in early February, the Online Trust Alliance (OTA) completed an audit of the 13 e-filing vendors that received the approval of the IRS in a contractual agreement. The results were not pretty.

This year, over 120 million tax returns will be filed electronically based on IRS predictions. What awaits them is a gauntlet thrown out by cybercriminals for which the vast majority of tax filers are unprepared for.

Cybercriminals have become evermore creative and sophisticated in scamming tax filers. Though identity theft is the most obvious type of cybercrime consumers may face, it’s hardly the only the one. According to the OTA, between January 2015 and November 2015, the IRS blocked $8 billion in fraudulent individual tax returns. One suspects this is just the tip of the iceberg.

Bogus and fraudulent tax e-filing sites that use off-shore accounts to steal personally identifiable information while redirecting the funds to a different bank account owned by the cybercriminals are on the rise. Indeed, the OTA discovered more than 400 fraudulent tax-related web domains that were registered just last year alone.

While the unsuspecting filer receives confirmation from IRS that the tax return was received, the thieves work on the backend to change the bank account and routing number before submission to the IRS, so that the funds never make it to its rightful owner. In most cases, the IRS has no means of detecting this type of fraud – the cruelest part being that often times senior citizens are the target of cyber criminals.

Phishing emails also tend to rise in frequency during this time of the year. While they are always a reliable source of data breaches, phishing attacks have hit an all-time high this tax season; once again, the primary targets are senior citizens.

One of the most troubling findings of the report is how vulnerable the IRS is to cyber attacks. According to the Wall Street Journal, at the beginning of 2016, IRS reported that it had noticed attempts to obtain e-filing PIN numbers associated with some 464,000 unique Social Security Numbers. Of those, 101,000 attempts were successful.

In 2015, 300,000 taxpayers had their tax returns stolen, along with all the personal information that was included in those returns.

As consumer-facing cloud services, the 13 IRS-approved e-filing vendors lagged far behind in security when compared to business-to-business cloud services. The most popular enterprise cloud service is Office 365. (The security capabilities Microsoft has built into it is miles ahead of the typical consumer-facing cloud service.)

The accepted email authentication systems of today include Sender Policy Framework (SPF) and Domain Keys Identified Mail (DKIM), which allow a recipient to authenticate the sender. Transport Layer Security (TLS), available in Office 365, encrypts emails in transit between mail servers to prevent unauthorized individuals from reading the emails.

Unfortunately, four out of the 13 e-filing sites didn’t have any email authentication protocols, leaving the door open for cybercriminals to spoof the email domain and launch a phishing attack.

When it came to encrypting web sessions, only 54 percent of the websites were employing “Always On SSL,” which starts with the site-wide use of HTTPS but also entails setting the secure flag for all session cookies to prevent their contents from being sent over unencrypted HTTP connections.

Below are some tips to keep you safe during this tax filing season:

  1. The IRS (or any other reputable organization for that matter) will never call you, email you, or send you text messages asking for personal information. If you do get such requests, assume it’s a cybercriminal looking to steal your information.
  2. Never share your Social Security number without asking why it’s needed. When in doubt, be skeptical.
  3. When you’re finished e-filing, log out of the service and close your browser window.
  4. Do not, under any circumstance, do your taxes while connected to a public or open Wi-Fi network.
  5. Only use an e-file vendor that uses Extended Validation SSL Certification. An easy way to tell this is by looking for the the green highlight near the box where the URL is inputted.
  6. If you’re using the same vendor that you used last year, make sure you change your password to the service this time around. Use a strong password that doesn’t use any words found in the dictionary, and if the vendor provides it, turn on multi-factor authentication.


Sekhar SarukkaiAbout the Author: Sekhar Sarukkai is a Co-Founder and the Chief Scientist at Skyhigh Networks, driving future innovations and technologies in cloud security. He brings more than 20 years of experience in enterprise networking, security, and cloud service development.

Editor’s Note: The opinions expressed in this guest author article are solely those of the contributor, and do not necessarily reflect those of Tripwire, Inc.

Title image courtesy of ShutterStock