Taxed Not Hacked: Preparing for the Risks this Tax Season


The U.S. tax filing deadline this year is April 18, which is roughly 3 more weeks of open season for hackers looking to scam taxpayers. We have been warned of tax scams in the past, but the pandemic has forced consumers and businesses to reconsider how they file their taxes due to rising cybersecurity concerns. In 2022, the IRS reported that approximately 155 million tax returns were filed online. While online filing options have been available for years, mobile applications are making it easier than ever for taxpayers to file their returns, often in a matter of minutes.

With mobile apps, users can snap a picture of their W-2s and go through prompts to confirm income and personal information, review their deductions, and file directly from their phone or tablet. In the days leading up to the April 18th deadline, malicious actors will attempt to exploit two things: the tremendous amount of sensitive data shared online during tax season (tax ID numbers, employee records, social security numbers, banking information, etc.) and the increase in tax filing via mobile apps, which has opened up many new potential vulnerabilities.

Are You Using the Same Tax Filing App That You Used Last Year?

There are several ways that malicious actors leverage app security flaws to intercept data or redirect information and payments. In recent years, fake mobile applications have become a prime threat vector for financial fraud and identity theft. A common tactic that malicious actors employ is to download legitimate applications and then reverse engineer the source code. That code is then used to create fake versions of the application that look identical to the original but contain malicious code that can bypass security controls, steal information, and spy on mobile device activity. The fake apps are then promoted or advertised on websites, blogs, and social media for taxpayers to download from third-party app stores. More often than not, they are not available through legitimate device-centric app stores.

Beware of IRS Smishing Scams

“Smishing” is another commonly used technique cybercriminals rely on during tax season to trick users into clicking a link sent via text message. These texts may include messages stating you must call the IRS or that there is an issue with your tax return. When you click on a link in a fraudulent text, you might be redirected to a page that imitates the IRS login page asking you to create an account. Additionally, fake links can download harmful code or redirect users to fraudulent tax filing applications. These are attempts to gather sensitive personal information from taxpayers, such as social security numbers, email addresses, passwords, phone numbers, or payment information.

It is important to note that the IRS will never initiate contact with taxpayers through email, text messages, or social media channels to request personal or financial information.
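As an added illustration (not part of the original post and not Zimperium code), the following Python example shows how a filter or triage script can flag links in a text message that borrow the IRS name without actually pointing to an IRS host. It assumes that only irs.gov and its subdomains are official; the sample message and the .example hosts are constructed.

```python
import re
from urllib.parse import urlsplit

# Assumption for this example: only irs.gov and its subdomains are official.
OFFICIAL_DOMAIN = "irs.gov"
URL_RE = re.compile(r"https?://[^\s<>\"']+", re.IGNORECASE)

# Constructed sample text; the .example hosts are reserved and not real sites.
SAMPLE_SMS = (
    "IRS notice: there is an issue with your tax return. Verify at "
    "https://irs.gov.tax-refund.example/login or "
    "https://irs.gov@refund-portal.example/id "
    "Official site: https://www.irs.gov/refunds."
)

def check_link(url):
    """Return (verdict, reason) for one URL found in a text message."""
    try:
        parts = urlsplit(url)
        host = (parts.hostname or "").rstrip(".").lower()
    except ValueError:
        return "suspicious", "malformed URL"
    if not host:
        return "suspicious", "no host"
    # "https://irs.gov@other.example/" really goes to other.example.
    if "@" in parts.netloc:
        return "suspicious", "userinfo before the host hides the destination"
    # Punycode or non-ASCII labels can render as look-alike characters.
    if host.startswith("xn--") or ".xn--" in host or not host.isascii():
        return "suspicious", "internationalized host, possible look-alike"
    if host == OFFICIAL_DOMAIN or host.endswith("." + OFFICIAL_DOMAIN):
        if parts.scheme.lower() != "https":
            return "suspicious", "official host but not HTTPS"
        # Only says where the link points, not who sent the message.
        return "official-domain", host
    # The IRS name appears as a label, but the real domain is something else.
    if "irs" in re.split(r"[.\-]", host) or OFFICIAL_DOMAIN in host:
        return "suspicious", "IRS name used on non-IRS host " + host
    return "unrelated", host

def scan_message(text):
    """Extract every http(s) URL from text and classify each one."""
    results = []
    for raw in URL_RE.findall(text):
        url = raw.rstrip(".,)")  # drop sentence punctuation stuck to the URL
        verdict, reason = check_link(url)
        results.append((url, verdict, reason))
    return results
```

An "official-domain" verdict only describes the destination host; an unsolicited text asking for personal or financial information remains a red flag regardless of the link it carries.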

Human Resources and Tax Professionals Are Prime Targets

HR departments need to be on high alert during tax season. Soliciting W-2 information from payroll and human resources departments through phishing is a common practice leveraged by cybercriminals. Detecting phishing red flags may be easier on a work computer or laptop than on a mobile device, which has a smaller screen.

Similarly, tax professionals are also frequently targeted by scams. It’s imperative for tax preparers to make securing data a top priority, regardless of whether they’re part of a major accounting firm or the owner of a one-person storefront. Understanding the requirements and penalties for not safeguarding a client’s tax identification number and personally identifiable information (PII) is a great place to start. Securing traditional endpoints such as laptops or computers, networks, and servers can help detect and respond to bad actors trying to gain access to client data.

However, securing mobile devices from device attacks, malicious networks, phishing attempts, and malware found in mobile applications is critical when conducting business with clients. A Mobile Threat Defense (MTD) solution leverages various techniques, such as behavioral analysis, to counter mobile threats, conduct application vetting, and provide ongoing protection against mobile threats.

How Can Zimperium Help

Organizations that need to secure their mobile applications at tax time will find the Zimperium Mobile Application Protection Suite (MAPS) very helpful in a number of ways:

  • zScan: Discover and fix compliance, privacy, and security issues within the development process before you publicly release your apps.
  • zKeyBox: Protect confidential data by securing cryptographic keys with white-box cryptography so they cannot be discovered, extracted, or manipulated.
  • zShield: Harden and protect the app with advanced obfuscation and anti-tampering functionality to protect the source code, intellectual property (IP), and data within the application.
  • zDefend: Enable the mobile application to detect and proactively protect itself by taking actions on the end user’s device, even without network connectivity.

Zimperium Mobile Threat Defense (MTD), formerly zIPS, is the only on-device solution to protect your organization and employees from the top tax scams. Zimperium MTD continuously monitors mobile threats (device compromises, network attacks, malicious apps, and phishing) and performs in-depth scanning of mobile apps for privacy and security risks. By leveraging contextual intelligence and on-device controls, security teams can gain insight into never-before-seen threats and telemetry.

Ensuring Resident Safety with Zimperium

Large cities like Los Angeles, New York City, and Dallas, as well as the State of Michigan, have teamed up with Zimperium to provide a turnkey mobile application that protects residents from top tax scams. The good news is that taxpayers can take steps to safeguard their devices and data this tax season. Zimperium solutions protect Android and iOS mobile devices against critical threats. These solutions can alert users when their devices are connecting to unsecured Wi-Fi networks, running unsafe apps in Android or iOS, getting exposed to system tampering, and more.

If risky behavior is detected, users will receive recommendations on what actions to take to keep their devices safe. Zimperium solutions never collect personal information from mobile devices; they only gather the threat information needed to protect a user’s phones and tablets from cybercrime like tax scams.

Zimperium has a variety of solutions to protect your mobile tax application, employees, and residents filing their taxes from cybercrime during tax season. For more information on how Zimperium MTD (zIPS) or Zimperium Mobile Application Protection Suite (MAPS) can help, contact us today.
