The IRS hack: Beware of follow-up scams
The drill should be familiar by now: A company or government agency -- like the IRS -- announces it's been hacked.
Next thing you know, scamsters strike again. This time, they pretend to be the breached entity offering to help people clean up the mess, while in reality they're stealing more personal information.
Here's what you need to know: The IRS will not call or email you if you're among the 200,000 people whose information has been compromised. You'll get a letter from the agency instead.
The IRS said Tuesday that thieves knew enough personal information, such as Social Security numbers and the answers to security questions, to get online access to tax information for more than 100,000 people. In another 100,000 cases, the thieves were unsuccessful in accessing data from an IRS service called "Get Transcript."
The criminals "gained sufficient information from an outside source" to crack a multistep verification process that requires knowing Social Security numbers, birth dates, tax-filing status and street address, the IRS said in a statement. The thieves also had to know "several personal identity verification questions that typically are only known by the taxpayer" to gain access to tax return information.
In reality, the answers to such questions -- previous addresses, phone numbers or the amount of a mortgage -- are widely available on the black market, just like Social Security numbers. Security experts have known for years that the authentication questions financial institutions and the government commonly use are flawed.
"Anyone that's in this business knows that the criminals are getting in, and the good guys are being kept out," said security expert Avivah Litan, an analyst with Gartner Research. "Ten to 15 percent of legitimate customers fail (the security questions) ... that's a lot of friction in the system."
The thieves initially used the tax information to steal tax refunds, but they can go on to get loans and impersonate the victims in other transactions, Litan said.
Aaron Blau, a certified public accountant and enrolled agent in Tempe, Arizona, said he suspects the thieves will use the IRS information to bolster their attempts to impersonate IRS officers who call and threaten jail or lawsuits to people who don't send them money.
"That's already pretty rampant," Blau said. "Now they're going to have additional information, like the actual balance owed."
Other bad guys likely will try to get in on the action by impersonating the IRS through phone calls or emails. After the Anthem (ANTM) health insurance breach exposed personal information of 80 million customers, scam artists sent out emails offering credit monitoring that actually were attempts to steal Social Security numbers and other private information.
"For sure, they'll take advantage of this," Litan said.
The taxpayers whose returns were compromised will be offered free credit monitoring. If the thieves attempted to access a return but failed, the affected taxpayers won't be offered credit monitoring but will be notified of the attempted hack so that they know someone has gained access to their Social Security number and other sensitive information.
It's important to understand that the thieves had these Social Security numbers and other personal information before the hacks -- they didn't get it from the IRS, Blau said.
The affected people need to know their information is being sold on the black market so they can take steps to protect themselves, such as putting fraud alerts or security freezes on their credit reports, monitoring bank and credit accounts, and responding immediately to any legitimate IRS notice (which, again, will be mailed, not emailed or relayed in a phone call).
Said Litan: "You'll have to be really, really vigilant."