“Email compromise is the most common method we’ve seen fraudsters use to target our clients,” says Sean Hegarty, J.P. Morgan’s Head of Fraud Management for the Asset Management team. “Fraud can also occur via texts, social media or phone calls that urge someone to download malware or provide confidential information.”
Email compromise and tax data security
Email compromise occurs when an online fraudster hacks into someone’s email account (often because of an easily hacked password) to collect information and build an in-depth profile about him or her. Cybercriminals steal any tax-related information they can find and use it to file fraudulent tax returns—in order to collect your refund—or apply for financial products in your name.
“Fraudsters use the information they steal to socially engineer the victim,” Mr. Hegarty says. “The person may act on the fraudster’s instructions without realizing — until it is too late.”
Fortunately, you have three key ways to protect your tax information and other critical data:
- Create strong, unique passwords for all online accounts, particularly for financial and tax-preparation websites, and if you file your taxes online, always confirm that you are using a secure connection (i.e., hyperlinks that start with “https://”).
- Set up multi-factor authentication whenever possible, especially on banking sites and email. Multi-factor authentication means using more than one method to verify your identity—your user ID and password plus something you have (e.g., a security code texted to you) and something you are (e.g., a fingerprint or iris scan).
- Make sure any tax-preparation services you use have robust cybersecurity protocols in place to keep your data safe.
How to recognize “social engineering”
When fraudsters abuse a person’s natural willingness to be helpful and trust others, that’s called “social engineering.” It can take numerous forms, but its goal is to trick you into giving away personal or financial information that can be used to impersonate you and to manipulate you into revealing more.
“A fraudster will pose as someone trustworthy—such as an IRS or bank representative—and request your personal data in order to gain access to your accounts,” Mr. Hegarty says. “That personal data can also be used to trick you into revealing more, until fraudsters have stolen your identity and file taxes under your name, collecting your refund.”
Keep in mind that most tax authorities will contact you via mail and not by phone or email.
A specific kind of social engineering, called “phishing,” uses fake emails to trick a person into giving up personal information through links, malware or viruses. For example, a fraudster posing as a representative from a company you know emails you to ask for personal or financial information to help “resolve” a fake tax matter and supplies a link (to a fake site) that you can use to fix the problem.
Key tactics for protecting against fraud
“Never forget that everyone is a target of fraud,” Mr. Hegarty says. “If something just doesn’t seem right, trust your instincts and check it.”
Some key indicators of fraud that people often overlook are:
- Unfamiliar activity in credit, debit or bank accounts, including receiving credit cards you have not signed up for or seeing a drastic change in your credit score.
- Missing or delayed mail, which might indicate your mail is being stolen or redirected.
- Unusual tax returns with the wrong information; fraudsters have filed taxes on a victim’s behalf and then collected his or her tax refund.
- Financial matters directed to your child, including bills in your child’s name and tax notifications about his or her “unpaid taxes.”
What to do if you get hacked
If you are in the U.S. and you think your personal data is compromised, take these five steps as quickly as possible:
- Call all the major credit agencies to establish a fraud alert and a credit freeze, if necessary, and to request a copy of your credit report.
- Call the companies where you believe any fraud occurred and alert any financial institutions with whom you do business, including J.P. Morgan (a J.P. Morgan representative can help guide you through appropriate safeguarding measures).
- Use an uncompromised device to change the logins, passwords and PINs for all your accounts.
- Report the theft to the Social Security Administration and the Internal Revenue Service.
- File an identity theft affidavit with the Federal Trade Commission (FTC) and file a police report with your local police department.
Outside of the U.S., look for direction from your government or local organizations and follow their guidelines for protecting your identity and reporting the theft.
“At JPMorgan Chase & Co., cybersecurity is a priority across the firm, but vigilance is a shared responsibility,” Mr. Hegarty says. “We have a robust set of cybersecurity educational materials and client programs, but you must take continual preventative physical and cyber measures to protect yourself.”
This information is provided for educational and informational purposes only and is not intended, nor should it be relied upon, to address every aspect of the subject discussed herein. The information provided in this document is intended to help clients protect themselves from cyber fraud. It does not provide a comprehensive listing of all types of cyber fraud activities and it does not identify all types of cybersecurity best practices. You, your company or organization is responsible for determining how to best protect itself against cyber fraud activities and for selecting the cybersecurity best practices that are most appropriate to your needs. Any reproduction, retransmission, dissemination or other unauthorized use of this document or the information contained herein by any person or entity is strictly prohibited.