[music]
Wendy Battles: Welcome to the Bee Cyber Fit Podcast, where we're simplifying cybersecurity for everyone, where we cut through confusing cyberspeak and make cybersecurity simple and easy to digest. I'm one of your hosts, Wendy Battles.
James Tucciarone: And I'm James Tucciarone. Together, we're part of Yale University's Information Security Policy and Awareness Team. Our department works behind the scenes to support Yale's mission of teaching, learning, and scholarly research.
Wendy Battles: Ready to get cyber fit with us?
Hey, everyone. Welcome to another episode of the Bee Cyber Fit Podcast. We are very psyched you're here. If you're a new listener, we are pleased to welcome you. This is the place to come for information and inspiration to stay safe online and outsmart scammers. This podcast is one of the many tools in our toolkit that we use at Yale University to help our faculty, staff, and students to build their cyber muscles.
Whether you're a part of our Yale community or you may have found the podcast in other ways, we love that you're listening. Today, we've got a timely episode for you about tax scams and how you and your loved ones can steer clear of them this tax season. James, is it just me, or is doing taxes one of the things you dislike doing most?
James Tucciarone: Well, Wendy, I'm probably the odd one out because I actually kind of do like doing my taxes. I don't know if it's the math that's involved or just the structure of the process, but as long as I don't owe any money, I typically enjoy it at least a little bit.
Wendy Battles: Wow. Well, I cannot say that. And I typically owe money, which is probably why I'm procrastinating. And I'm guessing I'm not the only one. So, I wait often really close to the due date. But maybe things will be different this year.
James Tucciarone: Wendy, I'm sure you're not alone, and there's actually some compelling cybersecurity reasons why you should file your taxes as early as possible.
Wendy Battles: You are right about that, James. And maybe after our discussion today, it will prompt me to get into the action a little sooner.
James Tucciarone: And hopefully we'll also inspire some of our listeners to do the same with the information that we're sharing today, we're going to be discussing a compelling tax scam that's really eye-opening. We have some of the top scam lines that are often used by cybercriminals. We're also going to be sharing some red flags to be on the lookout for and three simple calls to action to help you avoid these types of scams. And of course, we'll also have our buzzword of the day.
Wendy Battles: Oh, let's find out what that buzzword of the day is.
James Tucciarone: Phishing is typically when cybercriminals send a fraudulent message to a large group and hope the unsuspecting few will take the bait. But did you know there's an even more nefarious tactic called spear phishing? Stay tuned to find out what happens when cybercriminals focus their attention and hone in on individuals and organizations.
Wendy Battles: James, I want to kick off this portion of the podcast by sharing a tax scam story. And in this case, it involves a college student. But of course, any of us could be a victim of a scam like this. Usually, scams involving taxes begin with a phone call to the potential victim. Often, they're claiming that back taxes are owed and that there's a penalty if they don't pay within a certain period of time. Often, it might be something like, we will arrest you if you do not pay these back taxes.
In this story, Jackie, who is a 19-year-old college student, was home for the summer. The phone rang, and the caller reached out. She said it seemed pretty credible, but he actually initially asked to talk to someone named Shelby. Well, she told him he must have the wrong person because her name was, in fact, Jackie. And then the caller said, "Oh, I meant Jackie. I'm actually calling for you, Jackie." And then the caller proceeded to tell Jackie that she owed back taxes, and just as I mentioned, that she was subject to arrest. James, what do you think about that?
James Tucciarone: So, the first thing that stands out for me is probably pretty obvious and that's that the caller called for somebody else.
Wendy Battles: I know, right?
James Tucciarone: Yeah. And why would the IRS be confused about who they're calling?
Wendy Battles: Yeah.
James Tucciarone: Second, the IRS typically initiates contact via standard mail and not via a phone call.
Wendy Battles: So, James, you are absolutely right. Something about that is suspect from the start. Here's what happened next. The caller provides her with addresses for drugstores that are near her home and tells her to purchase gift cards in varying amounts and then provide him with the gift card numbers. And also, at no time was she supposed to hang up or tell anyone what she was doing. That's a very typical ploy. At one point, the cashier asked Jackie if everything was okay because she sensed something was wrong. But convinced of the scammer's power and authority over her, Jackie told the cashier she was just chatting with a friend. So, you can see how the influence of that scammer and that threat can make people do things they might not ordinarily do. Would you agree with that, James?
James Tucciarone: I definitely would agree with that. And I think that there's a couple of really common things that we're seeing here. So, first off, we see that there is the request to buy gift cards. And we know that that is a very common way for these criminals to try to get funds or get money from us. I do love the fact that the store clerk made an inquiry about what was going on. I think that we should have more of that. I mean, it's not typical that somebody's coming into a store buying hundreds or thousands of dollars worth of gift cards. And so, I love that this clerk did check in and it does go in line with what we're going to talk about next, which is the common scripts if you will that bad actors use when they're trying to reach out to victims. This is actually from an article from NerdWallet and it's on spotting and avoiding IRS scams.
One of the lines that really stood out for me was “this is the Bureau of Tax Enforcement and we're putting a lien or levy on your assets.” This is very similar to what happened to Jackie. Somebody reached out and said that she owed back taxes. Maybe they weren't putting a lien or levy on their assets, but still, they were looking for money. And the key with this one is that there is no Bureau of Tax Enforcement. And so, victims will often be contacted from this fake agency claiming that they owe money and that they're going to have some enforcement put against them.
Another one that goes hand in hand with Jackie's story is if you don't call us back, you'll be arrested. And cybercriminals love to use that because just like you were talking about sort of our reactions, our emotions, that fear is going to drive a lot of people to react, I mean, if you're told that you're going to be arrested, you're going to, in most cases be worried. This is also compounded because cybercriminals can make their caller IDs look like the call is coming from somewhere more legitimate. So, they can actually be really tricky.
And then the last one I wanted to share was, click here to see some details about your tax refund, which I'm sure we all want to do. Well, maybe not you, Wendy, if you normally have to owe. But you know if I'm expecting some money back, I want to know what's going on with my tax refund. And I think a lot of people, especially how we always talk about these phishing emails are so complex and so believable, people might very easily believe that this email is actually coming from a legitimate source, and they want to know about their tax refund. So, yeah, I think that there's some common tactics that were displayed in this particular example, and Wendy, I think you're also going to share some red flags with us to keep an eye out for as well.
Wendy Battles: I am. Before I do that, I want to talk a little bit about what you said, James, because I had read an article that said that when scammers call and they want to call back, that about 75% of the people call back and complain or curse them out and say, why are you doing this? But that 20% to 25% of people actually believe it and they call back because they're scared. This tactic they use where they are holding something over you, whether it's arrest or some kind of a levy or a lien on your house, for some people, they hear that and they're fearful. And that's compelling. It's compelling enough for them to comply.
So, there often is this relationship with authority that people may have as a very individual thing, but some people have more of a compliance personality and they hear this person on the other end and they take it really seriously. They think it's a threat. Maybe there are other things that might tell them, "Mm, something suspicious," but in their logical mind, they think they better take action. So, I think that's one thing that we can see going on.
The other thing I'll just mention, which I know we've talked about before in other cases, is this whole gift card thing. If they're asking for you to pay by gift card, no one's going to ever ask you to pay your taxes by gift card. Even if you have back taxes, the IRS does not want you to pay in gift cards. So, that alone should always be a big question mark. I know so often, especially older people are scammed by the gift card thing, just being aware of that for ourselves and also for our families, so a couple of points.
James Tucciarone: And you know Wendy, I'm so glad you brought those up and I just wanted to circle back around to your first point about people calling back these numbers. And we've said it before and I feel like this is a great time to just say it again. Don't use a number from a message that you're not familiar with. Always go to the source and try to look up the number. So, if the "IRS" is asking you to call them back, maybe the best idea is to actually look up the official IRS number or the number for the department that you're looking for rather than just calling back a number that you got in a random voicemail or a random email.
Wendy Battles: I love that idea. It makes so much sense. So, being suspect, being suspicious, questioning things instead of just accepting them. If something seems a little off are all helpful things that we can all do to be a little more prepared, that kind of thing. So, yes, so there's a lot of things we can do. Now, let me share some red flags. Here are five of them that will tell you something about this is not right and I should be suspicious. So, number one is what we've been talking about. They call you first, as we said, typical way for the IRS to reach out is in a very formal letter. There often is an official number on that letter, so they're not going to be contacting you first, by telephone.
Second, you should be suspect if they leave a prerecorded voicemail. What we just were talking about that sometimes they leave a voicemail and people actually do call them back, but the IRS is not going to be doing that either. So, no voicemails, especially if it sounds prerecorded, if it sounds urgent, if it's threatening, I've gotten those calls before, those robocalls before James, I bet you have too and many other people listening, always be suspect of that.
They're also not going to email you. They're not going to initiate contact with taxpayers by email. And so, that again is suspect. In that case, as you mentioned before in the email, it may have attachments or links again, be suspicious of that, do not click on them. The official website of the IRS is irs.gov. But if it's something that seems remotely familiar, like irs.com or irs.net, if the email address is something like that, again be suspect. It should only be officially irs.gov. But again, they are not going to be reaching out to you via email.
They're also not texting you and they're also not reaching out to you via social media. So, all of those ways that they may contact you; phone call, recorded message, email, text message, via social media. I mean, really, is the IRS really going to reach out to you via Facebook? I don't think so. So, always be suspect and be aware of those really glaring red flags. So, with that, now that you are well-schooled in common scam lines and also the big five red flags, let's talk about our buzzword of the day.
James Tucciarone: Here's the buzz on the phishing tactic called spear phishing. Unlike a typical phishing attack that tends to be generic and target a large swath of people, spear phishing targets specific individuals and organizations. Cybercriminals will investigate their targets to make the attack appear more authentic and appear to come from a trusted source. Now, spear phishing attacks can be much more difficult to identify because they're highly personalized, based on previously gathered and publicly available information. And there's no shortage of public information available. Social media and websites can offer glimpses into an organization's community, events, and culture.
A publicly available directory would make it easy to identify individuals and their work roles. Even an out-of-office message could provide details about how an organization formats their emails and signature lines. The goal of spear phishing is the same as with any other cyberattack. Scammers want to trick us into revealing our account and access credentials, installing malware on our devices, or giving up confidential information.
Here's the good news for the Yale community. Yale's information security office prevents millions of phishing attacks every month. And experts agree that security awareness training is a key defense against spear phishing. So, by being involved in Yale's cybersecurity awareness program and listening to the Bee Cyber Fit podcast, you're already ahead of the game.
And here's even more good news. The tips to avoid spear phishing are pretty much the same as the tips to avoid phishing. Be wary of unsuspected or unsolicited emails. Use caution if ever responding and as always, don't click any links or open any attachments. Make sure the sender is who they say they are, and be sure to validate the sender's email address for any suspicious emails. Finally, power up your passwords. Use strong passwords and passphrases. Add multifactor authentication wherever possible and don't reuse passwords across accounts. And don't forget to keep listening to the Bee Cyber Fit podcast, where we make it easy to be aware, to be prepared, and to be a step ahead of bad actors.
Wendy Battles: We've told you about spear phishing. As you just heard, we've talked all about tax scams. Now it's time for some calls to action. Number one, we encourage you to get an identity protection PIN. Think of it as multifactor authentication for doing your taxes. It's a code that's unique to you. It's an added layer of security that only you will know. Number two, we encourage you to read our March Cybersecurity Awareness Tip, which is all about avoiding tax scams. We have some other tips in there for you, helpful information. It's information you can also forward on to other people in your life. And number three, if you found this episode helpful, especially as we think about tax season and what not to do, please share it widely with people you care about. Let them know what you know and let's all work together to stay safe online and free of scammers.
James Tucciarone: Those are definitely some great tips, Wendy.
That's all the time that we have for this episode. So, until next time, as always, I'm here with Wendy Battles and I'm James Tucciarone. We'd like to thank everyone who helps make this podcast possible. And we'd like to thank Yale University where this podcast is produced and recorded.
Wendy Battles: Thank you so much for listening. We hope you found value in how to stay safe online. And remember, it only takes simple steps to be cyber fit.
[Transcript provided by SpeechDocs Podcast Transcription]