Uncloaked: A Cybersecurity Podcast

Ep. 23 | How to Avoid Tax Scams

BlackCloak Episode 23


Tax season is more than a calendar event; it's a predictable cycle cybercriminals exploit. And for high-net-worth individuals, that risk is amplified. In fact, the IRS flagged 2.1 million returns in 2025 as being potential identity theft. Join BlackCloak's Kerry Tary as she discusses today's common tax scams and how to prevent them. 

If you're interested in learning more, you can request a demo with BlackCloak here, or visit the BlackCloak website

SPEAKER_00

Welcome to Uncloaked, a podcast series brought to you by BlackCloak, the pioneer in digital executive protection and leader in personal concierge cybersecurity. I'm Dan Basco, and today we're discussing tax season scams to be on the lookout for. Joining me for this discussion today is Kerry Terry, Senior Account Executive here at BlackCloak. Carrie, thank you so much for being here.

SPEAKER_01

Thanks for having me, Dan. I'm really excited.

SPEAKER_00

It's a pleasure to have you here on the show. And uh you deal a lot with uh clients on a daily basis, and uh of course speak to uh potential clients as well. And you know, obviously it's this time of year where we're talking about a lot of individuals preparing for their tax refunds, or uh even for those that are deferring to the fall, uh, these are kind of tax scams, of course, that can be year-round. But of course, uh here with April fast approaching, it's, uh, a relevant topic to dive into. So, you know, we hear that tax season's stressful for everyone, but for the high net worth individuals and the family offices that uh we work with here at BlackCloak, the stakes do seem significantly higher. Why does preparing your taxes, why does that season in general add so much risk for them specifically?

SPEAKER_01

Sure. Well, and we certainly do have a lot of, you know, high net worth individuals and families who come to BlackCloak. One of the reasons is they went to go file their taxes and they found out that somebody already filed using their information. So it's kind of, um, a realization, so to speak, that okay, maybe I have something bigger going on that I should address. And they look to BlackCloak to help kind of assess the situation and put some safeguards in place. But to answer your question, really, when you think about um tax time, you know, it really centralizes a lot of sensitive personal information and financial data into a very narrow window, which is really uh, you know, a gold mine for cyber criminals who rely on urgency and known relationships to bypass standard caution. A lot of times these people are sending documents containing sensitive information back and forth with their accountants and other people in their inner circle, which really makes it a good time for someone to try to pop an email and get that access to that information before then, you know, trying to commit some sort of financial fraud.

SPEAKER_00

Yeah, and that kind of brings it full circle to the realization that you're entrusting a lot of your data and information uh to other individuals. So it's super important that you have that trusted circle with you. So of course, when we talk about taxes and tax preparers, um, you know, many of these individuals already have their accountants that they trust. But for those, you know, who are switching or bringing on a family office for the first time, that's the first step is making sure that you are trusting um those that you're bringing on board. To many nowadays, a simple IRS phone call, those scams are easy to spot, right? We kind of know, we brush it off, we can recognize those pretty easily. But what are the more sophisticated, uh you can even call them ultra-luxury level scams uh like AI social engineering or compromised advisor emails that family offices should be watching out for?

SPEAKER_01

Yeah, absolutely. And to your point, I like that term ultra-luxury level scam, but that's exactly right because the people that we bring on to BlackCloak, these are targeted attacks. These are very, you know, maybe sometimes high profile, or if they're a more under-the-radar family, but very high net worth, these families are really interesting targets for threat actors and cyber criminals. So we're really seeing a significant rise in impersonation attacks, leveraging deepfake technology. So, what this means is an attacker might use AI-generated audio to impersonate a trusted family member or someone in their inner circle in a voicemail. And what they're doing is they're trying to manipulate an assistant or somebody to make an urgent wire transfer. And, you know, sometimes kind of one of the common red flags with these types of scams are these cyber criminals do such a good job of creating this sense of urgency. This must be done now or something really bad's going to happen. And I've heard our founder and CEO Chris Pierson talk about these threat actors make you move from your left brain, your logical part, to the right brain. They make you stop your logical thinking and going through those, you know, checkpoints to make sure you're following the right procedure. And then your emotional takes over and you're like, oh, I better act fast or something bad's going to happen. So, in what I've just described, kind of that urgency, but we also have a number of clients who come to us kind of experiencing what we call email compromise, where a threat actor can get a foothold into your email account and they sit in there for six months at a time.
The average um cyber criminal can monitor a network for an average of 200 days, waiting for a liquidity event, like a large tax payment to strike, or maybe you're purchasing an expensive, you know, new home and they're waiting for the wire to go out and they're going to intercept an email and say, hey, instead of sending the wire to account123 at abc.com, send it to 678 at zxy.com. So those are the types of things that we've seen. Um, another new vector we've seen is that there's been a really big uptick in targeted SIM swapping attacks for ultra-high net worth individuals. Um I think most of us are familiar with the dual factor um authentication form of SMS. So in order to get access to an account, you'll get a text message sent to you. You then have to enter the series of numbers into your to login to get into your account. Um, cyber criminals realize that. So they've begun hacking or social engineering their way into mobile carrier accounts. So think of your AT&T, T-Mobile, or Verizon account. And what they do once they're inside your account is they can swap your electronic SIM card so that when they try to access your bank account, they would get the dual factor code texted to their phone instead of your phone. So this is a really huge problem. And you can imagine the pain and time it takes to kind of undo some of these problems. Um, but there are things you can do to prevent this from happening. You can put a SIM lock on your account to lock down your electronic SIM card to prevent that from happening. But a really big thing that we're pushing and advocating our clients to do is using a dual factor authenticator application. There's dozens of different dual factor apps out there. There's Authy, Google Authenticator, Microsoft Authenticator. But it's important to use the authenticator app for your key accounts, like your financial accounts, social media accounts, your personal email account as well.
A lot of people overlook the importance of locking down your personal email account. And when you think about it, that's really the the mecca of all of your connected accounts or go right to your email, right? So it's important to lock that down. And with this dual factor app, you need to have possession of your phone. It's like a garage door opener in order to access that particular account. So somebody couldn't, you know, hack into your account because they would physically have to have possession of your phone.

SPEAKER_00

Yeah, it's like another fail-safe in there. And you're right. I mean, the email is the epicenter of so much of your information. I mean, I think if you ask the average person to go and look through first, people don't do spring cleaning, so to speak, of their emails very often. They've just got uh email after email sitting there. And how many documents do we share back and forth in in an email account? And to your point, Cybercriminal could be sitting waiting in there just for that moment to strike. And so, yeah, it is about that due diligence. And the authenticator app is a good one too, because and we're seeing this even nowadays, uh, it's getting a lot better, but there are still a lot of accounts out there that you may have that don't offer authentication through an app, and that's unfortunate. Obviously, any authentication is going to be better than none. So you want to do two-factor authentication. If the app is available, it's a hundred percent the option to go. Because as you mentioned, it it's an extra layer of security than the typical uh SMS authentication. So, really important there. We talked a little bit about the urgency, the AI impersonations that can be used against individuals. Going off that a little bit more, how are criminals using social engineering today to trick even the most diligent staff? I mean, we're talking about household staffs and family offices that are obviously entrusted with a lot of information and they have a very important role to play in the principal's life. And even just for the individual themselves, you can be super diligent and still be a victim, unfortunately.

SPEAKER_01

Yes. Uh these cyber criminals and threat actors are really becoming more and more sophisticated. Their tactics are constantly changing. And it's really not that difficult for them to find, you know, information out there that can be used to social engineer their way into certain accounts and tricking these diligent staff members. So what they do is they leverage known relationships to create a sense of trust. This might involve something called spear phishing, where a highly customized email mentions a recent family vacation or a child's name to establish authenticity before asking for a confirmed identity or tax document. So that's another reason why it's important to kind of think twice before you share photos on social media. And if you are going to share photos, make sure you know everybody you're connected with. You know, make sure your friends lists are private and that your profile isn't public because cyber criminals can easily find all that information and use it for nefarious purposes. There's also something out there called data brokers or people finder websites. There's about 400 of these different websites out there that are perfectly legal. Um, and their job is to, you know, they make money off selling our data. The problem with these types of publicly available sites is that they're another, you know, source of information for threat actors and cyber criminals to find out personal information about us, like our names, our email addresses, our phone numbers, and even our relatives' names that can be used for nefarious purposes. So that information is like a gold mine for threat actors looking to socially engineer or trick their way into getting access into an account or device.

SPEAKER_00

Yeah, and once they're in, uh, they've got the keys to the kingdom at that point. So yeah, it is, it's kind of like a code red at that point, which is why it's really helpful to have a confident, dedicated support team uh behind you to be able to kind of address that right away. Um, we've been talking about family offices, household staffs. Uh, a lot of these ultra-high net worth individuals that we're talking about have people that are managing these accounts. What would you say is the non-negotiable rule that you give to household staff uh that they should implement today?

SPEAKER_01

That's a good question. I'd say that the number one non-negotiable rule is that no financial charges or sensitive information are to be shared without verbal verification. It's best to um, of course, like validate face to face if possible. Obviously, that's that's not always possible. Um, but we are seeing a lot of impersonations out there. And you you really can't trust a text message anymore. Um, it's best to pick up the phone, or even better to have some sort of like safe word that you can, you know, share to authenticate with the principals or the staff to verify that you know you are speaking to the person you think you're speaking to.

SPEAKER_00

That's a good one. Yeah. And you know, it's like we talk about with passwords too. Even if you have strong passwords, like we recommend changing them every so often, your home Wi-Fi being like a prime example, those phrases and code words probably worth changing uh every now and then as well. Yeah, just to shake it up. I mean, and and these I know these are like minor inconveniences to people sometimes. But I like in in your experience of talking with clients and everything, it it is about like finding that balance, right? Because people do want to be secure, but they also want to be very convenient. Once they understand maybe the extent to which they're giving up their security for ultra convenience, are you finding that they're more willing to, you know, find a better middle ground there when it comes to certain things, once they understand the full scope of the risk?

SPEAKER_01

I do. And I think up front it's a little bit overwhelming to hear about all of the different things BlackCloak can do. And I always tell people, you know, you can take the horse to water, but you know, you can't force them to drink it. And we can share and recommend certain things. And um it's up to the client or the user to implement those, right? And some people are certainly stuck in the way that they're doing the things that they want to do a certain way, and that's fine. But, you know, maybe we share the risks, make a recommendation, and then help them implement a best practice. But I do always tell people, Dan, that BlackCloak really does find a balance between cybersecurity and privacy, but also convenience. We're not here to make your life harder and mandate that you do certain things a certain way. We're just here to help guide our members and educate them. And at the end of the day, we're helping them build their castle walls high to prevent anything bad from happening, like we're talking about today.

SPEAKER_00

Yeah, exactly. We give them the tools that they can implement themselves, but the trust that, hey, we've got all of this other stuff covered for you, right? So it is that peace of mind that they can go about their daily business and uh focus on what they need to focus on. We've talked a lot on the show about how overwhelming cybersecurity can be. It's a very complex topic and there's so many aspects of it. And you can't expect the average individual or uh just really anybody that's not in the industry to be on top of all of the latest stuff. So that's why you bring on trusted individuals and services like BlackCloak so that we can, you know, take on that burden.

SPEAKER_01

Absolutely. And uh nine out of ten times I speak to somebody and I ask them, you know, a prospect of ours, I ask them why they're interested in learning more about BlackCloak and how to improve their cybersecurity. And the number one thing they say is, look, I don't know what I don't know. I'm looking to engage with a firm like BlackCloak to tell me what I should do and help me implement these things.

SPEAKER_00

Absolutely. So on this topic of the taxes and scams, you know, there's obviously a lot of different ways it can manifest. It can lead obviously to just straight up identity theft. There can be the impersonations that we've talked about, these phishing emails uh that are way more sophisticated than your traditional ones. Uh there, it's no longer can you necessarily see the misspellings as a key indicator. They are now really good. The spellings are correct and they're a lot more tricky to your point about finding maybe some details about the personal life that they can then leverage. And we're also talking about fake IRS returns being filed in these people's names. And of course, the more money you make, the higher of a uh a priority a cyber criminal is gonna place on you as a target. So going off of that, what are some of the best practices that you would recommend the individual, the principal, the family office, uh anyone really take to maybe lessen some of these risks for them?

SPEAKER_01

Yeah, absolutely. And even what you just outlined, Dan, as a kind of a quick recap, it's like these threats are coming at us from every angle, right? So it's so hard for somebody to even um it's really about staying vigilant, you know. And luckily BlackCloak can take a lot of this off of our claim with a lot of our passive protections, but there's a number of proactive things an individual can do, one of them being an IRS PIN number. You can obtain an IRS PIN number, and that's something we would help our clients with. Um, it's a new PIN number, a unique number every year that you file your taxes, and you have to have this PIN number to validate, you know, you are who you say you are. Another thing that we talk to everybody about is the importance of considering freezing your credit with Experian, TransUnion, and Equifax. I think there's um a misconception here that a credit freeze is really difficult to put in place, or it's difficult to lift a freeze when you need to use credit, which is not the case. Um, with a credit freeze, you would go to Experian, TransUnion, and Equifax. It would take a few minutes to visit each website. You have to create a login, um maybe answer a few validating questions, and then you can put a freeze on your account. What this does is it prevents anybody from getting a hold of your Social Security number and your date of birth and opening up a new line of credit using your information. You would still use your existing lines of credit like normal. It's just that when you were to, you know, perhaps finance a car or purchase a new home, you would need to lift a freeze temporarily. And that's something BlackCloak can help you with. And then you can even lift it temporarily, and then after so long, the freeze is automatically put back in place. So I always tell people that's like the number one thing you can do to prevent identity theft from happening. Just put a credit freeze in place and you should be okay.
Another thing you can do is keep document sharing to a minimum. And also really important to verify all links are safe. Um, you can do the same thing with an email. You can like check the header to see, you know, the full email description domain of somebody sending you an email, just to be extra vigilant.

SPEAKER_00

Yeah, those are good proactive steps. Uh, I really think that IRS PIN is, um, kind of a must-have. The credit freeze is a great one because I do think you're right that there is a misconception with a lot of people, even just about the difficulty of it overall. I think it's like a huge undertaking and it sounds uh, you know, big and scary a little bit, right? But it's not. It's fairly simple. And uh again, you know, at BlackCloak, like that's one thing we pride ourselves on with our concierge team is like we try to make things as simple as possible for people. So even through the app, they can go initiate those credit freezes very easily through the app. We give them all the links, uh give them the access to that, as well as the IRS PIN. So there's kind of your one-stop shop, right, in a lot of ways. And so it goes back to that convenience factor of a lot of people wanting to not go through all of these uh the steps to get that security. This is a way where it's like, hey, this is actually a minor inconvenience uh once you get educated on it, and we can lift even some of that minor inconvenience and put it on ourselves.

SPEAKER_01

Absolutely. And if I may, Dan, um I just wanted to maybe though the number one question I get asked from our prospective clients when I'm meeting with them is they want to understand how BlackCloak is different from the consumer grade credit monitoring tool. They alert you when there's a change to your credit file, your credit report. BlackCloak is unique because we're really combining, as you mentioned, we're the one-stop shop. We're combining a lot of different tools and technologies and bundling them together. We do offer credit monitoring, but we do so much more than that. We're doing things preventatively to prevent identity theft and fraud from even happening in the first place. And then, heaven forbid, should something happen, the incident response and remediation is included in that. So it's really um a matter of education, you know, building the castle walls high and having that trusted team of experts that you can leverage whenever you need something.

SPEAKER_00

Yeah, that's great. And and I'll even add on to that that comes with a million-dollar identity theft insurance as well. So there's a little bit uh extra, you know, peace of mind with that. Carrie Terry, thank you so much. This has been uh a really enlightening discussion. It's an important time of year to have this one. So really appreciate your time coming on to discuss this today.

SPEAKER_01

Yeah, thanks for having me, Dan.

SPEAKER_00

Absolutely. And if you are interested in looking over a lot of what was discussed here today with Carrie, you can head over to tax-season-scams.blackcloak.io. There we have a full interactive guide for you to go through some of those common tax risks and some of those ways that you can mitigate that risk during this time of year. You can listen to all episodes of Uncloaked at blackcloak.io/podcasts or on your platform of choice. And if you're interested in becoming a member or want to learn more about how to protect your digital life, visit us at blackcloak.io. Thank you for tuning in, and we'll see you next time on Uncloaked.