It’s National Tax Security Awareness Week and the Oregon Department of Revenue and the IRS are reminding taxpayers to be on the lookout for money scams and identity theft.
Phishing scams
As the holiday season approaches, taxpayers need to watch out for phishing scams in the deluge of holiday email messages coming from retailers and others. According to the IRS, more than 90 percent of all data thefts begin with an email phishing scam.
Here’s what you need to know to protect yourself from phishing scams:
First, the most common way thieves steal identities is simply by asking for them. Their favorite tactic is a phishing email. Phishing emails “bait” users into opening them. They pose as a trusted company such as a bank, a favorite retailer, or even a tax professional.
Second, learn to recognize and avoid these phishing emails. The scams tell an urgent story—like there’s a problem with your account or your order. The message then instructs the receiver to open an embedded link or download an attachment.
Third, don’t take the bait. The email link may send users to a familiar-looking website to log in, but the username and password go to the thieves. Or the scam suggests users open an attachment, which secretly downloads malicious software. Either method works for identity thieves.
These scam emails can show up in personal inboxes or even a work inbox, endangering the entire organization. Mobile phone users are more prone to responding than those working on a laptop or desktop computer. If at home, just delete the email. If at work, follow your organization’s guidance on handling the email.
Identity theft
With millions of people logging in to websites and online accounts this holiday season, Revenue and the IRS remind taxpayers that common mistakes can increase their risk of having sensitive financial and tax data stolen by identity thieves.
Using strong passwords and keeping them secure are critical steps to preventing thieves from stealing identities, money, or other information to file a fraudulent tax return.
In recent years, cybersecurity experts’ recommendations on what constitutes a strong password have changed. They now suggest people use word phrases that are easy to remember rather than random letters, characters, and numbers that can’t be easily recalled.
For example, experts previously suggested something like “PXro#)30” but now suggest a longer phrase, such as “SomethingYouCanRemember@30.” By using a phrase, users don’t have to write down their password and expose it to additional risk. Also, people may be more willing to use strong, longer passwords if they are phrases rather than random characters that are harder to remember.
Protecting access to digital devices is so critical that some now feature fingerprint or facial recognition technology, but passwords remain common for many people.
Given the sensitivity of many of these online accounts, people should consider these password tips to protect devices or online accounts:
Use a minimum of eight characters; longer is better.
Use a combination of letters, numbers, and symbols in password phrases, e.g., UsePasswordPhrase@30.
Avoid personal information or common passwords; use phrases instead.
Change default or temporary passwords that come with accounts or devices.
Don’t reuse passwords or simply update old ones. For example, changing Bgood!17 to Bgood!18 is not good enough; use unique usernames and passwords for accounts and devices.
Don’t use email addresses as usernames if that is an option.
Store any password list in a secure location, such as a safe or locked file cabinet.
Don’t disclose passwords to anyone for any reason.
When available, a password manager program can help track passwords for numerous accounts.
Whenever it’s an option for a password-protected account, users also should opt for a multi-factor authentication process. Many email providers, financial institutions, and social media sites now offer customers two-factor authentication protections.
Two-factor authentication helps by adding an extra layer of protection. Often this means the user must enter their credentials (username and password) plus another step, such as entering a security code sent via text to a mobile phone. Another example is confirming “yes” to a text to the phone that users are accessing the account on.
The idea behind multi-factor authentication is that a thief may be able to steal usernames and passwords, but it’s highly unlikely they also would have access to the mobile phone to receive a security code or confirmation to complete the log-in process.