How to Protect Yourself From Tax Fraud

With tax fraud on the rise, it is important to be aware of the fraudulent activities that can take place this tax season and what you can do to minimize your risk of becoming a victim of identity theft. In actuality, tax fraud is relatively easy to commit. All that is required for a scam to take place is a name, date of birth and Social Security number, and with the number of data breaches that have taken place recently, your personal information could be vulnerable to cybercriminals and identity thieves. According to LifeLock’s marketing intelligence director, Nada Baiz, “tax fraud will continue to develop because criminals are realizing how lucrative and easy it is.” She also adds, “With chip-enabled debit and credit cards now making credit card fraud more difficult to commit, criminals will look to replace this lost ‘income’ with something else.”

With Tax Identity Theft Awareness week (Jan 29 – Feb 2) approaching, it is important to spread the word about how to prevent becoming a victim to scams this tax season.

To help reduce your chances of identity theft this tax season, here are six best practices to follow:

File taxes early

Identity thieves are ready as early as January to file fraudulent returns, so have all of your paperwork in order and file before they do. This is even more crucial if you have reason to believe your personal information has already been compromised, such as in an earlier data breach. However, you don’t have to have been a victim of a previous identity theft crime to become a victim of tax refund fraud.

Don’t fall for scams

If someone calls or emails claiming to be from the Internal Revenue Service (IRS) asking for personal information, don’t give it. The IRS will only request information by mail, so if you receive a call, email or text message claiming to be from the IRS and asking you to provide personal details, don’t – it is most likely a scam.

Research your tax preparer

Be very careful about choosing a tax preparer. Only hire individuals who have the proper IRS credentials, then request their full name and tax certification documentation. Be sure to keep copies of it with your tax paperwork even after filing. Even if you’re using an e-filing service, researching the provider is just as important.

Protect your Social Security number

Leave your Social Security card at home and only give out the number when absolutely required. If you are requested to provide it on a form, ask the company why they need it and if it is necessary, because this is often optional.

Sign up for protection services

Signing up with a service that specializes in identity theft protection can help you keep your personal information safe by alerting you immediately if any fraudulent activity occurs.

Shred your personal records

Destroy old tax forms, monthly financial statements and other documents that include your personal information once deemed unnecessary. Switching to online delivery is another safe bet so your documents are less likely to end up in places where they can be stolen, like your mailbox or recycling bin.

If you do choose online delivery, make sure that any personal accounts storing this information are appropriately secured.

Lock Down Your Login: Your usernames and passwords are not enough to protect key accounts like email, banking and social media. Strengthen online accounts and use strong authentication tools – like biometrics, security keys or a unique, one-time code through an app on your mobile device – whenever offered.

How To Spot Government Impostor Scams

Scammers sometimes pretend to be government officials to get you to send them money. They might promise lottery winnings if you pay “taxes” or other fees, or they might threaten you with arrest or a lawsuit if you don’t pay a supposed debt. Regardless of their tactics, their goal is the same: to get you to send them money. Don’t do it. Federal government agencies and federal employees don’t ask people to send money for prizes or unpaid loans. Nor are they permitted to ask you to wire money or add money to a prepaid debit card to pay for anything.

How to Recognize a Government Impostor

It can be hard to recognize an impostor through the lies they tell. They use a variety of tricks to get your attention, whether it’s distracting you with a story about money you won or creating a fear that you’ll be sued or arrested.

Here are two deceptions that they have used successfully to steal money from people:

You’ve "Won" a Lottery or Sweepstakes

Someone claiming to be a government official calls, telling you that you’ve won a federally supervised lottery or sweepstakes. They may say they’re from “the national consumer protection agency,” the non-existent National Sweepstakes Bureau, or even the very real Federal Trade Commission — and it looks like they’re calling from a legitimate number. They also might send e-mails, text messages or letters.

They might:

  • tell you you’ll have to pay taxes or service charges before you can collect your winnings
  • ask you to send money to an agent of “Lloyd’s of London” or some other well-known insurance company to “insure” delivery of your prize
  • ask you to wire money right away, often to a foreign country

The truth is that no government agency or insurance company is involved, and there are no winnings. There never were. Scammers take the money you paid them and disappear.

You Owe a Fake Debt

You might get a call or an official-looking letter that has your correct name, address and Social Security number. Often, fake debt collectors say they’re with a law firm or a government agency — for example, the FTC, the IRS or a sheriff’s office. Then, they threaten to arrest you or take you to court if you don’t pay on a debt you supposedly owe.

The truth: there’s no legitimate reason for someone to ask you to wire money or load a rechargeable money card as a way to pay back a debt. If you’re unsure whether the threat is legitimate, look up the official number for the government agency, office or employee (yes, even judges) and call to get the real story. Even if it is a real debt, you have rights under the Fair Debt Collection Practices Act.

Variations on these scams include people claiming to be with the IRS collecting back taxes, or scammers posing as representatives of the United States Citizenship and Immigration Service (USCIS) who target immigration applicants and petitioners.

Five Ways to Beat a Government Impostor Scam

Don’t wire money

Scammers often pressure people into wiring money, or strongly suggest that people put money on a prepaid debit card and send it to them. Why? It’s like sending cash: once it’s gone, you can’t trace it or get it back. Never deposit a “winnings” check and wire money back, either. The check is a fake, no matter how good it looks, and you will owe the bank any money you withdraw. And don’t share your account information, or send a check or money order using an overnight delivery or courier service. Con artists recommend these services so they can get your money before you realize you’ve been cheated.

Don’t pay for a prize

If you enter and win a legitimate sweepstakes, you don’t have to pay insurance, taxes, or shipping charges to collect your prize. If you have to pay, it’s not a prize. And companies, including Lloyd’s of London, don’t insure delivery of sweepstakes winnings.

If you didn’t enter a sweepstakes or lottery, then you can’t have won. Remember that it’s illegal to play a foreign lottery through the mail or over the phone.

Don’t give the caller your financial or other personal information

Never give out or confirm financial or other sensitive information, including your bank account, credit card, or Social Security number, unless you know who you're dealing with. Scam artists, like fake debt collectors, can use your information to commit identity theft — charging your existing credit cards, opening new credit card, checking, or savings accounts, writing fraudulent checks, or taking out loans in your name. If you get a call about a debt that may be legitimate — but you think the collector may not be — contact the company you owe money to about the calls.

Don’t trust a name or number

Con artists use official-sounding names to make you trust them. It’s illegal for any promoter to lie about an affiliation with — or an endorsement by — a government agency or any other well-known organization. No matter how convincing their story — or their stationery — they're lying. No legitimate government official will ask you to send money to collect a prize.

To make their call seem legitimate, scammers also use internet technology to disguise their area code. So even though it may look like they’re calling from Washington, DC, they could be calling from anywhere in the world.

Put your number on the National Do Not Call Registry

OK, so this won’t stop scammers from calling. But it should make you skeptical of calls you get out of the blue. Most legitimate salespeople honor the Do Not Call list; scammers ignore it. Putting your number on the list helps you “screen” your calls for legitimacy and reduces the number of legitimate telemarketing calls you get. Register your phone number at donotcall.gov.

Report the Scam

If you get a call from a government impostor, file a complaint at ftc.gov/complaint. Be sure to include:

  • date and time of the call
  • name of the government agency the impostor used
  • what they told you, including the amount of money and the payment method they asked for
  • phone number of the caller; although scammers may use technology to create a fake number or spoof a real one, law enforcement agents may be able to track that number to identify the caller
  • any other details from the call

Over 90% of Business Hacks In 2017 Were Avoidable

Regardless of an organization’s security posture, there is no perfect security. On the other hand, there is no excuse not to implement fundamental security best practices. All organizations, regardless of size, must plan for inevitable attacks and loss of (or loss of access to) critical data. By recognizing risks, planning ahead and instilling a culture of security and privacy in the entire organization, losses and their impact can be minimized. As in previous years, OTA analyzed reported breaches through Q3 2017 and found that 93% were avoidable, which is consistent with previous years’ findings. Of the reported breaches, 52% were the result of actual hacks, while 11% were due to a lack of internal controls resulting in employees’ accidental or malicious events. Regular patching and paying close attention to vulnerability reports has always been a best practice, and neglecting them is a known cause of most breaches, but this category received special attention this year in light of the Equifax breach.

The vast majority of other types of attacks – ransomware and BEC – are initiated by deceptive or malicious emails. Analysis reveals that these too are avoidable, by blocking fake messages and training users to recognize spearphishing attacks. In addition to better processing of email, there are several other steps that can prevent or limit the impact of ransomware, including updated system and security software as well as regular data backups. Since BEC attacks rely almost entirely on “social engineering” deception and rarely include any malicious links or attachments, better processing of email can generally stop these attacks in their tracks. Unfortunately, the day-to-day urgency of business often prevents organizations from appropriately defending against these email-based attacks.

Key avoidable causes for incidents:

  • Lack of a complete risk assessment, including internal, third-party and cloud-based systems and services
  • Not promptly patching known / public vulnerabilities, and not having a way to process vulnerability reports
  • Misconfigured devices / servers
  • Unencrypted data and/or poor encryption key management and safeguarding
  • Use of end-of-life (and thereby unsupported) devices, operating systems and applications
  • Employee errors and accidental disclosures: lost data, files, drives, devices, computers, improper disposal
  • Failure to block malicious email
  • Users succumbing to Business Email Compromise and social exploits

Half a BILLION Dollars Stolen from Japanese Cryptocurrency Exchange

Coincheck, a Tokyo-based cryptocurrency exchange, has suffered what appears to be the biggest hack in the history of cryptocurrencies, losing $532 million in digital assets (nearly $420 million in NEM tokens and $112 million in Ripples). The cryptocurrency markets reacted negatively to the news, which resulted in a 5% drop in the Bitcoin price early this morning.

In a blog post published today, the Tokyo-based cryptocurrency exchange confirmed the cyber heist without explaining how the tokens were stolen, and abruptly froze most of its services, including deposits, withdrawals and trade of almost all cryptocurrencies, except Bitcoin.

Coincheck also said the exchange had stopped deposits into NEM cryptocurrencies, as well as other deposit methods including credit cards, which resulted in a 16.5% drop in the NEM coin value.

According to news source Asahi, during a late-night press conference at the Tokyo Stock Exchange, Coincheck Inc. co-founder Yusuke Otsuka also said that over 500 million NEM tokens (then worth around $420 million) were taken from Coincheck's digital wallets on Friday, but that the company did not know how the tokens went missing.

The digital-token exchange has already reported the incident to the law enforcement authorities and to Japan's Financial Services Agency to investigate the cause of the missing tokens.

"We will report on the damage situation and cause of the case, measures to prevent recurrence, but first we would like you to take every possible measure to protect our customers," said executives of the Financial Services Agency (translated).

This incident marks yet another embarrassing hack in the world of digital currency technology, once again reminding us that the volatility in cryptocurrency prices is not going away anytime soon.

Are You a Tinder user? Watch Out, Someone Could Spy On You

Security experts at Checkmarx discovered two security vulnerabilities in the Tinder Android and iOS dating applications that could be exploited by an attacker on the same Wi-Fi network as a target to spy on users and modify the content they see. Attackers can view a target user’s Tinder profile, see the profile images they view and determine the actions they take.

“The vulnerabilities, found in both the app’s Android and iOS versions, allow an attacker using the same network as the user to monitor the user’s every move on the app. It is also possible for an attacker to take control over the profile pictures the user sees, swapping them for inappropriate content, rogue advertising or other type of malicious content (as demonstrated in the research),” reads the analysis published by Checkmarx.

“While no credential theft and no immediate financial impact are involved in this process, an attacker targeting a vulnerable user can blackmail the victim, threatening to expose highly private information from the user’s Tinder profile and actions in the app.”

An attacker can conduct many other malicious activities, including intercepting traffic and launching DNS poisoning attacks.

The first issue is that both the iOS and Android Tinder apps download profile pictures over insecure HTTP connections. This means that an attacker who can observe the traffic can determine which profiles a Tinder user is viewing.

Tinder data leak

An attacker could also modify the traffic, for example to swap images.

“Attackers can easily discover what device is viewing which profiles,” continues the analysis. “Furthermore, if the user stays online long enough, or if the app initializes while on the vulnerable network, the attacker can identify and explore the user’s profile. Profile images that the victim sees can be swapped, rogue advertising can be placed and malicious content can be injected.”

This kind of issue can be mitigated by serving the images over HTTPS.

Checkmarx also discovered a second issue, this one related to the use of HTTPS itself; the flaw was named “Predictable HTTPS Response Size”.

“By carefully analyzing the traffic coming from the client to the API server and correlating with the HTTP image requests traffic, it is possible for an attacker to determine not only which image the user is seeing on Tinder, but also which action did the user take,” states Checkmarx. “This is done by checking the API server’s encrypted response payload size to determine the action.”

An attacker in a position to observe the traffic can tell how the user reacted to a specific profile from the size of the encrypted response alone: when the user swipes left on a profile picture, the API server returns a 278-byte encrypted response, while a right swipe (liking the profile) produces a 374-byte response.

Because the member pictures themselves are downloaded to the app over plain HTTP, an attacker can combine the two observations and view the profile images of the users being swiped left and right.

To mitigate this issue, the researchers suggest padding: if the API responses were padded to a fixed size, it would be impossible to tell the user’s actions apart by length.
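As an added illustration (not Checkmarx's or Tinder's code) of why fixed-size padding defeats this kind of traffic analysis, the Python below builds two constructed swipe replies of different lengths, shows that a passive observer can label them by length alone, and then pads each reply to an assumed 512-byte bucket so the lengths no longer distinguish the actions. The JSON field names, the bucket size and the length-prefix framing are all assumptions.

```python
import json
import secrets
import struct

# Constructed sample API replies standing in for the swipe responses the
# article describes; the field names are assumptions, not Tinder's payloads.
PASS_REPLY = json.dumps({"status": "ok", "action": "pass"}).encode()
LIKE_REPLY = json.dumps({"status": "ok", "action": "like", "match": False,
                         "match_id": None, "super_like": False}).encode()

BUCKET = 512  # assumed fixed size that every reply is padded up to


def build_length_fingerprints(labelled_replies):
    """Traffic-analysis step: learn which plaintext length belongs to which
    action. TLS records built on AES-GCM add a constant overhead, so plaintext
    lengths stand in for the ciphertext sizes a network observer would see."""
    fingerprints = {}
    for label, body in labelled_replies:
        fingerprints.setdefault(len(body), set()).add(label)
    return fingerprints


def classify_by_length(observed_len, fingerprints):
    """Return the action implied by a record length, or 'ambiguous' when the
    length maps to more than one action (or to none)."""
    labels = fingerprints.get(observed_len, set())
    return next(iter(labels)) if len(labels) == 1 else "ambiguous"


def pad_reply(body, bucket=BUCKET):
    """Server side: frame the body as <4-byte length><body><random fill> so
    every reply occupies exactly one bucket and its size no longer leaks the
    action. Random fill is used so a compressing layer cannot shrink it back."""
    if len(body) + 4 > bucket:
        raise ValueError("reply larger than padding bucket")
    fill = secrets.token_bytes(bucket - 4 - len(body))
    return struct.pack(">I", len(body)) + body + fill


def unpad_reply(padded):
    """Client side: recover the original body from a padded reply."""
    (length,) = struct.unpack(">I", padded[:4])
    return padded[4:4 + length]


def demo():
    """Classify the two replies by length before and after padding."""
    labelled = [("pass", PASS_REPLY), ("like", LIKE_REPLY)]
    before = [classify_by_length(len(b), build_length_fingerprints(labelled))
              for _, b in labelled]
    padded = [(label, pad_reply(b)) for label, b in labelled]
    after = [classify_by_length(len(p), build_length_fingerprints(padded))
             for _, p in padded]
    return before, after  # (['pass', 'like'], ['ambiguous', 'ambiguous'])
```

Padding to one bucket hides the pass/like distinction but not traffic volume or timing, so it should be paired with serving the images over HTTPS as the article already recommends.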

Checkmarx disclosed both vulnerabilities to Tinder.