If you’re awaiting a federal stimulus payment and you haven’t filed tax returns, beware: Hackers have set their sights — and sites — on your $1,200 check.
Scammers have set up more than 180,000 coronavirus-themed websites in an attempt to steal data or misinform consumers, according to data from Checkphish by Bolster.
The security firm has spotted more than 149,000 suspicious domain registrations with the term “stimulus check” in them.
Last week, the IRS began distributing its economic impact payments to households all over the country. Individuals are eligible for up to $1,200, while those who are married and file jointly can get up to $2,400.
Households are also eligible for $500 per child under age 17.
The IRS determines what you get based on the adjusted gross income reported on your 2018 or 2019 tax return. Single filers with an AGI between $75,000 and $99,000 ($150,000 and $198,000 if you’re married and filing jointly) get smaller payments.
Non-filers – people who don’t submit tax returns because they don’t earn enough money to be required to do so – are also eligible for stimulus checks. They must enter their personal data into a website hosted by the IRS to have the money direct deposited into a bank account.
Therein lies a massive security problem, data security experts said.
“The IRS is asking consumers for their mailing addresses, email addresses – it’s all appropriate information,” said Rivka Little, senior vice president of marketing and strategy at Socure.
“But all of those points of data are out there; they’re already breached and attainable,” she said.
In 2019, there were 7,098 data breaches, exposing more than 15.1 billion records, according to data from Risk Based Security.
In some cases, individuals themselves offer their own data on a silver platter via social media. This is why you shouldn’t share your birthday, full name, email address and other details.
Armed with this data, scammers could try grabbing non-filers’ stimulus payments and routing the cash elsewhere.
“Now, it’s fraudsters entering consumers’ information in order to divert the money,” Little said. “It’s important for financial institutions to watch for a rise in new bank accounts.
“Are you looking at the activity that happens after this new account is established?”
Rip-off artists are also impersonating the IRS and sending phishing emails to extract taxpayers’ bank account data, said Avi Shua, co-founder of Orca Security.
“One easy way for scammers to take advantage of the ‘Get My Payment’ app is to create copies of the login page,” said Abhishek Dubey, CEO of Bolster.
Taxpayers wind up inputting their own data into the fake page, which scammers then use to try beating the victim to the check, he said.
“Even if it looks legit, if you want to search for the ‘Get My Payment’ site, go there directly – don’t just click on a link within an email,” Shua said.
As a reminder, the IRS will not call, email, text or leave threatening voicemails about the stimulus payments – but scammers impersonating the tax agency will.
“The IRS reminds taxpayers that the new tools on IRS.gov – Get My Payment and the Non-Filer – are safe and secure to use,” said IRS spokesman Dean Patterson in an email.
“Taxpayers are urged to go directly and solely to IRS.gov to use these tools and official information to avoid scams directing people to other websites,” he wrote.