How the IRS phishing and vishing scam for stimulus check payments got busted

Every day, the US Treasury Department and the Small Business Administration must send thousands of dollars in stimulus payments and loans to small and medium businesses, so automating this process has become a priority. However, computer forensics experts believe that this modernization exposes both government agencies and entrepreneurs to all kinds of cyber attacks.

The Coronavirus Aid, Relief and Economic Security Act (CARES) establishes some guidelines to mitigate the economic impact of the pandemic on some individuals and small businesses, providing for a payment of up to $1,200 per taxpayer, plus an additional $500 for each child. Taxpayers will receive this payment automatically through an electronic transfer system used to pay Social Security benefits and other public assistance programs.

The problem, as computer forensics experts mentioned, is that millions of citizens will not be able to request payment this way, so they will have to find another way to obtain the money. To speed up the process, the IRS introduced an online platform that allows those who did not file taxes to request this payment digitally and receive the funds by direct deposit to their bank account or through a service such as PayPal.

However, none of these methods has additional protections against identity theft and fraud. To qualify for a payment, the IRS tool asks people to present proof of identity in the form of their name, date of birth, Social Security number, mailing address, email address, and bank account type and routing numbers. Other identifiers, such as a driver’s license, are also accepted. Even before the enactment of CARES, the Federal Trade Commission (FTC) warned of the likelihood that threat actors would attempt to impersonate official organizations to obtain credentials and successfully intercept aid funds.

Computer forensics specialists consider that the use of valid authentication data on these platforms (Social Security numbers, among others) contributes to exposing individuals and private organizations to various cybersecurity risks, such as phishing. Furthermore, they consider that the risks of relying on this kind of information to authenticate users are very similar to the risks of traditional tax fraud, especially in an environment where the government seeks to transfer funds more efficiently.

The International Institute of Cyber Security (IICS) considers that the IRS, and any agency involved in the collection of money, should reserve resources for implementing monitoring and fraud detection systems to prevent this kind of activity.