A recent epidemic of taxpayers buying Apple iTunes gift cards to pay IRS impersonators boils down to the psychology of fear and widespread ignorance about scams, according to leading fraud experts who said that educating the public is the only clear solution.
The National Consumers League Inc. saw an uptick in fraud complaints involving iTunes gift cards as payment earlier in 2016, with a significant increase in the spring, said John Breyault, the league's vice president for public policy, telecommunications, and fraud. He added that iTunes gift cards are used in many types of scams other than IRS impersonation.
A federal law enforcement official knowledgeable about the issue said that 70 to 90 percent of IRS scam payments have migrated to iTunes gift cards. "As crazy as that sounds, [scammers are] doing it at a very high and successful rate," said the official, speaking on condition of anonymity.
Those figures reinforce a basic question: How are people convinced that they should purchase one or more iTunes gift cards worth hundreds of dollars each to pay a tax debt? The idea that a government agent would demand gift card redemption codes for payment defies logic.
The key to understanding iTunes gift card fraud, the experts said, is how one person psychologically manipulates another, the subject of an information security subfield called social engineering. No technology will ever defeat social engineering, said Frank Abagnale, a former confidence trickster and check forger who inspired the movie Catch Me If You Can.
The experts agreed that fear drives victims' irrational behavior. Christopher Hadnagy, founder of security consultancy Social-Engineer LLC, said the scammers are "amygdala hijacking," a term coined by psychologist Daniel Goleman to describe how strong emotions such as fear and anger briefly shut down the logic centers of the brain.
And few things are scarier than an IRS agent telling someone that he owes thousands of dollars in taxes and will lose his house or car, or be arrested or deported if he does not pay immediately, said Allan Bachman, education manager at the Association of Certified Fraud Examiners Inc.
Thinking in a Deceptive Way
Abagnale, who now does financial fraud consulting through Abagnale & Associates, said that victims' possible stupidity is not the issue, but rather their ignorance of how scams work and what they look like -- and the answer is education. A "majority of people in America are honest," he said, and thus "do not think in a deceptive way."
The IRS has long warned that it initiates contact with taxpayers only by paper mail, so an unexpected phone call from someone claiming to be with the IRS should be ignored. However, some local IRS campuses were until recently initiating contact by phone to try to set up audits and resolve other tax issues. The IRS ended that practice following tax professionals' complaints at a May 5 Taxpayer Advocate Service public forum in Red Oak, Iowa, as first reported by Tax Analysts.
Abagnale said that as part of his work for AARP, he tells the group's members that the IRS will never call them unexpectedly or tell them to use payment cards such as gift cards. The IRS does accept payment via credit and debit cards, but says on its website that it will never demand a specific type of payment.
The scammers are good at what they do and technically savvy, able to make targets believe they are actually from the government, causing them to become emotional and thus vulnerable, said Breyault, who runs the National Consumers League's Fraud.org project.
Malicious actors surveil potential targets, documenting when individuals click on dubious links or respond to other scams, Breyault said, noting that scammers target individuals who are not necessarily technologically literate and may be unfamiliar with iTunes. Bachman described lists of vulnerable older people with track records of being duped, available for sale online. Abagnale said that scammers document whether people answer their calls, how long they stay on a call, and whether they follow menu prompts (such as "dial 1 to speak with an agent").
People should not answer a call that seems suspicious, or should hang up as quickly as possible, Abagnale advised, adding that a scammer is unlikely to call back.
Despite evidence that scammers are seeking easy marks, the experts resisted the stereotype of the gullible fraud victim. Hadnagy said that assuming oneself to be superior or invulnerable plays into fraudsters' hands. Abagnale said that he has met "very smart people" through his work for AARP who have fallen for scams.
Abagnale also recounted a phone call he received from a personal friend who was the chief financial officer of a sizable company in California, asking if an IRS scam call was legitimate. In theory, the friend should have known better, but he had previously been living in London where he ran into an issue with the IRS, so he was worried that the scam call was related.
Hadnagy said that while rushing to prepare for an industry conference, he clicked on a phishing email and started typing his user credentials into a fake Amazon.com page before noticing its Russian URL -- even though he had just published a book about phishing and in the previous year sent 3.5 million fake phishing emails to help train business clients' employees. It was the right emotional trigger at the right time, and it could happen to anyone, Hadnagy said.
Anatomy of a Hijacking
Warnings from the IRS, Treasury Inspector General for Tax Administration, and Federal Trade Commission, and cases described by the experts as well as in the Better Business Bureau's Scam Tracker database (http://goo.gl/HPzTU9), provide a detailed account of how a victim is persuaded to purportedly pay the government using iTunes gift cards.
The target may receive a robocall or text message saying that he owes taxes and must call the IRS at a specific number, which may have Washington's 202 area code. Or he may receive a phone call from a live person spoofing his caller ID to say something like "Internal Revenue Service," often from a 202 area code.
The IRS, FTC, and other observers warn that the scammers are mostly foreign. Voice over Internet protocol systems allow someone located in another country to use a phone number with a U.S. area code. Automated robocalling and text messaging systems allow scammers to dial huge quantities of phone numbers.
Once the target is speaking to a live person, the scammer may state the target's name, date of birth, and even Social Security number. Information security observers estimate that two-thirds of SSNs are available for sale on the dark web. Other IRS impersonation tactics include providing a fake "badge number." The target may hear references to or even speak with multiple fake persons, sometimes portrayed by one individual.
Early into the call, the scammer will try to elicit a fear response, telling the target that he owes thousands of dollars in taxes and needs to pay immediately. The scammer is often aggressive and may threaten to have the target arrested or deported, or his property seized. Threats that a law enforcement officer is en route to arrest the target are common.
The scammer tells the target that the best or simplest way to pay the tax debt is with iTunes gift cards, which the scammer may call something else, such as Apple Pay, the company's mobile payment and digital wallet service.
A scammer often forces the target to stay on the call to ensure he is doing what he is told. The target is instructed to travel to a retailer such as a drugstore and purchase iTunes gift cards to cover the total amount of tax owed, generally more than one card, since each has a limited maximum value. Breyault said that retailers impose limits on card purchases, so victims may be told to visit more than one. The target may be told not to discuss the call or mention the IRS to store employees.
Once the cards are purchased, the target is supposed to give the scammer the redemption codes on the back of the cards. The scammer then quickly transfers the card balances to an iTunes account.
What happens next is unclear, but it appears that the iTunes account credentials are being sold on the dark web for less than their face value to apparently foreign buyers, Breyault said. Scammers would want to launder the money as quickly as possible in case an iTunes account is tracked, Bachman said, adding that selling stolen assets for cents on the dollar is a classic tactic.
Public Awareness and Personal Responsibility
The proliferation of information security threats means that being hacked "is not an 'if' anymore, it's a 'when,'" Hadnagy said. Without being paranoid, consumers must accept that they are likely to be compromised and plan accordingly, he said, because their data were likely included in the breach of a third party such as a healthcare provider or retailer. Such stolen personal information could be used to make scams more convincing.
The experts said that private individuals must be educated, but admitted that doing so is difficult. Public awareness of current scams is insufficient. Hadnagy said that scammers have had to repeatedly change the payment methods they used -- from Western Union Co. transfers, to MoneyGram International Inc. prepaid cards, to gift cards -- as public awareness grew. Eventually, they will move on from iTunes gift cards, he said.
The criminals are also at a statistical advantage. Abagnale and Bachman concurred that to profit, scammers need only capitalize on a small percentage of the people they contact.
The government must do a better job educating people about scams, Abagnale said, calling for public awareness campaigns and a greater sense of urgency about its own security holes. Hadnagy said that he tries to get the message out through news media, but even that is not ideal because people come away from reading articles about fraud thinking they are not vulnerable.
Both social engineering experts concluded that people can rely only on themselves and are ultimately responsible for keeping their identities and money secure. And because fraud is increasing, people need to be a bit smarter today, Abagnale added.
Abagnale said the same scams he saw 50 years ago are still happening; those messages are just being delivered over new channels. The classic, well-dressed, smooth-talking con man no longer exists, he said, because the conning no longer happens in person.
William Hoffman contributed to this article.
Follow Luca Gattoni-Celli (@TheGattoniCelli) on Twitter for real-time updates.