During tax season, scammers are hard at work trying to trick people into giving away their information: the same information they would use to steal their victims’ identities and cash in on their tax returns.

According to the IRS, some of the signs of identity theft are:

  • You get a letter from the IRS inquiring about a suspicious tax return that you did not file.
  • You cannot e-file your tax return because of a duplicate Social Security number.
  • You get a tax transcript in the mail that you did not request.
  • You get an IRS notice that an online account has been created in your name.
  • You get an IRS notice that your existing online account has been accessed or disabled when you took no action.
  • You get an IRS notice that you owe additional tax or refund offset or that you have had collection actions taken against you for a year you did not file a tax return.
  • IRS records indicate you received wages or other income from an employer you did not work for.
  • You have been assigned an Employer Identification Number, but you did not request an EIN.


Identity Theft in the news:

According to an article published by CNBC, consumers lost $56 billion to identity fraud in 2020.

March 16, 2022 – Fresno Man Charged in Schemes to Defraud and Identity Theft

How can someone steal an identity?

Usually, the attacks are associated with Social Engineering. The most common form of social engineering is Phishing.

Another well-known form of social engineering is Open Source Intelligence Gathering (OSINT).

With Open Source Intelligence Gathering, scammers perform advanced searches online to obtain and aggregate as much publicly available information as possible using search engines, social media platforms and online forums.

Sometimes the information shared on social media can be used to guess passwords or answers to security questions (think of those fun online quizzes: “Who was your first teacher?” or “Do you remember your first pet?”).


Chapman University empowers its community to stay safe online

To help protect staff, faculty, students, and Chapman University data, the Information Security Office partnered with the Office of Human Resources to create an Online Training and Awareness program.

The Online Training and Awareness program consists of:

  • Quarterly newsletters
  • Blogposts and articles published through the Working at Chapman website
  • Simulated phish emails that emulate the real email attacks forwarded to

MFA and your password: 

Multi-Factor Authentication is an additional security layer for your online account.

Multi-Factor Authentication is an excellent addition to our toolbox in the war against cybercrime.

A new attack is being observed in the wild. It aims to bypass MFA or trick users into approving an illegitimate authentication request.

It is dubbed “MFA Fatigue Attack” or “Push Notification Spamming.”

The spammers get hold of someone’s password and make continuous login attempts (most often using a script) until the user hits the “Approve” button, either by accident or because they think it is a legitimate request.

Tips to prevent the MFA Fatigue Attack:

  • Change your password immediately. The attackers need to know your password first to get to the MFA prompt.
  • When approving an authentication request, make sure the location is correct.
  • When in doubt, just click Deny.
  • If you are not in front of the computer actively trying to log in, do not approve.
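
A defender-side check for the attack described above, as an added example that is not part of the original post: it scans MFA push events for bursts of prompts sent to one user and escalates when an approval follows unapproved prompts in the same burst. The event layout, the sample data, the thresholds and the function name `detect_push_fatigue` are assumptions made for the illustration.

```python
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample events: (ISO timestamp, user, MFA push result).
# The field layout is an assumption, not any vendor's real log schema.
SAMPLE_EVENTS = [
    ("2022-03-16T02:10:00", "alice", "denied"),
    ("2022-03-16T02:10:40", "alice", "timeout"),
    ("2022-03-16T02:11:15", "alice", "denied"),
    ("2022-03-16T02:12:05", "alice", "timeout"),
    ("2022-03-16T02:12:50", "alice", "approved"),
    ("2022-03-16T09:00:00", "bob", "approved"),
    ("2022-03-16T13:30:00", "bob", "approved"),
    ("2022-03-16T14:00:00", "carol", "denied"),
    ("2022-03-16T14:00:30", "carol", "denied"),
    ("2022-03-16T14:01:10", "carol", "timeout"),
    ("2022-03-16T14:02:00", "carol", "denied"),
]

def detect_push_fatigue(events, threshold=4, window=timedelta(minutes=10)):
    """Flag users who receive `threshold` or more pushes inside `window`.

    Returns {user: "prompt_burst" | "approved_after_burst"}; the second
    value means an approval arrived after unapproved prompts in the same
    burst, so the session should be treated as possibly compromised.
    """
    recent = defaultdict(deque)   # user -> (time, result) pairs still in window
    alerts = {}
    for ts, user, result in sorted(events):
        now = datetime.fromisoformat(ts)
        q = recent[user]
        q.append((now, result))
        while now - q[0][0] > window:      # drop prompts older than the window
            q.popleft()
        if len(q) < threshold:
            continue
        rejected = sum(1 for _, r in q if r != "approved")
        if result == "approved" and rejected >= threshold - 1:
            alerts[user] = "approved_after_burst"
        elif alerts.get(user) != "approved_after_burst":
            alerts[user] = "prompt_burst"
    return alerts

if __name__ == "__main__":
    for user, kind in detect_push_fatigue(SAMPLE_EVENTS).items():
        print(f"{user}: {kind}")
```

An `approved_after_burst` result is the case the tips above are meant to prevent: the account's sessions should be revoked and the password reset, since the attacker already knew it.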


Both the IRS and the FTC are providing resources to help you stay safe online:

FTC Identity Theft Awareness

IRS Avoid Phishing Emails – video

To keep track of the latest phishing emails we receive, please visit

Stay safe!