IRS warns of Phishing Attacks this (and every) Tax Season

The IRS warns us every year, that Tax Season brings an increase in the number of phishing attacks targeting the unwary, pretending to be from the Internal Revenue Service. This year is no different and here is the advice offered by the IRS this year:

R-2017-15, Feb. 1, 2017

WASHINGTON — The Internal Revenue Service today warned taxpayers to watch out for fake emails or websites looking to steal personal information. These “phishing” schemes continue to be on the annual IRS list of “Dirty Dozen” tax scams for the 2017 filing season.

The IRS saw a big spike in phishing and malware incidents during the 2016 tax season. New and evolving phishing schemes have already been seen this month as scam artists work to confuse taxpayers during filing season. The IRS has already seen email schemes in recent weeks targeting tax professionals, payroll professionals, human resources personnel, schools as well as average taxpayers.

In these email schemes, criminals pose as a person or organization the taxpayer trusts or recognizes. They may hack an email account and send mass emails under another person’s name.  They may pose as a bank, credit card company, tax software provider or government agency. Criminals go to great lengths to create websites that appear legitimate but contain phony log-in pages. These criminals hope victims will take the bait and provide money, passwords, Social Security numbers and other information that can lead to identity theft.

“These email schemes continue to evolve and can fool even the most cautious person. Email messages can look like they come from the IRS or others in the tax community,” said IRS Commissioner John Koskinen. “Taxpayers should avoid opening surprise emails or clicking on web links claiming to be from the IRS. Don’t be fooled by unexpected emails about big refunds, tax bills or requesting personal information. That’s not how the IRS communicates with taxpayers.”

Scam emails and websites also can infect a taxpayer’s computer with malware without the user knowing it. The malware can give the criminal access to the device, enabling them to access all sensitive files or track keyboard strokes, exposing login information.

Compiled annually, the “Dirty Dozen” lists a variety of common scams that taxpayers may encounter anytime but many of these schemes peak during filing season as people prepare their returns or find people to help with their taxes.

For those perpetrating these schemes, the scams can lead to significant penalties and interest and possible criminal prosecution. IRS Criminal Investigation works closely with the Department of Justice (DOJ) to shutdown scams and prosecute the criminals behind them.

The IRS has teamed up with state revenue departments and the tax industry to make sure taxpayers understand the dangers to their personal and financial data as part of the “Taxes. Security. Together” campaign.

Criminals increasingly are targeting tax professionals, deploying various types of phishing emails in an attempt to access client data. The IRS, state tax agencies and the tax industry also launched a public awareness campaign called Protect Your Client; Protect Yourself to warn tax professionals, offer tips and compile alerts.

If a taxpayer receives an unsolicited email that appears to be from either the IRS or an organization closely linked to the IRS, such as the Electronic Federal Tax Payment System (EFTPS), report it by sending it to [email protected].  Learn more by going to the Report Phishing and Online Scams page.

Tax professionals who receive unsolicited and suspicious emails that appear to be from the IRS or related to the e-Services program also should report it by sending it to [email protected].

It is important to keep in mind the IRS generally does not initiate contact with taxpayers by email to request personal or financial information. This includes any type of electronic communication, such as text messages and social media channels. The IRS has information online that can help protect taxpayers from email scams.

Each and every taxpayer has a set of fundamental rights they should be aware of when dealing with the IRS. These are your Taxpayer Bill of Rights. Explore these rights and the agency’s obligations to protect them on IRS.gov.

Related Items

Sophos warns about the latest real-world threat relating to Tax Season:

You may have heard of the CEO scam: that’s where spear-phishers impersonate a CEO to hit up a company for sensitive information.

That’s what happened to Snapchat, when an email came in to its payroll department, masked as an email from CEO Evan Spiegel and asking for employee payroll information.

Snapchat’s payroll department fell for it. Ouch.

Here’s a turn of that same type of screw: the Internal Revenue Service (IRS) last week sent out an urgent warning about a new tax season scam that wraps the CEO fraud in with a W-2 scam, then adds a dollop of wire fraud on top.

A W-2 is a US federal tax form, issued by employers, that has a wealth of personal financial information, including taxpayer ID and how much an employee was paid in a year.

This new and nasty dual-phishing scam has moved beyond the corporate world to target nonprofits such as school districts, healthcare organizations, chain restaurants, temporary staffing agencies and tribal organizations.

As with earlier CEO spoofing scams, the crooks are doctoring emails to make the messages look like they’re coming from an organization’s executive. Sending the phishing messages to employees in payroll or human resources departments, the criminals request a list of all employees and their W-2 forms.

The scam, sometimes referred to as business email compromise (BEC) or business email spoofing (BES), first appeared last year. This year, it’s not only being sent to a broader set of intended victims; it’s also being sent out earlier in the tax season than last year.

In a new twist, this year’s spam scamwich also features a followup email from that “executive”, sent to payroll or the comptroller, asking for a wire transfer to a certain account.

The wire transfer scam isn’t tax-related: it’s just hitching a ride on the tax-related W-2 scam. Some companies have been swindled twice: they’ve lost both employees’ W-2s and thousands of dollars sent out via the wire transfers.

The IRS is telling organizations that receive the W-2 scam emails to forward them to [email protected], with the subject line of “W2 Scam”.

If your business has already fallen for the scam, it can file a complaint with the Internet Crime Complaint Center (IC3), operated by the FBI. Employees whose W-2 forms have been stolen should review the recommended actions by the Federal Trade Commission at www.identitytheft.gov or the IRS at www.irs.gov/identitytheft.

The IRS says that employees should also file a Form 14039 Identity Theft Affidavit (PDF) if their own tax returns get rejected because of a duplicate Social Security number or if instructed to do so by the IRS.

How to sidestep the scam

But before you even get to the sad state of having to file a report about getting ripped off, it’s better to avoid falling for the bait in the first place.

Unfortunately, that’s getting tougher as crooks get more and more cunning. Case in point: the carefully crafted, well-disguised attack that led to the hacking of Clinton campaign chair John Podesta’s Gmail account. The attack relied on a shortened Bitly link to mask nefarious HTML code.

Screenshots of the Bit.ly link used against Podesta show that even the longer links hiding behind rigged Bitly links can be made to look, to an untrained eye, like they’re legitimate.

One step that can protect against phishing attacks is to pick proper passwords. Even though strong passwords don’t help if you’re phished (the crooks get the strong password anyway), they make it much harder for crooks to guess their way in.

Use two-factor authentication whenever you can. That way, even if the crooks phish your password once, they can’t keep logging back into your email account.

Also, consider using Sophos Home. The free security software for Mac and Windows blocks malware and keeps you away from risky web links and phishing sites.

Our tips for avoiding getting bitten by Phishing scams + links:

  • make sure you trust the source
  • view the email headers if you are not sure about the source
  • be wary of ‘masked’ or hidden links which use URL shorteners
  • double-check the links and maybe view the source
  • If in doubt, call the person or company that you think the email might be from – ask them to verify that they sent you an email, and ask them what the contents are concerning *BEFORE* you click on links which you think might be suspicious!
  • ALWAYS make sure your operating system, Java, Flash, Microsoft Office and Antivirus are up to date

Ready for the right solutions?

It’s time to offload your technology troubles and security stress.

"*" indicates required fields