As tax season begins to hit full swing, the IRS is warning filers and professionals about familiar phishing scams and some new ones, particularly in the wake of major data breaches in the past year.
The warning comes this week as part of the rollout of IRS’s “Dirty Dozen” list of tax scams, which has historically focused on basic but timeless techniques like spoofed phone calls but has since evolved to modern scams, like phishing.
Tax season, the IRS said, comes with a major increase in these phishing attempts, through which a bad actor attempts to steal information by misrepresenting themselves in the digital space through email, text messages, websites, social media and more.
“Taxpayers should be on constant guard for these phishing schemes, which can be tricky and cleverly disguised to look like it’s the IRS,” said IRS Commissioner Chuck Rettig. “Watch out for emails and other scams posing as the IRS, promising a big refund or personally threatening people. Don’t open attachments and click on links in emails. Don’t fall victim to phishing or other common scams.”
In light of massive data breaches last year — such as those involving Facebook, Marriott and Quora — the IRS says the taxpayers and preparers should be extra vigilant as criminals could use information obtained in those breaches to fuel a tax scam. “Data breach thefts have given thieves millions of identity data points including names, addresses, Social Security numbers and email addresses,” the agency says.
This year, the agency has noticed some new and evolving phishing scams making rounds, such as one in which the fraudster, after getting personal information from a victim, uses a taxpayer’s bank account against them.
“After stealing personal data and filing fraudulent tax returns, criminals use taxpayers’ bank accounts to direct deposit tax refunds,” explains an IRS release. “Thieves then use various tactics to reclaim the refund from the taxpayer, including falsely claiming to be from a collection agency or the IRS.” The agency warns taxpayers to vigilant for this new variation of phishing by checking their bank accounts for unexpected direct deposits regularly.
Those on the other side of the tax-filing process, like tax and human resources professionals, should be on the watch for phishing as well, the IRS warns, saying its seen “more advanced” schemes targeting them, like what it calls business email compromise or spoofing. Through these techniques, criminals pose as a business seeking payment on an invoice, an employee needing to re-route a direct deposit or someone a taxpayer has entrusted to perform a wire transfer.
As always, if a taxpayer or professional encounter or suspect a phishing attempt using the IRS’s name or association, they should report it to firstname.lastname@example.org. The agency also reminds: “The IRS generally does not initiate contact with taxpayers by email to request personal or financial information. This includes any type of electronic communication, such as text messages and social media channels.”