Tax season is here. And it presents a great opportunity for cyber criminals. Many cyber criminals ramp up their efforts to trick people into clicking malicious links or providing their business or personal information. Scammers know many people are expecting to receive tax-related correspondence, such as messages from government tax agencies. Targeting individuals’ personal or business email accounts with tax-related phishing emails is a tactic that threat actors commonly use. The National Cybersecurity Alliance and the Internal Revenue Service (IRS) want to help you stay safe online while filing your taxes with these best practices, tips, and resources.
Tax Tech Tips
- Request that your employer send your W-2 electronically in a secure fashion. If this is not an option, keep your address up-to-date so your W-2 is not sent to the wrong address.
- Use strong and unique passwords, and NEVER share them. Create long and unique passphrases for all accounts and use multi-factor authentication (MFA) wherever possible. MFA will fortify your online accounts by creating an extra layer of security, such as a unique one-time code sent to your phone. Most major email and online tax preparation services have this tool available.
- Install a Password Manager - Remembering unique passwords for accounts is difficult. Store your login credentials in a password manager. Password managers will automatically populate your username and password upon login, and even recommend strong new passwords for each account.
- Use an encrypted Internet connection - Use secure Internet commerce websites; they normally contain "https" in the web address.
- Know how to spot phishing emails.
- Don't Wait to Update! Before filing your taxes at home or work, be sure that all internet-connected devices, including PCs, smartphones and tablets, are running the most current versions of software to improve the performance and security of your devices.
Watch out for Scams
Scammers using these tactics generally attempt to create a sense of urgency, or have a good story that would tend to compel you to disclose personal information such as your date of birth, social security number, driver’s license number, or even usernames and passwords to your accounts.
Unsolicited emails, calls, or texts that prompt you to click on a link or share valuable personal and financial information are very likely scams. With your personal data, online thieves can swindle funds and/or commit identity theft.
Be skeptical of any phone calls, emails, or texts claiming to be from the IRS, or other government agencies. Almost all contact from the IRS will be initiated via the U.S. Postal Service. They will only call once they have established a line of communication with you via physical mail first. The IRS will not demand you make an immediate payment to a source other than the U.S. Treasury. Unscrupulous callers claiming to be federal employees can be very convincing by using fake names or phony ID numbers. If you are unsure if the caller is legitimate, hang up, look up the direct number for the agency online, and call that source to verify.
- All emails and texts should be carefully inspected, especially those claiming to be from the IRS; as noted above, the IRS does not send emails or text messages.
- Do not provide personal information via email.
- Carefully inspect URLs before clicking on links in tax-related search results; scammers have been known to set up impersonation websites of legitimate tax preparation companies.
- Don’t take the call: The IRS will not call you. If someone calls claiming to be from the IRS, do not provide any information; promptly hang up.
Common Scams
- Refund Calculation Scam: “The IRS recalculated your refund. Congratulations, we found an error in the original calculation of your tax return and owe you additional money. Please verify your account information so we can make a deposit.”
- Stimulus Payment Scam: “Our records show that you have not claimed your COVID-19 stimulus payment. Please provide us with your information so we can send it to you.”
- Verification Scam: “We need to verify your W-2 and other personal information. Please take pictures of your driver’s license, documents, and forms and send them to us.”
- Gift Card Scam: “You owe us back taxes and may be charged with a federal crime. You must pay a penalty to avoid being prosecuted. Purchase these gift cards and send them to us and we will wipe your record clean.”
- Fake Charity Scam: Scammers pose as a legitimate charity, often with a name similar to that of a real charity, to trick you into donating money to their own cause: filling their pockets.
- Fake Tax Preparers: Watch out for tax preparers that refuse to sign the returns they prepare. If they gain access to your information, they may file fraudulent tax returns redirecting your refund or attempt to access your bank accounts.
Other Red Flags
Hopefully you have avoided the common tax scams, but the cyber criminals may have other methods of obtaining your information, such as data breaches of companies you do business with. Watch out for these warning signs that you may already be a victim.
- You attempt to file a tax return, either online or by mail, but are informed by the IRS or your state that they have already received one.
- You are informed by the IRS that an account has been registered in your name at IRS.gov even though you have never created one.
- You receive a transcript from the IRS that you did not request.
Additional Warning Signs to be aware of:
Requests for PII - Personally Identifiable Information (PII) refers to any data that could potentially identify a specific individual.
Urgency - The sender uses an abnormal sense of urgency, or other scare tactics, to obtain information.
Attachments - The message includes an attachment, such as a PDF. Never open attachments from a suspicious or unknown email address. Opening one may download malware or viruses onto your device.
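The warning signs above can be expressed as a simple triage check. This is an added example, not part of the original guidance or any IRS or USNH tool; the keyword lists, the flag names, and the sample messages are constructed for illustration.

```python
import re

# Illustrative keyword lists (assumptions, not an official ruleset).
PII_TERMS = re.compile(
    r"social security|\bssn\b|date of birth|driver.?s license|password|username|"
    r"account information|\bw-2\b", re.I)
URGENCY_TERMS = re.compile(
    r"immediately|urgent|within 24 hours|avoid being prosecuted|federal crime|"
    r"final notice", re.I)
PAYMENT_TERMS = re.compile(r"gift cards?|wire transfer", re.I)
IRS_CLAIM = re.compile(r"\birs\b|internal revenue service", re.I)

def red_flags(message):
    """Return the sorted warning signs found in one message dict."""
    body = message["body"]
    flags = set()
    if PII_TERMS.search(body):
        flags.add("requests_pii")
    if URGENCY_TERMS.search(body):
        flags.add("urgency")
    if message.get("attachments"):
        flags.add("attachment")
    if PAYMENT_TERMS.search(body):
        flags.add("unusual_payment")
    # The page states the IRS initiates contact by postal mail, so an
    # email or text claiming to be the IRS is itself a warning sign.
    if message["channel"] in ("email", "text") and IRS_CLAIM.search(
            message["sender"] + " " + body):
        flags.add("irs_claim_by_email_or_text")
    return sorted(flags)

# Constructed sample messages (not real correspondence).
SAMPLES = [
    {"channel": "email", "sender": "IRS Refunds <refunds@irs-example.invalid>",
     "body": "The IRS recalculated your refund. Please verify your account "
             "information so we can make a deposit.", "attachments": ["form.pdf"]},
    {"channel": "text", "sender": "+1 555 0100",
     "body": "You owe back taxes and may be charged with a federal crime. "
             "Purchase these gift cards and send them to us.", "attachments": []},
    {"channel": "email", "sender": "Payroll <payroll@employer.example>",
     "body": "Your pay statement for this period is available in the portal.",
     "attachments": []},
]

if __name__ == "__main__":
    for m in SAMPLES:
        print(m["sender"], "->", red_flags(m) or "no flags")
```

A message with no flags is not thereby safe; the check only surfaces the signs listed here so a person can decide whether to report the message.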
Report IT
Personal E-mail - You can report IRS, Treasury or tax-related phishing scams to phishing@irs.gov. Reporting phishing helps prevent future phishing attempts and protects others. Once you report a phish, delete it.
Work E-mail - If you receive an email at your USNH or component institution e-mail address that you think may be a phishing attempt, you can follow the steps on our USNH PhishBowl page to report it to Cybersecurity in addition to reporting to the IRS. You can also check the PhishBowl to see other phishing attempts reported by the USNH community.
The IRS has also published information regarding Tax Scams/Consumer Alerts.