Beware These Tax-Season Phishing Scams

Tax season provides criminals with great opportunities for social engineering; American income taxes are complicated to calculate and file, and people have been trained from a young age by pop-culture to fear the IRS. It should be no surprise, therefore, that every year around this time crooks launch a significant number of tax-related phishing attacks. In fact, according to the IRS, last year, tax-season phishing and related scams surged by 400%.

While you should always be cautious and exercise healthy distrust of emails asking you to take any action that may be harmful if performed at the request of an unauthorized party, tax season requires extra diligence when it comes to tax-related scams. So, as tax season commences, here are some variants of phishing emails of which to be especially wary – and to train your friends and colleagues to recognize as scams:

Tax Refund Scam

This scam exploits people’s desire to receive free money. By telling people that they are due some particular refund by either the IRS or a State Authority but must read some document to understand how to receive their money, or must open and complete a form to actually claim it, this scam tricks people into either opening an email attachment or clicking a link to a rogue website – both of which lead to malware being installed on the user’s device, not a refund being paid. Some variants of this attack deliver ransomware, some deliver Remote Access Trojans, and some deliver spyware/keyloggers. Some variants may, instead of installing malware, or in addition to it, attempt to collect personal information via web-based forms or by asking would-be-victims to email such information to a particular address (which, naturally, is not an official irs.gov address). Don’t fall prey to any of these; the IRS never notifies people by email that they are owed money.

W2 scams

These phishing emails attempt to convince people working at a business to send the W2s for the organization’s employees to a particular email address, or to upload them to a particular website. Often these emails impersonate a senior executive within a firm, and are sent as “spear phishing” attacks to people in its accounting department. Never send out W2s to anyone without verifying the validity of a request directly with an authorized party in person, by video conference, or by telephone (with you calling the authorized party, not the other way around – and only if you are absolutely certain that you can recognize that party’s voice) in addition to getting the request in writing.

Update information scam

This phishing attacks tries to trick people into believing that they must log into the IRS and update their information in order to be able to e-file their taxes this year. Of course, it is not the IRS that is contacting them – nor into which they are being asked to log in and enter personal information.

Your payment was not received scam

This scam tricks people into thinking that some payment that they made to the IRS was not received, and if they do not take action right now they will get hit with big fees or get into other legal trouble. The scam attempts to exploit people’s dropping of their guard when they feel a sense of urgency or panic. Some variants of this scam contain malware-infected attachments, others link to malware-delivery sites, and others require submitting personal information in some form.

Your payment was short or late scam

Similar to the aforementioned “Your payment was not received scam,” this scam tricks people into thinking that they must take immediate action; variants of this attack may convey that late fees will grow dramatically if some balance is not paid, or that people may face arrest if they do not act immediately to follow the email’s instructions. Of course, like other IRS phishing scams, this one also delivers malware or collects personal information.

IRS policy change notice scam

This is a scam that tricks users into installing malware by sending them a notice that the IRS has changed some policy or policies, and users need to take some action to conform. This year, a common version of this scam claims that the IRS’s privacy policy has changed as a result of the Presidential election – exploiting the fact that Americans were bombarded during the election cycle with talk about each candidates’ desired tax-law changes, thereby creating an atmosphere in which people assume that there may be changes at the IRS due to the election. Of course, the IRS does not convey any changes in tax law or privacy policy by sending out policy change emails that require opening attachments or logging into websites – so don’t fall prey to the scam. Do not open attachments sent to you – or whose links were sent to you – by “the IRS;” go to the IRS’s website and directly search for any information that you need.

“Tax Transcript” account info scam

People applying for financial aid to colleges and other schools are often required to submit IRS tax transcripts. These reports can be ordered online, and the IRS does send various confirmation emails related to establishing the accounts used to order them. (Of course, the IRS never emails the actual transcripts.) Scammers may send out phony account registration or password reset emails, in an effort to either collect login information, or to get people to install malware. People who have recently made IRS transcript and related requests are especially vulnerable to being duped by this scam. Don’t fall for it – as with the policy change notice scam, go to the IRS’s website directly. Do not click links in emails sent to you by “the IRS,” and do not open attachments in emails that appear to come from the agency.

“Tax Profile” scams

This scam involves sending people emails that their “tax profiles has surpasses (sic.) IRS policies” or some similar (and, sometimes, nonsensical) language. The IRS doesn’t send emails out about “tax profiles” — ignore any email of this sort – it is a scam.

Refund change scam

This scam involves crooks impersonating taxpayers and sending emails to accountants and other tax-related service providers asking them to change the destination accounts to be used for tax refunds. Of course, the accounts that the crooks want the refunds to be sent to are controlled by the criminal (the account may even be a pre-paid debit card). If you are a tax preparer, always confirm any such request by speaking with the requester – in person, by video conference, or by telephone (with you placing the call, not the other way around – and only if you are absolutely certain that you can recognize that party’s voice) in addition to getting the request in writing.

In all cases, if you receive a possible phishing email, consider forwarding it to the IRS’s anti-phishing department at phishing@irs.gov.

This post was brought to you by the IBM Security team. For more content like this visit Security Intelligence.