Cybercriminals Propagate Tax Scams: Ways to Spot and Combat Them

With the filing deadline quickly approaching this tax season, cybercriminals are beefing up their usual scams by increasing the frequency of their phishing attacks.

Nathan Eddy, Freelance Writer

March 30, 2023

5 Min Read
1040 individual income tax return with crime scene tape. Identity theft, tax fraud and cybercrime concept
JJ Gouin via Alamy Stock

Tax season provides a unique opportunity for hackers to capitalize off millions of Americans handling and submitting personal banking information, creating a perfect storm of factors that scammers take advantage of to prey on stressed taxpayers.

These factors range from the complexity of tax laws to the ready exchange of sensitive personal, business, and financial information.

Malicious actors perpetrate scams using phishing attacks where they pose as members of the IRS to trick taxpayers into sharing sensitive financial information such as Social Security numbers or personal bank account information.

They’re also exploiting unsecured networks or websites that consumers and businesses use to file taxes, as well as launching tax-themed malware that can infect devices and steal information including login credentials. 

Taking Advantage of Urgency

Lisa Plaggemier, executive director of the National Cybersecurity Alliance (NCA), explains the urgency of tax seasons can also result in individuals falling for other common scams.

Among these are opening attachments that install malware onto the target’s smartphone or computer or inputting sensitive information onto a malicious site.

“Scammers love to pose as the IRS using unsolicited emails, calls, texts, or direct messages that prompt you to share valuable personal and financial information are very likely scams,” she says. “One of the biggest red flags that you are being targeted for an IRS scam is that you get a phone call or message from a supposed-IRS representative without receiving any mail from the agency.”

She adds the IRS will also never email, text, or direct message you -- other warning signs include requests for data.

“Be extremely suspicious of any communications that ask you to provide personal information such as bank account information, Social Security numbers, login credentials, or mailing addresses,” Plaggemier says. “Finally, scammers use urgency and other scare tactics to obtain information. Their goal is to make you panic and stop thinking clearly.”

Spotting Red Flags, Using MFA

Darren Guccione, CEO and co-founder at Keeper Security, explains the increasing reliance on digital services to file taxes and share documents also opens new avenues for cybercriminals and scammers to get their hands on your information.

“This is especially true if they can gain access to online accounts that house tax forms like a workplace portal or your bank,” he says.

He adds that’s why it’s important to protect all accounts with strong, unique passwords and multi-factor authentication (MFA).

“Look out for the classic red flags of a phishing scam, including poor grammar issues or links that show an unusual address when you hover over them,” Guccione adds.

Along with impersonating the IRS, scammers may also pose as tax professionals, where signs of fraud include promises of bigger tax returns and a lack of credentials, such as a Preparer Tax Identification Number (PTIN).

Mika Aalto, co-founder and CEO at Hoxhunt, points out tax phishing attacks typically come in two varieties of hooks: the fake refund, and the false tax penalty.

“We see more fake refunds, but both are dangerous,” he says. “With a tax refund phish, the victim receives a notification from the IRS that they have been awarded a refund and must urgently click the link to collect it.”

This link could contain malware, or it could lead the victim to a credential harvesting site that attackers use to collect highly sensitive information such as social security numbers and bank accounts. 

Keeping Tax Information Secure

Plaggemier says cyber tax scams can be damaging because they target taxpayers financially and if successful, can gain access to the individual’s funds.

“Consumers should get an identity protection PIN from the IRS to keep online tax information secure,” she advises. “If an individual has fallen victim to a tax scam, they should report it to the IRS immediately.”

She says while cyber criminals haven’t necessarily changed their strategies in tricking taxpayers to divulge information, they’ve just gotten better at fooling them.

“Advancements in technology have enabled cybercriminals to target consumers at a greater rate and speed, increasing the chances of success,” Plaggemier says. “And while there are methods such as MFA to verify identities, not all Americans are using them even during tax season.”

She advises consumers and businesses to invest in services and software that confirm identities, such as MFA.

“Businesses and the government should also constantly monitor for upticks in tax scams and explain to employees and consumers alike the common scams that are out there and how to combat them,” she adds.

Keeping Calm Amid Pressure Tactics

Aalto explains tax phishes typically harvest personal info such as name, address, phone number, and Social Security number, in addition to banking details.

“Any attachments containing macros should be avoided,” he advises. “Take your time and contact the tax authority yourself by navigating to the IRS website and looking up the contact information without clicking any links in the email.”

He says tax authorities will never demand an immediate payment online, but attackers will typically fabricate a false deadline to collect an imaginary refund or avoid a non-existent tax penalty.

They will certainly not demand payment via cryptocurrency or gift cards, or instruct an urgent payment over the phone, as some vishing attacks do.

“If you find yourself feeling immense pressure to act immediate deadline from an email from a supposed tax authority, take a breath and investigate the sender field and hover over the link you’re being pushed to click,” Aalto says.

What to Read Next:

Iowa to Enact New Data Privacy Law: The Outlook on State and Federal Legislation

Special Report: Privacy in the Data-Driven Enterprise

What Does the Arms Race for Generative AI Mean for Security?

About the Author(s)

Nathan Eddy

Freelance Writer

Nathan Eddy is a freelance writer for InformationWeek. He has written for Popular Mechanics, Sales & Marketing Management Magazine, FierceMarkets, and CRN, among others. In 2012 he made his first documentary film, The Absent Column. He currently lives in Berlin.

Never Miss a Beat: Get a snapshot of the issues affecting the IT industry straight to your inbox.

You May Also Like

More Insights