The IRS has launched its annual campaign to raise awareness of tax scams that are highly prevalent during tax season. The Dirty Dozen campaign details 12 common tax scams that taxpayers, tax professionals and businesses need to be aware of and take steps to avoid.
In the run-up to the deadline for submitting 2018 tax returns, cybercriminals increase their efforts to obtain the personal information of taxpayers. The information can be used to submit fraudulent tax returns in victims’ names and to commit identity theft.
The campaign started on March 4, 2019. The IRS will be releasing information on the 12 most common scams for 12 consecutive weekdays. The campaign kicked off with a warning about the most common method of obtaining tax information: phishing attacks.
Phishing is a tactic used to fool people into divulging sensitive information. Phishing is most commonly conducted via email, although attacks can also occur via social media networks, SMS messages (SMiShing), and telephone calls (Vishing).
Phishing tax scams are commonplace. Scammers impersonate the IRS and attempt to fool users into visiting phishing websites where they are required to divulge sensitive information. Direct requests for information are also sent via email. The latter is common in attacks on businesses.
Two IRS impersonation attacks are common. The first involves emailing a taxpayer claiming they have overpaid tax and have a refund pending. In order to get the refund, taxpayers are required to visit a website and confirm their identity by providing personal information. An alternative scam threatens taxpayers with fines if they do not make contact over a tax issue. Again, the aim is to obtain personal information.
A new scam has been detected by the IRS this year that targets tax professionals. Cyberattacks are conducted to gain access to their networks to steal clients’ tax information. Fraudulent tax refunds are then filed, and the IRS makes payments via direct deposit to the taxpayers’ bank accounts. The scammers then make contact with the taxpayers and claim that the payment has been made in error and must be returned. They claim to be from a debt collection agency used by the IRS and convince taxpayers to transfer the payment to their account.
Business email compromise (BEC) and business email spoofing (BES) attacks are also commonplace. The former involves gaining access to the email account of the CEO or CFO via a spear phishing campaign and sending an email to the payroll/HR department requesting the W-2 form data of employees be sent via email. BES attacks are similar, except the email address of an executive is spoofed.
More than 100 of these attacks were successful last year and resulted in the theft of the tax information of hundreds, and in some cases thousands, of employees.
The IRS has advised taxpayers, tax professionals, payroll offices, and human resources departments to be on high alert for tax scams and phishing attacks and to report cases of spoofing of the IRS via the IRS website or by forwarding the scam email to [email protected].
The IRS has confirmed that it does not initiate communications via email asking taxpayers to provide their personal information. Any such email received should be treated as a possible tax scam. Links should not be clicked, email attachments should not be opened, and the IRS should be contacted on a verified phone number to find out if there is a problem. Alternatively, taxpayers can log in to their online tax account on the IRS website to check if there is a genuine tax problem.