The U.S. Internal Revenue Service (IRS) has issued a warning following a massive increase in SMS-based phishing (smishing) attacks over the past few weeks. The IRS-themed messages include links to malicious websites that attempt to steal sensitive personal and financial information.
The IRS says it observed an increase in smishing attacks on taxpayers in the fall of 2020, and the attacks continued throughout the pandemic, but this year has seen a major increase, especially over the past few weeks. In 2022, the IRS has identified thousands of fraudulent domains that were sent in smishing messages, with the past few weeks seeing an exponential rise in attacks.
The messages appear to have been sent by the IRS and use a variety of lures to get taxpayers to visit the malicious websites, such as offers of COVID-19 relief, assistance setting up online IRS accounts, and notifications about tax credits, to name just a few. If recipients click the links, they are directed to websites that spoof the IRS and other entities and attempt to trick taxpayers into disclosing sensitive information or downloading malicious code to their mobile phones.
“This is phishing on an industrial scale so thousands of people can be at risk of receiving these scam messages,” said IRS Commissioner Chuck Rettig. “In recent months, the IRS has reported multiple large-scale smishing campaigns that have delivered thousands – and even hundreds of thousands – of IRS-themed messages in hours or a few days, far exceeding previous levels of activity.”
The IRS said it will never send SMS messages or emails to taxpayers that require them to disclose sensitive personal or financial information such as bank account numbers. Any such request should be treated as a red flag that the message is not what it seems.
The IRS works to shut down online fraud and get the malicious domains taken down, but cybercriminals are constantly changing their tactics and are coming up with new ways to stay one step ahead, such as the use of algorithms to generate hundreds or even thousands of fraudulent domains for use in their smishing scams. The IRS identified one campaign that used around three dozen email addresses to create more than 1,000 fraudulent domains for use in the scams.
The IRS encourages the reporting of all scams impersonating the IRS, ideally by copying the message and pasting it into an email. This will allow the IRS to take action to shut down the scams and get the websites taken down.
The IRS says recipients of these phishing messages should:
- Create a new email to [email protected].
- Copy the caller ID number (or email address).
- Paste the number (or email address) into the email.
- Press and hold the SMS/text message and select “copy”.
- Paste the message into the email.
- If possible, include the exact date, time, time zone, and telephone number that received the message.
- Send the email to [email protected].
“Taxpayers and tax pros need to remain constantly vigilant with suspicious IRS-related emails and text messages. And if you get one, sending the IRS important details from the text can help us disrupt the scams and protect others,” said Rettig.