
The IRS forewarns of new email phishing scams

The agency is happy to review any suspicious email a taxpayer receives

Merry Scam’mas!

Yep, ‘tis the season to be victimized, and the identity-stealing elves are working overtime.

In the last month alone, ConsumerAffairs has reported on several phishing and email scams. Now, the Internal Revenue Service (IRS) is checking in to remind consumers that, come holiday season, all bets are off.

“The holidays and tax season present great opportunities for scam artists to try stealing valuable information through fake emails,” said IRS Commissioner Chuck Rettig. “Watch your inbox for these sophisticated schemes that try to fool you into thinking they’re from the IRS or our partners in the tax community. Taking a few simple steps can protect yourself during the holiday season and at tax time.”

Of all the U.S. government agencies, cyber scammers seem to love the IRS more than the others. Attempts to bilk taxpayers have risen 60 percent in 2018 alone.

As ConsumerAffairs readers know, IRS scams come in many forms. There’s the kind where scammers try to capitalize on a national tragedy to bilk consumers; the impostor scam where a supposed someone from the IRS tries to scare you into paying; and the W-2 scam where the scammer asks an employee to send a list of all company employees with their W-2 forms in order to pilfer multiple identities.

“These schemes can endanger a taxpayer’s financial and tax data, allowing identity thieves a chance to try stealing a tax refund,” the IRS said.

Forewarned is forearmed

The IRS can’t emphasize enough the importance of being cautious.

“There is no fool-proof technology to defend against [these attacks.] Users are the main defense. When users see a phishing scam, they should ensure they don’t take the bait,” the IRS reminds consumers.

Here are a few steps the IRS suggests consumers take to protect against phishing and other tax-related schemes:

  • Be vigilant; be skeptical. Never open a link or attachment from an unknown or suspicious source. Even if the email is from a known source, approach with caution. Cybercrooks are adept at mimicking trusted businesses, friends, and family -- including the IRS and others in the tax business. Thieves may have compromised a friend’s email address, or they may be spoofing the address with a slight change in text, such as name@example.com vs narne@example.com. In the latter, merely changing the “m” to an “r” and “n” can trick people. Another telltale sign that a scammer is on the other end of the email is grammar and spelling errors.

  • The IRS doesn't initiate spontaneous contact with taxpayers by email to request personal or financial information. This includes asking for information via text messages and social media channels. The IRS does not call taxpayers with aggressive threats of lawsuits or arrests.

  • Phishing schemes thrive on people opening the message and clicking on hyperlinks. When in doubt, don’t use hyperlinks; instead, go directly to the source’s main web page. Remember, no legitimate business or organization will ask for sensitive financial information via email.

  • Use security software to protect against malware and viruses found in phishing emails. Some security software can help identify suspicious websites that are used by cybercriminals.

  • Use strong passwords to protect online accounts. Password breaches continue to happen, and the IRS emphasizes that each account should have a unique password. Use a password manager if necessary. Criminals count on people using the same password repeatedly, giving crooks access to multiple accounts if they steal a password and creating opportunities to build phishing schemes. Experts recommend the use of a passphrase, instead of a password. You can do this by using a minimum of 10 digits, including letters, numbers, and special characters. Longer is better.

  • Use multi-factor authentication when offered. Some online financial institutions, email providers, and social media sites offer multi-factor protection for customers. Two-factor authentication means that in addition to entering your username and password, you must enter a security code generally sent as a text to your mobile phone. Even if a thief manages to steal usernames and passwords, it’s unlikely the crook would also have a victim’s phone.
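The name@example.com vs narne@example.com trick from the first tip can be checked mechanically. The sketch below is an added example, not code from the IRS or ConsumerAffairs: it folds look-alike letter sequences into one canonical form and compares a sender against a list of trusted addresses. The trusted list and the substitution table are constructed for illustration and go beyond the single "rn"/"m" case the article mentions.

```python
from email.utils import parseaddr

# Constructed sample data: addresses the recipient actually trusts.
TRUSTED = ["name@example.com", "phishing@irs.gov"]

# Assumed look-alike pairs (fake sequence -> letter it imitates).
# Only "rn" -> "m" comes from the article; the rest are illustrative.
CONFUSABLES = [("rn", "m"), ("vv", "w"), ("cl", "d"),
               ("0", "o"), ("1", "l"), ("i", "l")]

def skeleton(address: str) -> str:
    """Fold visually similar sequences so look-alikes compare equal."""
    s = address.strip().lower()
    for fake, real in CONFUSABLES:
        s = s.replace(fake, real)
    return s

def classify(from_header: str, trusted=TRUSTED):
    """Return (verdict, matched_trusted_address_or_None).

    The display name is discarded: it is free text the sender controls,
    so only the address inside the header is compared.
    """
    _, addr = parseaddr(from_header)
    addr = addr.lower()
    known = sorted(t.lower() for t in trusted)
    if addr in known:
        return "exact-match", addr
    folded = skeleton(addr)
    for t in known:
        if skeleton(t) == folded:
            # Same skeleton, different spelling: imitation of a contact.
            return "lookalike", t
    return "unknown", None

if __name__ == "__main__":
    # Constructed From: headers for the demonstration.
    for header in ["A Friend <name@example.com>",
                   "A Friend <narne@example.com>",
                   "someone@example.org"]:
        print(header, "->", classify(header))
```

An "exact-match" verdict only means the spelling is right; as the tip notes, a correctly spelled address can still belong to a compromised account.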

If taxpayers question the validity of any email, the IRS has staff on-call to review those emails. Taxpayers can forward these email schemes to phishing@irs.gov and the IRS will authenticate those messages.
