Security Spotlight: Avoiding Tax-Related Scams

Share with your network!


It’s that most stressful time of the year for millions of Americans: tax season. As you search for deductions and gather your W-2s, 1098s, and 1095s, you should also be on the lookout for bogus Internal Revenue Service emails, phone calls, and tax-related scams.

Earlier this month, the IRS released a series of alerts about their so-called “Dirty Dozen” list of tax scams — and phishing emails and vishing (voice phishing) calls were headliners. And just last week, the agency warned that there has been a 400% increase in phishing and malware attacks so far this year. The 1,389 scams that were reported between January 1 and February 16 top the total number of reported scams in 2014 and represent nearly half of the total reported in 2015.

This alarming trend is an indication that tax payers need to be extra vigilant this year. Because although these malicious communications tend to spike at this time of the year, fraudsters use them year-round — mainly because they work.

How to Protect Yourself

The most important thing to do with unsolicited emails and phone calls — particularly those that prompt you to divulge personal or financial data — is to treat them as though they are a threat to your personal data security. Many of the tax-related scams will use scare tactics and threats, or lure you with the promise of a large refund. And they can appear — through “From” address and Caller ID spoofing techniques — to come from a trusted source.

These tips can help you protect your personal data and prevent identity theft:

  • According to the IRS website, the agency “doesn't initiate contact with taxpayers by email, text messages or social media channels to request personal or financial information,” including passwords, PIN numbers, or account numbers. If you receive an unsolicited message from the IRS that requests sensitive data, report it (see below), then delete it.
  • Fraudsters have been known to pose as tax preparers in order to obtain sensitive information. Before you turn over any personal data, you must confirm that the request is legitimate. Make contact through a known, trusted channel (e.g., a confirmed email address or phone number).
  • Scammers will go to great pains to make their communications and websites seem legitimate. Logos and familiar-looking login screens cannot be trusted at face value. When you are dealing with your personal and financial data, you should avoid clicking on links in unsolicited messages. Instead, type a known address into your browser or use an established bookmark.
  • If you receive a suspicious call or email while at work, alert your IT department immediately as there’s a chance that others employees will also be contacted. Follow your organization’s guidelines for reporting phishing emails and other potentially fraudulent activities.

If you receive an unsolicited communication from the IRS — by email, phone, mail, or otherwise — do not act on it. In addition to alerting your security team if it happens at work, you should report the communication to the agency directly. Suspected phishing emails should be forwarded to and then deleted. For instructions about how to report vishing calls and other IRS scams, visit the Reporting Phishing and Online Scams page on the IRS website.

We hope you will consider sharing this blog post and the following infographic with your end users as well as friends and family in order to help curb the rise in successful social engineering attacks during this tax season and beyond.

Wombat's Tips for Avoiding IRS Scams


We are a leader in security awareness and training, and our methodology reduces risky end-user behaviors.