This tax season, you might receive an email from the Tax Advocacy Panel (TAP) about a big, juicy tax return. You’ll be asked to provide personal information, including your social security number. But you won’t receive a single dime – because this is one of seven scams that the IRS has added to its Tax Scams/Consumer Alerts list.
For scammers, tax season is a buffet of phish and checks. In a “phishing” attack, attackers pretend to be someone they’re not – a trusted authority like a tax official, accountant, bank, or, in the above case, a volunteer board that advises the IRS. The phishers invent bait, which is usually a story that will lure you into disclosing personal information or clicking a malicious link.
We Americans are the phish. We’re vulnerable because taxes are scary and complicated. We’re afraid to make mistakes, miss deadlines, accrue penalties, or, heaven forbid, be audited. The government asks us to disclose our most personal financial information on pieces of paper that disappear into the invisible machinery of the American tax system. This creates infinite angles and opportunities for phishing attacks.
The phishers have become extremely sophisticated. They might impersonate your CEO or claim to be IRS employees and give a bogus badge number. They may spoof their caller ID system so that “IRS” pops up on your phone screen. Most eerily, they might know a lot about you. Between Facebook, LinkedIn, Twitter, and other public sources, they can piece together who you are and who you interact with regularly.
Tax scammers have one of three goals when they email, call, or send you a letter. First, they may want to steal your social security number so they can send a fraudulent return. Typically, they attempt this in January or February, so that Uncle Sam will send them a tax credit before you file your return. The IRS estimates that in 2013, it paid out $5.8 billion later determined to be fraudulent.
Second, the scammers may try to steal your identity for a multitude of purposes. They’ll try to get your SSN, credit card info, bank information, and anything else they can use to impersonate you. To do this, they bait you into clicking a link that leads to an official-looking website, which is prepopulated with your name, address, and phone number. They just need you to “confirm” the information and add or “correct” the sensitive information they want.
Third, the techiest scammers may try to penetrate your personal or company computer system. They need to trick you into downloading malware. The malicious software might snoop on your passwords or lock down your computer and hold it for ransom. Some malware can even force your computer to mine bitcoins, route transactions, or do other sketchy tasks.
So how do we prevent these attacks? Our game plan is to be vigilant and look for red flags, which we can split into three categories:
1. Technical Warning Signs
Most tax season scams arrive via email. The scammers use graphics that make it look just like a real message from the IRS, TAP, your state treasury, or whomever they wish to impersonate.
Whatever you do, do not left click a link or open an attachment without first taking precautions. If there’s a link, right click it to view or copy-paste the actual URL somewhere safe (a Word document or the Google search box would be fine). Does it lead to a legitimate website? An extension like .cn (China) or .ru (Russia) is a sure sign of trouble.
If you use e-fax, yes, you may receive attachments in tax-related emails. But if your e-fax software always converts documents into PDFs, don’t trust any other file type. In any tax-related email, treat .EXE, .MSI, or zip files with extreme caution.
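The checks above can also be run on a saved message without clicking anything. The following is an added example, not part of the original article: a small Python triage function that flags the extensions and attachment types named above and, going one step beyond the text, flags links whose visible text shows one host while the underlying URL points to another. The function name, the finding labels, and the sample message are all constructed for illustration.

```python
import os
from email import message_from_string, policy
from html.parser import HTMLParser
from urllib.parse import urlsplit
RISKY_TLDS = {"cn", "ru"}                      # extensions the article names
RISKY_ATTACHMENTS = {".exe", ".msi", ".zip"}   # file types the article names

class LinkCollector(HTMLParser):
    """Collect (href, visible text) pairs from <a> tags."""
    def __init__(self):
        super().__init__()
        self.links, self._href, self._text = [], None, []
    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href, self._text = dict(attrs).get("href") or "", []
    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)
    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None

def triage(raw_message):
    """Return the red flags found in one raw email message (hypothetical helper)."""
    findings = []
    for part in message_from_string(raw_message, policy=policy.default).walk():
        name = part.get_filename()
        if name:  # attachment: judge it by its file extension
            if os.path.splitext(name)[1].lower() in RISKY_ATTACHMENTS:
                findings.append("attachment:" + name)
        elif part.get_content_type() == "text/html":
            collector = LinkCollector()
            collector.feed(part.get_content())
            for href, text in collector.links:
                host = (urlsplit(href).hostname or "").lower()
                if host.rsplit(".", 1)[-1] in RISKY_TLDS:
                    findings.append("tld:" + host)
                # Visible text that looks like a URL should match the real target.
                shown = (urlsplit(text).hostname or "").lower() if "://" in text else ""
                if shown and shown != host:
                    findings.append("mismatch:" + shown + "->" + host)
    return findings

# Constructed sample message (not a real phishing email).
SAMPLE = (
    'MIME-Version: 1.0\nContent-Type: multipart/mixed; boundary="b1"\n\n--b1\n'
    'Content-Type: text/html\n\n'
    '<a href="http://tax-refund.example.ru/form">https://www.irs.gov/refund</a>\n--b1\n'
    'Content-Disposition: attachment; filename="refund_form.zip"\n\nplaceholder\n--b1--\n'
)
```

Calling `triage(SAMPLE)` returns one finding per red flag; an empty list means none of these three checks fired, not that the message is safe.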
2. Human Warning Signs
Tax officials can be belligerent on the phone, and scammers know this. However, the IRS and state tax agencies will not cross certain lines. They will not demand immediate payment without mailing you a statement. They will not require payment without giving you a chance to appeal the request. They won’t force you to use any particular payment method, and certainly not an odd one like Western Union. And no, they will not threaten to send the police for you.
Not all scammers use fear tactics. Some might try to make you think that Uncle Sam is being generous. For instance, they’ll claim that you owe the government $10,000, but if you remit a payment within 48 hours, $5,000 will be sufficient. Again, tax officials can be aggressive, but they don’t make ‘deals’ like that.
Most scammers have a strong command of English now. Still, odd salutations (Respected Sir/Madam), obvious grammar errors, and weird syntax appear, and they point to trouble.
Whether you spot a technical or human red flag, err on the side of caution. Over the phone, ask the tax official to provide a name, badge number, call back number, and caller ID. Then call the IRS at 1-800-366-4484 to verify the information. You can ask about sketchy emails and URLs. It’s bad to fall for a scam, but doubting, offending, or blowing off legitimate IRS employees could end up worse.
This tax season, treat every email, call, and letter with healthy skepticism. Invest time in vetting suspicious messages to save yourself from the misery of dealing with tax fraud, recovering your identity, or negotiating with a digital hijacker. Don’t be a phish, and beware of where you send your checks.