It is tax season in the United States, which means both businesses and individuals are at risk of being conned out of their money or data. Learn about five popular email scams that will likely make the rounds.
It is tax season in the United States — and cybercriminals all over the world know it. For them, it is time to ramp up efforts to scam people out of their money or data. Initially, hackers mainly targeted individual taxpayers, but that has changed. Nowadays, businesses are common marks as well.
Here are five popular email scams that cybercriminals have used in the past to steal personal data and money during tax season. Since the scams were successful in the past, hackers will likely use them again in the future.
Businesses use W-2 forms to report employees’ earnings and tax withholdings to the US Internal Revenue Service (IRS), so cybercriminals often use these forms in their scams. Posing as an executive or another person in authority at a business, hackers send an email to the company’s payroll staff requesting copies of employees’ W-2 forms.
Many businesses have fallen victim to this scam, prompting the IRS to call it “one of the most dangerous phishing emails in the tax community”. The emails are very effective because cybercriminals take the time to study their marks and make preparations. For example, they usually spoof or hack the executive’s email account as well as personalize the W-2 request so it sounds plausible. That way, the payroll staff is less likely to question the email’s legitimacy.
With the recent release of the new IRS W-4 form, experts expect that cybercriminals will adapt this scam to request copies of W-4 forms. Like W-2 forms, W-4 forms contain employees’ social security numbers and other personal information, which hackers use to file fraudulent tax returns or steal people’s identities, or which they sell on the dark web.
In 2019, hackers launched many different types of IRS impersonation email scams. Here is how one common variation works: Pretending to be from the IRS, hackers send emails that contain subject lines like “Automatic Income Tax Reminder” or “Electronic Tax Return Reminder”. These unsolicited emails contain links to spoofed IRS websites and a password that recipients need to use to access files about their tax accounts, electronic returns, or refunds on those sites.
People who fall for the scam have their computers infected with various types of malware. For instance, the malware might be a remote-access tool that lets hackers take control of their computer or a keylogger that tracks their keystrokes.
In another common impersonation scam, cybercriminals send out phishing emails pretending to be from “IRS Online”, a non-existent entity. The emails contain subject lines that include the phrase “tax transcript” (the IRS’s term for a tax return summary) as well as attachments named “Tax Account Transcript” or something similar.
The attachments are laced with Emotet, a banking trojan used to steal sensitive information. Once on a computer, it is designed to spread to other machines in a local network. As a result, Emotet is one of the most costly and destructive malware programs affecting organizations, according to the Cybersecurity and Infrastructure Security Agency (CISA), which is part of the US Department of Homeland Security.
Although the Taxpayer Advocacy Panel (TAP) email scam first appeared in 2016, it has continued to pop up in email inboxes every year since then. In this scam, people receive emails supposedly from the Taxpayer Advocacy Panel (TAP) about their tax refunds. These emails try to trick recipients into clicking a link that leads them to a site where they are asked to provide personal and financial information.
Although TAP is a real group, it is not part of the IRS. It is a Federal Advisory Committee under the authority of the US Department of the Treasury. TAP members are volunteers who listen to taxpayers’ concerns to identify common issues and make recommendations for improving IRS service and customer satisfaction. TAP members are not involved in providing tax refunds — nor do they request personal or financial information from taxpayers.
Cybercriminals are increasingly targeting tax accountants and other professionals working in tax preparers’ offices. Hackers often use phishing emails to trick the tax professionals into providing their account passwords, Electronic Filing Identification Numbers (EFINs), Centralized Authorization File (CAF) numbers, and other sensitive data. The cybercriminals then use this information to access the systems in which the tax firms store their clients’ data. Once inside, the hackers steal the clients’ personal information, including their social security numbers. The cybercriminals often sell this data on the dark web. They also might use it to file fraudulent tax returns or steal people’s identities.
Don’t Become the Next Victim
While email scams are common during tax season, you and your employees can take some simple measures to avoid becoming the next victim. Most important is knowing how the IRS does and does not contact taxpayers.
The IRS does not initiate contact with taxpayers by email, text messages, or social media channels. Instead, it typically uses mail. “The IRS initiates most contacts with taxpayers through regular mail delivered by the U.S. Postal Service. However, there are special circumstances in which the IRS will call or come to a home or business,” according to the IRS. “Even then, taxpayers will generally first receive a letter or sometimes more than one letter, often called notices, from the IRS in the mail.”
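The lures described above leave indicators a mail filter can check: the quoted subject lines and attachment names, a sender claiming to be the IRS or TAP, and a W-2 or W-4 request whose sender or reply path is outside the company. The Python below is an added example, not code from this article or the IRS; COMPANY_DOMAIN, the regular expressions and the sample messages are assumptions constructed for illustration.

```python
import re
from email import message_from_string
from email.utils import parseaddr

# Lure strings quoted in the article; how they are matched is this example's choice.
LURE_SUBJECT = re.compile(
    r"automatic income tax reminder|electronic tax return reminder|tax transcript", re.I)
LURE_ATTACHMENT = re.compile(r"tax account transcript", re.I)
CLAIMS_IRS = re.compile(r"\bIRS\b|internal revenue service|taxpayer advocacy panel", re.I)
FORM_REQUEST = re.compile(r"\bW-?[24]\b", re.I)
COMPANY_DOMAIN = "example.com"  # hypothetical: the organization's own mail domain

def _domain(address):
    return address.rpartition("@")[2].lower()

def triage(raw_message):
    """Return the reasons a message should go to manual review (empty list = none)."""
    msg = message_from_string(raw_message)
    display_name, from_addr = parseaddr(msg.get("From", ""))
    _, reply_addr = parseaddr(msg.get("Reply-To", ""))
    subject = msg.get("Subject", "")
    text, reasons = subject, []
    for part in msg.walk():
        if LURE_ATTACHMENT.search(part.get_filename() or ""):
            reasons.append("attachment name matches a known lure")
        if part.get_content_type() == "text/plain":
            text += "\n" + str(part.get_payload())
    # The IRS does not initiate contact by email, so the claim alone is a flag.
    if CLAIMS_IRS.search(display_name):
        reasons.append("sender claims to be the IRS or TAP")
    if LURE_SUBJECT.search(subject):
        reasons.append("subject matches a known lure")
    # W-2/W-4 requests: flag when the sender or the reply path is off-domain.
    if FORM_REQUEST.search(text):
        if _domain(from_addr) != COMPANY_DOMAIN:
            reasons.append("W-2/W-4 request from outside the company domain")
        elif reply_addr and _domain(reply_addr) != COMPANY_DOMAIN:
            reasons.append("W-2/W-4 request with off-domain Reply-To")
    return reasons

# Constructed sample messages, not real mail.
SPOOFED_W2 = ("From: Pat Doe <ceo@example.com>\nReply-To: ceo@examp1e-mail.test\n"
              "Subject: Quick request\n\nPlease send me all employees' W-2 forms today.\n")
FAKE_IRS = ("From: IRS Online <notice@refunds.test>\n"
            "Subject: Your tax transcript\n\nSee the attached file.\n")
ROUTINE = "From: Sam Lee <sam@example.com>\nSubject: Lunch\n\nNoon works for me.\n"

if __name__ == "__main__":
    print([triage(sample) for sample in (SPOOFED_W2, FAKE_IRS, ROUTINE)])
```

A request sent from a genuinely compromised executive mailbox passes these header checks, so payroll staff should still confirm any W-2 or W-4 request through a separate channel.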