Avoiding Tax Season Phishing Scams


With tax season now in full swing, cyber criminals have once again boosted their fraudulent activities; hoping to scam unsuspecting individuals out of well-earned refunds and possibly even their own identities.

But despite the many complex tools scammers can use to gain access to sensitive account information, the sense of urgency around filing taxes creates a breeding ground for successful phishing attacks.

In 2019 alone, the United States Treasury stopped 3,529 fraudulent tax returns; preventing $15.8 million in refunds. Additionally, over the course of a single tax season, 3,741 identities of U.S. citizens were compromised and potentially sold. While these numbers were not solely generated by phishing attacks, the Federal Trade Commission has confirmed that phishing emails and phone calls rank highly amongst the leading causes.

What is a Phishing Scam?

Fortunately, there are simple, yet effective, procedures individuals can follow to greatly mitigate the risk of these attacks. But before exploring these security initiatives, let’s begin by elaborating on what the term “phishing” entails and how it can play into tax theft.

In its most common form, phishing scams are confidence scams, typically sent via email, where attackers pose as a reputable person or organization in hopes of stealing information. But whereas some phishing tactics remain static and can be used year-round, those implemented during the busy financial months are continuously altered to reflect different steps in the tax filing process.

Early Tax Season Phishing

Take, for example, those phishing scams commonly launched early in the tax season. Before W-2 forms are sent to employees, they typically pass through the office of a senior financial staff member. Noting all this sensitive information in one prime location, cyber criminals see an opportunity to target these executives: in hopes of acquiring the identities of an organization’s entire team. While, there are a few tactics criminals use to accomplish this, the most notable comes in the form of email spoofing. By making it appear as though a message is coming directly from a CEO’s email address, the prospective scammer can politely and directly ask for access to employee files, such as their W-2s.

But what if employees have already received the forms necessary to begin the tax filing process? In that case, scammers can take a different approach; forgoing the spoofing of c-suite executives in lieu of impersonating large payroll companies. For organizations that use the HR management software developed by ADP, this became a wide-scale problem throughout the early months of 2020. Around the same time individuals were supposed to begin receiving their W-2 forms, groups of cyber criminals began flooding inboxes with seemingly authentic notifications from ADP; alerting employees that digital copies of their forms were ready.

Unbeknownst to many individuals, the link provided within these emails was fraudulent; leading them to a fake login page when clicked. For users that were unlucky enough to enter their credentials on this page, criminals captured this information in hopes of gaining access to each individual’s legitimate account. By doing so, scammers could potentially leverage this information to access a user’s birth date, physical address, social security number, pay stubs, bank routing numbers, and more. And while this ADP phishing attempt only impacted a small portion of the U.S. workforce, similar scams occur on a regular basis.

Late Tax Season Phishing

Although the launch of a new financial season amplifies the risks associated with phishing attacks, individuals should continue to remain on guard throughout the remainder of the year. In particular, scammers continue to prey on those that end up owing the IRS additional payments after the filing process is complete.

Most commonly, these criminals attempt to impersonate IRS or local police officials; reaching out to law abiding citizens to demand immediate payment through third-party services. Most recently, the IRS has noted that some criminal groups have begun to pose as a taxpayer advocate service, calling individuals and directing them to a fake IRS site where they are asked to pay bills that do not exist in the IRS’s database. Like the scenarios list above, these requests are only further supported by fraudulent email address spoofing and websites that appear to be legitimate.

How to Protect Against Tax Phishing Scams

While the aforementioned phishing scams may seem rather daunting upon first glance, effectively combating these attacks during peak financial seasons is a rather simple task. That said, it isn’t effortless, and it will require security measures to be initiated on both personal and organizational level. Keeping that in mind, here are five ways individuals can protect against phishing schemes.

  1. Implement security training: Some organizations undergo regular security awareness training to understand current phishing threats  and how to spot them. In particular, these training sessions go over new email spoofing techniques, how to detect fake URL links, and grammatical errors to look for when reviewing an email’s content.
  2. Conduct regular phishing testing: Take what is learned in the security training step and practice its ability to halt phishing attempts. By deploying a phishing testing and training platform, such as the one found here, organizations can send fake emails to see where vulnerabilities lie within the company. That said, extra emphasis should be placed on those in financial positions during this testing phase, ensuring they have the ability to fully realize when they’re being phished.
  3. Create company-wide policies: Define and enforce standard email practices across the organization. In particular, if an email asks for sensitive financial information, it’s often suggested that you call the sender to confirm their request. Even then, it’s highly suggested that all financial payments be conducted using a physical paper-trail, rather than the exchange of electronic money wiring.
  4. Flag phishing emails: For those with Rocket IT’s security measures in place, let the organization’s IT department know about any phishing emails that hit your inbox. By forwarding these emails to a knowledgeable expert, individuals can greatly reduce the likelihood that these emails will reach their colleagues.
  5. Be aware of the IRS’s standard practices: In an effort to help citizens realize when they’re being scammed, the IRS has ensured taxpayers that it will never conduct the following actions.
  • Ask for immediate payment through the use of prepaid debit cards or wire transfers.
  • Request that payments be made through a third-party service.
  • Threaten individuals with immediate law enforcement.
  • Leave pre-recorded, urgent or threatening phone messages
  • Automatically waive an individual’s right to appeal the amount owed.
  • Ask for financial information over the phone.

Again, it’s important to understand that protecting an individual’s information from phishing scams not only lies in their own personal security measures, but also on the security practices of the people around them. Therefore, while it’s difficult to completely stop a phishing attack from occurring within an organization, being aware of current phishing trends and the steps to pinpoint signs of suspicious communication can drastically reduce the likelihood of the criminals success.

For more information on the proactive measures businesses can implement to mitigate the risks associated with the tax season’s phishing attempts, give Rocket IT a call at 770-441-2520.

Related Posts

Subscribe to Rocket IT's Newsletter

Stay up to date on trending technology news and important updates.


Find out if Rocket IT is the right partner for your team

Claim a free consultation with a technology expert.

Fed up with IT support that falls short?

Claim a free 30-minute consultation and explore three key practices to evaluate the maturity of your help desk.