The Internal Revenue Service has launched a tax-related phishing awareness campaign. The campaign is designed to inform taxpayers of the twelve most common tax scams, known as the ‘Dirty Dozen’.
Each tax season, the IRS raises awareness of the most common phishing campaigns in an attempt to protect taxpayers, businesses, and tax professionals. Cybercriminals are particularly active in the period from January to April as they attempt to harvest tax information to commit identity theft and submit fraudulent tax returns. As many individuals are trying to submit their tax returns, cybercriminals have a considerable number of targets. Cybercriminals can make a substantial profit even if only a small proportion of their campaigns are successful.
Phishing attacks pose significant threats to consumers, industries, and tax professionals alike. Phishing campaigns can take many forms; hackers can target their victims over email, phone, SMS, or social media platforms, or through spoofed websites.
The IRS launched the Dirty Dozen campaign on March 4, 2019. On each of the following 11 weekdays, the IRS highlights a different phishing scam being used by hackers in an attempt to fool individuals into disclosing tax information.
As public awareness of phishing scams increases, hackers have started to design more sophisticated scams to increase their chances of success. Hackers often spoof legitimate IRS emails in their campaigns. As with many phishing campaigns, the emails often require ‘urgent action’ on the part of the recipient; the email may threaten fines or legal action, or offer refunds for overpayment of tax. Unsuspecting users may follow the instructions in the email and unwittingly hand over their sensitive information to the hacker.
The IRS issued a warning in February regarding the detection of a new sophisticated tax phishing scam. Hackers were targeting tax professionals to obtain information on their clients. The hackers used this stolen information to file fraudulent tax returns, and the IRS issued tax refunds to taxpayers’ accounts via direct deposits. The scammers then contacted the taxpayers, pretending to be a debt collection agency acting on behalf of the IRS to reclaim payments, stating that they had been made in error.
The IRS urges payroll offices and human resources departments to be vigilant for tax-related phishing scams that attempt to obtain Form W-2 information. In these scams, hackers send emails to payroll/HR staff requesting W-2 form information for all employees who have worked in the past financial year. The hackers send the emails either from a compromised email account within the organisation (business email compromise (BEC) attacks) or from a spoofed account of a high-level executive (business email spoofing (BES) attacks).
The IRS stated that they generally do not initiate any contact with taxpayers via email and that they never request financial information over email. They urge anyone receiving a tax-related phishing scam email that spoofs the IRS to forward the message to firstname.lastname@example.org.
“Taxpayers should be on constant guard for these phishing schemes, which can be tricky and cleverly disguised to look like it’s the IRS,” explained IRS Commissioner Chuck Rettig. “Watch out for emails and other scams posing as the IRS, promising a big refund or personally threatening people. Don’t open attachments and click on links in emails. Don’t fall victim to phishing or other common scams.”