Although the holiday shopping season may be the favorite time of year for hackers, cybercriminals also like to target and prey on unsuspecting U.S. citizens during tax season.
Whether it’s the looming April 18, 2023 deadline to file their taxes or excitement over the fact that they may be due a tax refund, taxpayers are often more susceptible to falling for scams around this time of the year.
Regardless of whether you’ve already filed your taxes with the best tax software or are crunching the numbers to meet the Internal Revenue Service’s deadline, these are five scams you need to be on the lookout for to keep both your personal data and your bank account safe.
However, the old adage “if it ain’t broke, don’t fix it” also applies here, as hackers and other cybercriminals continue to leverage the same schemes and tactics in their attacks year after year since they work so well. In fact, the IRS actually publishes an annual list of the top tax season scams called the Dirty Dozen and if you look through it, you’ll see that many of the same scams make the list.
Filing and paying your taxes is just a part of life that we all have to deal with, but by knowing the scams to look out for and following the tips at the end of this article, at least you won’t get hacked or scammed by cybercriminals this tax season.
1. IRS impersonation scams
Just like with Instagram, YouTube, Netflix and other popular brands, hackers love to impersonate the IRS in their scams. They often use threats of prosecution for breaking the law or a lower tax payment in an effort to deceive unsuspecting taxpayers.
According to a new blog post from Trustwave’s SpiderLabs, security researchers recently came across a phishing email that offered $16.5 million in approved funds if the recipient provides all of the required information — which includes their name, address, phone number, occupation and ID card.
Likewise, SpiderLabs also came across another IRS-themed phishing email that uses a share request to lure in victims. The email itself asks potential victims to review the attached HTML document and input sensitive information like their mother’s maiden name, Social Security number and date of birth which can be used to commit fraud or even worse, identity theft.
As a general rule of thumb, the IRS isn’t going to ask you for this kind of information, as they already have it. Also, the government agency will likely never contact you by email or over the phone as it prefers to do things the old fashioned way — through the mail. Sometimes, you might get a call from the tax agency, but this is extremely rare, and you would be expecting such a call from your previous correspondence with the IRS.
2. Malicious tax documents
Whether you’re dealing with your employer, an accountant, businesses you’ve invested in or a tax filing service, you’re likely going to have a lot of tax-related documents in your inbox come tax season. Hackers are well aware of this and often use it to their advantage.
SpiderLabs also recently observed a tax scam that involved phishing emails that contained a Microsoft Word file named “W2-2022.docx” that claimed to contain important tax details. However, if the recipient downloaded and opened the file, they were taken to a dangerous website that installs infostealer malware on their computer.
As the name suggests, infostealer malware is designed to gather up sensitive data stored on your computer or in your browser, extract it and send all of it back to hackers. Besides extortion or fraud, this information can also be used to steal your identity.
3. Fake tax forms
Besides tax documents, fake tax forms are also used to harvest sensitive data in phishing attacks.
In this particular example, hackers sent out form W-8BEN — which is typically used to establish foreign status for tax purposes — to a victim by mail or through a fax. The message accompanying the form claims that the victim is exempt from paying taxes but they need to authenticate their information by filling out the included form before faxing the completed form back to a fake IRS number controlled by the hackers.
Fortunately in this case, you can use a reverse fax number lookup tool to see if the fax number actually belongs to the IRS.
4. Tax refund scams
Since many people often get tax refunds from the IRS, hackers use them as a lure in their scams, too.
For instance, SpiderLabs uncovered a Facebook-themed phishing scam that says the recipient is under investigation for tax evasion. This scam arrives as an email that contains a URL the victim is prompted to click on. However, as the URL uses the “m.me” domain which is owned by Facebook’s parent company Meta, potential victims may be more inclined to click on it.
This link takes them to Facebook Messenger pages or conversations where they are then asked to provide personal information to the scammers.
5. Social Security Number scams
Social Security numbers are like the holy grail for hackers and scammers as they can be used to steal identities as well as to commit fraud. To pull off these types of scams, hackers often impersonate the Social Security Administration.
These scams often arrive as emails claiming that a person’s SSN has been terminated due to illegal activity. Many times, the emails include a phone number for a fake customer support line that they can call to resolve the issue. If they call though, the scammers then trick them into giving up personal information like their SSN or bank account details.
Even though this isn’t technically a tax scam — you'll run into it year round — this scam is often carried out by cybercriminals during tax season.
How to protect yourself during tax season
Another way that scammers try to fleece taxpayers out of their hard earned money is by claiming a tax return in their name. With a SSN and other personal information, this is easy enough to do.
For this reason, it’s a good idea to file early, as many victims of identity theft don’t realize it has happened to them until they receive a notification from the IRS saying their tax claim has already been filed.
At the same time, getting a six-digit Identity Protection PIN (IP PIN) from the IRS can help prevent this from happening to you. Once you get your IP PIN, the IRS will use it to verify your identity each time you file your taxes either electronically or by paper. These PIN numbers last for a full year and you can easily generate a new one when it expires. If you want to get your own IP PIN from the IRS, you can do so here. Keep in mind that the IRS will never ask for your IP PIN but you will need to include it when filing your tax returns.
If you’re worried about potentially falling for any of the tax scams detailed above, it’s also a good idea to invest in one of the best identity theft protection services. Besides helping you recover your identity and any lost funds as a result of identity theft, these services also include credit monitoring and send out alerts when suspicious transactions are made from your accounts.
In addition to identity theft protection, you'll also want to keep all of your devices protected from malware and the latest cyber threats. To do so, you can install the best antivirus software on your PC, the best Mac antivirus software on your Mac and one of the best Android antivirus apps on your Android smartphone. While there aren’t antivirus apps for iOS due to Apple’s own restrictions, Intego Mac Internet Security X9 and the Intego Mac Premium Bundle X9 are the only Mac antivirus software suites that can scan an iPhone or iPad for malware when it’s plugged into your computer via USB.
Tax season is stressful enough without having to deal with hackers and scammers. However, if you plan accordingly, check your inbox carefully and think before responding to the messages you receive while not letting your emotions get the best of you, you’ll be a lot less likely to fall for one of these tax scams.