IRS Warns Taxpayers about the Latest Phishing Schemes by Joseph L. Saka, CPA/PFS
Posted on March 19, 2019 by Joseph Saka
According to the IRS, the 2019 tax-return filing season has been plagued by a surge in fake emails, text messages, websites and social media posting in which criminals attempt to steal taxpayers’ personal information. To protect themselves and avoid becoming victimized, taxpayers must take some basic security steps, remain cautious and stay alert to recognize the warnings signs of these pervasive schemes.
Among the various methods that criminals use to prey on victims and get them to divulge their personal information are elaborate phishing attempts that begin with legitimate-looking emails purporting to come from the IRS a collection agency or another government agency with links to fake but convincing website landing pages and/or shortened URLs to social media postings.
In one scheme, thieves use taxpayers’ own bank accounts. After stealing a taxpayer’s social security number or other personal data, criminals file fraudulent tax returns and use the taxpayer’s bank account to direct deposit tax refunds. The thieves then pose as the IRS or other agency to reclaim the refund from the taxpayer.
One of the more advanced phishing schemes targets payroll professionals, human resource personnel, schools and other organizations that are trusted with taxpayers’ personal or financial information. Depending on the variation of these business email compromise scams (BECs) or business email spoofing (BES) scams, victims will typically receive a legitimate-looking email from a criminal posing as:
- a business asking the recipient to pay a fake invoice,
- as an employee seeking to re-route a direct deposit, or
- as someone the taxpayer trusts or recognizes, such as an executive within the company, who asks for a wire transfer.
Criminals may then use the email credentials from a successful phishing attack, known as an email account compromise, to send phishing emails to the victim’s email contacts. Malicious emails and websites can infect a taxpayer’s computer with malware without the user knowing it. The malware downloads in the background, giving the criminal access to the device, enabling them to access any sensitive files or even track keyboard strokes, exposing login victim’s information.
The IRS’s Security Summit partners encourage taxpayers and the keepers of their personal information to be wary of communicating solely by email, especially when they involve requests that are out-of-the-ordinary or when they involve personally identifiable information. Always pick up the phone and call the employee, executive or client to confirm their identity and veracity of the email request. In addition, remember that the IRS will never initiate contact with taxpayers or request personal financial or information via email, text message or social media.
If you receive an unsolicited email or social media attempt that appears to be from either the IRS or an organization closely linked to the IRS, such as the Electronic Federal Tax Payment System (EFTPS), report it to the IRS by forwarding the message to firstname.lastname@example.org.
About the author: Joseph L. Saka, CPA/PFS, is CEO of Berkowitz Pollack Brant, where he provides a full range of income and estate planning, tax and business consulting and compliance services, and financial planning expertise to entrepreneurs, high-net-worth families and family companies and business executives in the U.S. and abroad. He can be reached at the CPA firm’s Miami office at (305) 379-7000 or via e-mail at email@example.com.