COVID-19 tax-related scams top IRS' Dirty Dozen 2021 list
Fake tax promises, other phony ploys are part of the 2021 IRS Dirty Dozen

Scam attempts to obtain taxpayers' personal info remain part of IRS' Dirty Dozen

Identity theft phishing

The COVID-19 pandemic presented new opportunities for crooks, as noted in yesterday's post on the first group of 2021's Dirty Dozen Tax Scams.

Today, however, we're back with the golden oldies, as in trying to steal your gold. And your identity.

These Personal Information Cons use a variety of techniques that have been around for years. There's phishing, its cousin voice phishing or vishing, Internal Revenue Service impersonators, social media trolling and tricks, and ransomware.

Regardless of which illegal method is used, the goal is the same. Criminals try to get as much of your personal information as possible, including but not limited to Social Security numbers, bank account or credit card information, and passwords. They then take that data and steal not only any tax-related payments you're due, but your whole persona.

These scams use tax hooks promising faster or larger refunds, as well as schemes threaten penalties or worse from what the crooks say are unpaid taxes.

Here's a closer look at these personal information tax scams and how to avoid falling for them.

Phishing at all the possible personal info pools: The Internal Revenue Service continues to see surges of fake emails, text messages, websites, and social media attempts to steal personal information. Although these attacks tend to increase during tax season, the IRS says they remain a major cause of identity theft throughout the year.

Phishing scams tend to be mainly via email, but also are used in text messages and social media posts where crooks post as family or friends to engage their victims.

More often, though, phishing attempts try to convince targets that the message is from an official source, even the IRS. After years of practice, the schemes can be tricky and cleverly disguised to look legitimate.

So be careful. Watch out for emails and other scams posing as the IRS. Be particularly skeptical of unsolicited messages promising a big tax refund, missing stimulus payment, or even issuing a threat. And never open attachments or click on links in those emails or text messages.

Phishers also look to catch tax pros: Phishing scams are productive. That's why they're still around. But it takes time to go from one taxpayer target to another.

So crooks looking for a better return on their illegal efforts target tax professionals. If they can get into tax preparers' databases, they'll get a wealth of information on all their clients.

The IRS and its Security Summit partners in the states and tax industry have renewed their warning to tax professionals about phishing scams involving verification of Electronic Filing Identification Numbers (EFIN) and Centralized Authorization File (CAF) numbers. The agency has seen an increase in these kinds of scams, along with offers to buy and sell EFINs and CAFs.

Tax professionals have reported receiving scam e-mails from the fictitious "IRS Tax E-Filing" group. Don't open any of these e-mails' attachments; don't click any links. Rather, report the scam to the Treasury Inspector General for Tax Administration (TIGTA).

Fake "new client" phishing bait: Most tax and accounting offices look to expand their services. Crooks try to take advantage of this basic business goal by posing as potential tax clients.

The IRS offers the following email new client scam example: "I just moved here from Michigan. I have an urgent tax issue and I was hoping you could help. I hope you are taking on new clients."

The email from the fake potential client also includes two attachments. One is said to be an IRS notice. The other is the fake prospective client's prior-year tax return that's being questions by the IRS.

In another fake new client scam, an image of which is shown below, the masquerading phishers says he/she/they were recommended by their former tax preparer who is retiring.

Tax pro PTIN scam email_IRS example

As these two examples show, the new client scam is easy to tweak. So be on the lookout for variations and be wary of emails from unknown senders.

IRS impersonator phone calls and vishing: In additional to email outreach, crooks still use phones to try to gather personal financial information. One of the most prevalent forms of voice-related phishing, known as vishing, was the call from an IRS employee impersonator.

The good news from the IRS and the Federal Trade Commission (FTC) is that both agencies report a decline in these fake tax agent calls. The IRS has seen a 43 percent decrease in the number of reports of calls from callers claiming to be from the IRS, down to 20,500 in 2020 compared to 36,000 in 2019. The FTC saw a 67 percent decline from 7,694 reports in 2019 to 2,571 in 2020.

But the IRS says it now is seeing an increase in tax lien themed vishing scams. A quarter of these telephone phishing scams in 2020 were by crooks using fake tax lien information.

Remember, the IRS generally first contacts people by mail, not by phone, about unpaid taxes. When the IRS occasionally does call taxpayers, it will not demand immediate tax payment using an iTunes card, gift card, prepaid debit card, money order, or wire transfer.

If you receive any tax related call out of the blue, security experts recommend asking questions of the caller, but being careful not providing any personal information. If in doubt, hang up immediately. Then report the call to, you got it, TIGTA.

Social media's open scams book: The popularity of social media outlets has made them prime avenues to obtain information that can be used in identity theft. The easiest option for unscrupulous individuals is to lurk on accounts and discover personal information their victims reveal that can be used against them.

Sometimes, though, the cons get proactive, sending emails impersonating victims' family, friends, or co-workers to wheedle out a bit more data. So beware of that text message from Cousin Jane, whom you haven't talked to in ages, suddenly wanting to update her calendar with your birthday, including the year.

More often, though, phishing attempts try to convince targets that the message is from an official source, even the IRS. After years of practice, the schemes can be tricky and cleverly disguised to look legitimate.

The personal information you post also can be used by scammers who share, for example, a link to say your favorite charity you lauded on Facebook. But it's not the charity. It's a fake website or malware that gathers more data to steal your identity, tax and otherwise.

To prevent personal information you share on social media platforms from being collected and used against you, review your accounts' privacy settings and limit data that is publicly shared.

You also might want to also simply rethink how much you share online.

Ransomware on the rise: Already this year, multiple ransomware attacks have disrupted companies and consumer supply chains. With ransomware, the legitimate owners of data or programs are blocked by hackers who won't release access to it until they are paid.

These data hostage situations tend to be a problem for larger companies and industries, but the tactic is spreading. The U.S. Treasury Financial Crimes Enforcement Network (FINCEN) has noted that ransomware attacks continue to rise across various sectors, particularly across governmental entities as well as financial, educational and healthcare institutions.

Any company, including relatively small tax and accounting firms should take cyber security precautions. As evidenced by scammers' attempts to get into tax professionals' databases via phishing schemes, ransomware is another route to sensitive tax data.

Official earnings statements (like W-2, 1099 and other tax-related forms) and year-end statements (from our checking, savings, retirement and investments accounts) all contain our names, addresses, account numbers and, of course, our Social Security numbers.

Uncle Sam already requires, under the Financial Services Modernization Act of 1999 and administered by the Federal Trade Commission, that tax professionals have a written security plan in place to safeguard all their clients' tax data. Ways to prevent and/or deal with ransomware attacks should be part of that plan.

Two down, three to come: As noted at the beginning of this post, this is part 2 of this year's special rollout of its annual Dirty Dozen Tax Scams. Instead of delivering them all at once in list form, the IRS is doing so based on four categories of scams.

The scam quartet is listed below, with the published categories linked to the posts here on the ol' blog discussing them:

After the IRS completes its list, I'll wrap up things here with a consolidated look on Friday, July 2, of the 2021 Dirty Dozen Tax Scams and a review of ways to avoid falling for any and all of them.

You also might find these items of interest:






Feed You can follow this conversation by subscribing to the comment feed for this post.

The comments to this entry are closed.