The 2019 IRS “Dirty Dozen” Tax Scams #1: The Dangers of Phishing

Every year, the IRS publishes a list of the most prevalent scams to watch out for during tax season. Phishing kicks off this year’s IRS Dirty Dozen.

“Phishing,” which makes the IRS “Dirty Dozen” list of tax scams every year, involves tricking people into revealing their passwords and other personal information through fake websites, emails, and social media sites. The people who perpetrate these schemes are very savvy, and the IRS warns taxpayers to beware of their increasingly sophisticated con games. Here are some new ones to look out for this tax season:

Using Your Own Bank Account

Since so many taxpayers are now wary of fake emails, scammers have developed a new trick – filing a false tax return in your name, having a tax refund sent to you (or deposited directly into your bank account), and then getting you to “refund” the money to them by falsely claiming to be from the IRS or a collection agency.

If you see an unexpected deposit from the IRS in your bank account, do the following:

  1. Contact your bank and have them return the money to the IRS.
  2. Call the IRS at 800-829-1040 (individual) or 800-829-4933 (business) and explain why you are returning the funds.

Tax Topic Number 161 – Returning an Erroneous Refund also provides instructions on what to do if you receive funds from the IRS that you weren’t expecting. Remember to return the money promptly in the precise manner indicated in these instructions, or you may be subject to interest charges!

Malware Attacks on Tax Professionals and Businesses

Businesses need to be especially vigilant with their emails. The IRS has received reports of sophisticated phishing schemes that target client information of tax professionals, payroll staff, and human resource personnel. These schemes, referred to as “business email compromise” (BEC) or “business email spoofing” (BES) scams, take many forms, such as:

  • A request to pay a phony invoice.
  • A request from someone claiming to be an employee to reroute a direct deposit.
  • A request from someone posing as someone known to you (such as a company executive) for a wire transfer.
  • An email that, when opened, downloads malware onto your computer, enabling the hacker to extract sensitive taxpayer information from your client database (or even track keyboard strokes, exposing login information).
  • An “email account compromise”, whereby the hacker sends phishing emails from your email address to your contacts.
  • An email from someone claiming to be seeking your professional services, which includes an attachment containing an embedded web address. You think that you are downloading a new client’s financial information, but instead the cybercriminal is collecting your passwords and other information.
  • The “W-2 scam,” where a cybercriminal sends payroll staff an email impersonating an executive at the company, requesting a list of all employee W-2 forms. The scammer then files fraudulent tax returns using your employees’ personal information and collects the refunds.

The IRS has established an Internet Crime Complaint Center (IC3), and an email address to report phishing scams:

Next on the 2019 IRS Dirty Dozen list is phone scams, the subject of our next blog in this series.