The IRS Dirty Dozen 2016, #3: Phishing

Phishing is a type of fraud in which a scammer attempts to get their victim to divulge personal and financial information such as their social security number, birth date, bank or credit card account numbers and passwords. This is usually done via an email that appears to have been sent from a legitimate entity such as a governmental agency, bank or credit card company. The IRS has identified a 400% increase in phishing and malware this tax season, with 1,026 incidents in January 2016 as opposed to 254 in January of 2015. 

The “hook”

Most phishing emails generated during the tax season look like they come from tax software companies or the IRS. As we noted in our previous post on identity theft, hackers managed to break into the IRS computer systems recently, gaining access to roughly 101,000 E-file PINs.  Many phishing attempts similarly seek out those PINS. Scammers are also aiming for access to the PTIN System for professional tax preparers.

Another technique utilized by scammers is to design phony websites that look exactly like the real ones that they are modeled after. The victim, thinking that they are on a legitimate site, is tricked into inputting their username, password, personal and financial information. Phishing emails and websites may also be designed with malware that gives the scammer access to the victim’s computer, enabling them to access private files and track keyboard strokes.

Phishing techniques

There are so many types of phishing now that many techniques have been given names of their own. Here are just a few:

  • Spear phishing, the most common type of phishing today, is directed at specific individuals and companies.
  • Clone phishing involves email “spoofing”, or where a legitimate email is duplicated and re-sent from an email similar to that of the original sender (often disguised as a re-send or update); the new email often contains malware.
  • Phone phishing refers to a message that appears to be sent from a bank asking the recipient to call a phone number regarding a problem with his or her bank account – account numbers and PINS are collected. Phone phishing often utilizes caller ID spoofing.
  • Whaling is the term for attacks on senior executives and other high profile individuals in private companies, often disguised as an email concerning a company lawsuit or upper management issue.
  • Pharming is where hackers tamper with a company’s domain name system or host files, and then redirect users to a fake website.

Heed the warnings

Most email providers have issued warnings to their users on how to identify and report phishing emails and websites, and we encourage our clients to review these warnings frequently, as scammers tend to change their tactics. Here are a few:

The IRS warns taxpayers to report any emails claiming to be from the IRS, particularly those that request personal information or refer to taxes on a lottery, inheritance or large investment. Every year, taxpayers are instructed not to open any attachments, not to reply to the email, and not to click on any links. Just forward the email to and then delete the email.  We also recommend that private companies invest in system-wide email and database security systems and have staff on hand to monitor company online activity on an ongoing basis. 

Tax law firm in San Francisco

Many of the tax professionals at Moskowitz, LLP have, individually, more than 30 years’ experience handling all types of civil and criminal tax issues. If you or your company requires legal assistance, contact our office today for a consultation.