The IRS reported a surge in phishing scams during the 2018 tax season. Phishing schemes are designed by cyber criminals who attempt to lure unsuspecting victims into revealing their personal and financial information, usually through unsolicited emails. You can avoid becoming a victim of fraud if you know what to look for.
How Email Phishing Works
Phishing emails usually contain messages directing the recipient to a “spoof website”—a bogus version of a legitimate business' website. The messages often appear to be from an organization that the recipient is associated with financially, such as a bank or the Internal Revenue Service.
For example, you might be asked to click on a link to confirm your identity or update your information. But the sender’s goal is to steal your personal or financial information, including passwords, Social Security number and credit card data, and use it to commit fraud. Phishing emails may also contain attachments that carry malicious code that can harm your computer.
How to Detect IRS-Related Phishing Emails
A tax-related phishing email often mentions “IRSgov,” instructing you to update your IRS online account right away. The most telling sign that it’s a scam is the missing dot between “IRS” and “gov” in the web address.
Other phishing emails can state that:
- You qualify for a refund, but you must click on a link and fill out a form to access it.
- Your credit card funds were fraudulently used by someone else, but you can recover some of the money by visiting the included website.
- You will get a large sum in lottery winnings, a tax refund or an inheritance if you provide your personal and financial information.
Remember, the IRS will never contact you via phone, email, fax or social media to request personal or financial data or demand immediate payment. If you’re unsure whether a mailed notice is genuinely from the IRS, call the agency to find out.
How to Handle Tax Phishing Scams
If you receive a suspicious email claiming to be from the IRS:
- Do not respond, click on any links or open any attachments.
- Forward the email in its original form to the IRS at email@example.com.
- Delete the email from your inbox and trash folder.
- Report suspicious phone calls, faxes, text messages and mailed letters to firstname.lastname@example.org.
- Report monetary losses to the Treasury Inspector General for Tax Administration (TIGTA) and the Federal Trade Commission websites.
How to Spot Other Phishing Attacks
Phishing scams are a threat to consumers in general, so keep an eye out for attacks unrelated to the IRS. Be suspicious of emails stating that you will lose something—such as your bank account or email account—if you don’t respond or click on the stated link immediately. Signs of phishing schemes that imitate well-known businesses can include:
- Generic email salutations, such as "Dear valued customer," instead of your name.
- Poor grammar or spelling errors.
- Conflicting web addresses: Place your mouse over the link to see if the URL matches the typed web address in the message. If it doesn’t, it’s likely a scam. Avoid clicking the link.
- Web addresses that resemble those of prominent businesses, but are slightly different.
  - For example, the URL of a spoof site mimicking PayPal.com may begin with "http" instead of "https."
  - Or the web address may be something like "secure-paypal.com" instead of PayPal's actual URL.
Report non-IRS phishing schemes to the FTC.
Learn more about how to spot scams and where to report them at https://www.irs.gov/uac/Report-Phishing.
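The link checks described above (a visible address that differs from the real target, "http" instead of "https," and lookalike addresses such as "secure-paypal.com" or "IRSgov") can be automated. The Python sketch below is an added example, not part of the original article; the trusted-domain list, the flag names and the sample message are assumptions constructed for illustration.

```python
from html.parser import HTMLParser
from urllib.parse import urlparse
# Assumption: illustrative list of domains the reader really does business with.
TRUSTED = ("irs.gov", "paypal.com")

class LinkCollector(HTMLParser):  # collects (href, visible text) for every <a>
    def __init__(self):
        super().__init__()
        self.links, self._href, self._text = [], None, []
    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href, self._text = dict(attrs).get("href") or "", []
    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)
    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None

def host_of(value):
    """Lower-cased host of a URL or bare domain; '' if it does not look like one."""
    host = (urlparse(value if "://" in value else "//" + value).hostname or "").lower()
    return host if "." in host and " " not in host else ""

def squash(name):
    return name.replace(".", "").replace("-", "")

def check_link(href, text):
    """Return the warning signs from the article that apply to one link."""
    flags, host, shown = [], host_of(href), host_of(text)
    trusted = any(host == d or host.endswith("." + d) for d in TRUSTED)
    if shown and shown != host:  # visible address differs from the real target
        flags.append("text-url-mismatch")
    if urlparse(href).scheme == "http":  # "http" instead of "https"
        flags.append("not-https")
    # Heuristic: trusted name appears once dots and hyphens are ignored ("IRSgov").
    if not trusted and any(squash(d) in squash(host) for d in TRUSTED):
        flags.append("lookalike-domain")
    return flags

def scan_email(html):
    parser = LinkCollector()
    parser.feed(html)
    return {href: check_link(href, text) for href, text in parser.links}
# Constructed sample message body (not a real email).
SAMPLE = ('<a href="http://irsgov.example/update">https://www.irs.gov/account</a>'
          '<a href="https://secure-paypal.com/login">Confirm your identity</a>'
          '<a href="https://www.irs.gov/uac/Report-Phishing">www.irs.gov</a>')
```

Calling `scan_email(SAMPLE)` returns a dictionary keyed by link target; an empty list means none of the three signs applied, which is not proof that a link is safe.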