Products and Solutions

Fraudsters Bring Fresh Bait to Tax Phishing This Year

Feb 27, 2019 | by Heidi Bleau |

Brace yourself: Tax season has begun, and so have fraudsters' efforts to go phishing for taxpayer information and data. At the end of 2018, the IRS cautioned people to be on high alert following what it called "a surge of new, sophisticated email phishing scams." This tracks with RSA findings showing phishing attacks increased 12 percent in 2018 and accounted for 46 percent of all fraud attack types. Here's what you need to know about how phishing scams have evolved and grown, the role these scams play at tax time and the damage they can do.

2019 Tax Season Phishing Scams: From Tried-and-True to Brand-New

By now, you're probably familiar with the typical tax-season phishing attack that involves a fake email that looks like it's from the IRS. The email invites you to click through to update your account information or take other action; once you do, the fraudsters who sent it can use the information you provide to steal your identity. That's been around long enough that a recipient may not be likely to fall for it. This year, though, expect a twist in which fraudsters are sending emails that appear to be from a professional association that wants information to renew your membership or update your credentials. The fraudster is counting on the method being just different enough that people don't suspect fraud.

In business environments specifically, the IRS is also warning employers to be on guard again this year for W-2 phishing emails. These scam emails appear to be from an executive asking the recipient—often someone in payroll or finance—to provide employees' W-2 information. The scale of this scam makes it particularly dangerous, since it doesn't target just one person's information, but puts the personal financial data of an entire group of employees at risk.

Then there's an entirely different approach to income tax phishing that the RSA Anti-Fraud Command Center reported on recently. In this scheme, the phishing email comes from a banking entity's "income tax department" and asks for information that includes the recipient's mobile number. The fraudster then uses the mobile number to send a text message that installs mobile malware. The malware is designed to intercept one-time passcodes (OTPs) that banks typically use in step-up authentication, enabling the fraudsters to bypass bank security and raid bank accounts.

Finally, keep in mind that phishing in general is increasingly leveraging variations like smishing (phishing by SMS text) and vishing (phishing by VoIP). Here again, the point is to move away from more-familiar forms of fraud to something a victim may not be expecting. Tax-season fraudsters may try smishing to catch some taxpayers off-guard, since people are more likely to be suspicious of emails than texts. And vishing may give new life to old-fashioned phone-call scams, especially in corporate settings. A VoIP server can be manipulated to make it appear a call is coming from not just any random number, but from the company's accountant, bank, or even the IRS.

The Fallout: Your Data for Sale on the Web (and not just the Dark Web)

Let's say you do get swept up in a tax-season phishing expedition. What happens if fraudsters get their hands on your personal data? They may use it to file a tax return in your name and get a refund that you'll never see. (Last year, the IRS had identified 9,557 fraudulently filed tax returns by late February.) Or they may sell it to another fraudster. Either way, your Social Security Number, banking information and other data are likely to end up being traded in today's increasingly busy online marketplace for fraud. And that marketplace won't necessarily be hidden in some dark corner of the internet; it's just as likely to be on mainstream platforms like WhatsApp or ICQ.

Here are just a couple of the numerous examples of personal data being traded on ICQ:

Fraudster looking for someone to perform tax refund fraud

In this case, a fraudster with access to a trove of personal data that can be used to file fraudulent tax refunds seeks someone to help cash out the funds.

Fraudster offering to perform tax refund fraud

This fraudster is offering to sell full packages ("FULLZ") of individuals' personal data, including tax refund info, Social Security number and date of birth.

What's a Taxpayer to Do? Keep Vigilant

Fraudsters count on the element of surprise for their scams to succeed. As long as someone isn't expecting an email, text or phone communication to be fraudulent, there's a good chance they'll open, reply or answer it—and get taken in by the scam. The most important first step to avoid falling victim to a scam this tax season is to always be aware of the possibility of fraud. Before opening any email that seems to be from a legitimate source, question whether it really is. If there's even a slight possibility it's not, don't click through. Contact the sender in a separate email, text or call, and confirm the communication really came from them. It may seem like a pain, but it's better than being taken in—and it's essential at this time of year.

If you receive a scam communication at work, don't just ignore it; alert someone in your IT or security department immediately. If it's a scam email that's supposedly from the IRS, you should also alert authorities by copying the headers in a new email with "W2 Scam" in the subject line and send it to

They say nothing is certain in life but death and taxes. These days, you can amend that to death and taxes and tax scams. As long as the scams pay off, fraudsters will keep using them—and changing them up to keep you on your toes. Don't let them get the better of you this year.

# # #

Phishing is on the rise, and not just at tax time. Find the newest data and information about the increasing incidence of phishing fraud in the latest edition of the RSA Quarterly Fraud Report.