Like death and taxes, email scams like phishing are here to stay–especially during tax season. During the dark days leading up to April 15th, people are stressed out. They procrastinate so they make mistakes and let their guard down. And NO ONE wants to get on the wrong side of the IRS, so when a seemingly simple request comes from “IRS.gov,” people panic and comply without thinking. Then suddenly, the refund they’ve been waiting on never arrives. Or it arrives in the hands of a hacker instead.
These phishing expeditions happen year-round so always be wary of emails that contain the following red flags:
- Spelling errors or unusual sentence structure (as if written by a non-native English speaker)
- A return email address that doesn’t match the sender’s name.
- An unnecessary sense of urgency.
- Suspicious-looking links. Hover over a link to see its true destination.
- Attachments. Never open an attachment from someone you don’t know.
During tax season, be especially vigilant and recognize phishing language like this:
- Your refund is ready! Please confirm direct deposit information – Requests for banking information should be a giveaway that you are not dealing with the IRS.
- W-4 out of date. Please complete new form – Your W-4 form has a lot of personal information on it so should never be emailed. If the IRS really needs a new form, they will contact you by mail. Also, remember that a hacker may have some pieces of the pie already; just because the “IRS” confirms your mother’s maiden name and your address, don’t offer up your SSN or other personally identifiable information
- Your payment is past due. Fees and interest will accrue unless you remit payment now! – The fastest way to get people to give in, act quickly, and make poor choices is to threaten them. The IRS will never seek payment by email; disregard threats like these.
- Click here for more information about your return/refund – Sometimes all a hacker needs is to get you out of your email provider and onto their own site. Don’t give them the chance by navigating to where they want you to go.
The Golden Rule to avoid a potentially devastating invasion of privacy or outright theft is this: If the IRS needs to contact you, they will do so through the mail. If you receive a phone call that seems legitimate, ask the caller for a name, a phone number they can return your call, and a reference number. An IRS representative should be happy to provide that information and wait for you to return their call (through the IRS switchboard at 800-829-1040).
If you do make a mistake and accidentally click a link or provide information you probably should not have, take immediate steps to protect yourself.
- Call your bank and advise their fraud office that your account may be at risk.
- Make sure your security software is up to date and is filtering out malicious content and thwarting attacks.
- Update your passwords (with good ones this time, and not all the same from site to site!).
- If you have access to a security officer (at work, for example) forward any suspicious messages to their email address and mark it “SUSPICIOUS. DO NOT CLICK LINKS OR OPEN ATTACHMENTS.” They will investigate further and be able to warn others to be on their toes.
Be safe, be smart, and be on the lookout for that refund check! You earned it.