Over the last few months, we’ve looked at Federal Trade Commission scam warnings ranging from the pandemic and healthcare to natural disasters and paid tax return preparer EFINs. This week, the Internal Revenue Service published a pair of press releases containing tips for avoiding tax-related phishing scams:
- IRS Tax Tip 2021-30, focusing on signs of tax-related phishing emails and phone calls
- IR-2021-52, focusing on general data security recommendations
As part of the Security Summit—an educational outreach organization that also includes state tax agencies and private partners in the tax industry—the IRS routinely develops these alerts in an effort to equip taxpayers and tax professionals with the information they need thwart identity thieves’ “best efforts.”
So, let’s take a look at the latest data security tips from the IRS.
What are the signs of a tax-related phishing scam?
Whether in an email, text message, or phone call, identity thieves tend to rely on the same basic framework: Instill a sense of urgency through grooming, fear—including the fear of missing out, or “FOMO”—or intimidation, then request financial data, personally identifiable information, or direct payments.
The reason criminals rarely deviate from this formula is simple: It works. Luckily, knowing the signs of a phishing scam can inoculate you against that initial emotional hook. When it comes to email scams, scammers impersonating government agencies have a pretty obvious Achilles heel.
“The IRS does not initiate contact with taxpayers by email to request personal or financial information,” the agency explains. “Generally, the IRS first mails a paper bill to a person who owes taxes. In some special situations, the IRS will call or come to a home or business.”
That advice goes double for text messages and social media messages.
As for phone scams claiming they are trying to collect a tax payment, the IRS says neither they nor authorized private collection agencies will do any of the following:
- Leave pre-recorded, urgent, or threatening messages on an answering system.
- Threaten to immediately bring in local police or other law enforcement groups to arrest the taxpayer for not paying, deport them or revoke their licenses.
- Call to demand immediate payment with a prepaid debit card, gift card or wire transfer.
- Ask for checks to third parties.
- Demand payment without giving the taxpayer an opportunity to question or appeal the amount owed.
The IRS also warns that you can’t trust the number displayed on your phone, since “criminals can fake or spoof caller ID numbers to appear to be anywhere in the country”—including official government numbers.
What should I do if I receive a phishing scam?
If you’ve ever watched that TED Talk by James Veitch, it might be tempting to try to outwit or scold the criminals who have dared to try to steal your information and money. Don’t! You’re only going to risk revealing sensitive information to the scammer. Instead, the IRS says it’s much more effective to report the email or call to the authorities, then warn coworkers and clients about the latest security threat making the rounds.
Remember, do not open unfamiliar emails, text messages, or social media messages, and never click on attachments or embedded links. If you receive a tax-collection scam call, the IRS says taxpayers should use the following list:
- [Do] not give out any information. Hang up immediately.
- Contact the Treasury Inspector General for Tax Administration to report the IRS impersonation scam call.
- Report the caller ID and callback number to the IRS by sending it to firstname.lastname@example.org. The subject line should include “IRS Phone Scam.”
- Report the call to the Federal Trade Commission.
Even if the tax-related scam call doesn’t specifically involve collecting tax payments, this is a good checklist that can prevent you and others from having their data stolen. And those who unfortunately fall victim to an identity theft scam should visit the FTC’s IdentityTheft.gov site for next steps in the mitigation process.
What are some basic security tips that can prevent identity theft?
The following IRS list—which we’re including in its entirety below—covers major data-security issues that every taxpayer and tax professional should be familiar with, especially if you’re performing even more work online:
- Protect personal information. Treat personal information like cash – don’t hand it out to just anyone. Social Security numbers, credit card numbers, bank and even utility account numbers can be used to help steal a person’s money or open new accounts.
- Safeguard personal data. Provide a Social Security number, for example, only when necessary. Only offer personal information or conduct financial transactions on sites that have been verified as reputable, encrypted websites.
- Use strong passwords. Use a password phrase or series of words that will be easy for you to remember. Use at least 10 characters; 12 is ideal for most home users. Mix letters, numbers and special characters. Try to be unpredictable – don’t use names, birthdates or common words. Don’t use the same password for many accounts and avoid sharing them. Keep passwords in a secure place or use password management tools.
- Set password and encryption protections for wireless networks. If a home or business Wi-Fi is unsecured, it allows any computer within range to access the wireless network and potentially steal information from connected devices. Whenever it is an option for a password-protected account, users should also opt for a multi-factor authentication process. Multi-factor authentication is critical to protecting your password.
- Avoid phishing scams. The easiest way for criminals to steal sensitive data is simply to ask for it. IRS urges people to learn to recognize phishing emails, calls or texts that pose as familiar organizations such as banks, credit card companies or even the IRS. Keep sensitive data safe and:
- Be aware that an unsolicited email with a request to download an attachment or click on a URL could appear to come from someone that you know like a friend, work colleague or tax professional if their email has been spoofed or compromised.
- Don’t assume internet advertisements, pop-up ads or emails are from reputable companies. If an ad or offer looks too good to be true, take a moment to check out the company behind it.
- Never download “security” software from a pop-up ad. A pervasive ploy is a pop-up ad that indicates it has detected a virus on the computer. The download most likely will install some type of malware. Reputable security software companies do not advertise in this manner.
Set security software to update automatically so it can be updated as threats emerge. Educate children and those with less online experience about the threats of opening suspicious web pages, emails or documents.
- Back up files. No system is completely secure. Copy important files, including federal and state tax returns, onto removable discs or back-up drives and cloud storage. Store discs, drives and any paper copies in secure, locked locations.
- ID Theft Central. Designed to improve online access to information on identity theft, it serves taxpayers, tax professionals and businesses.
If you’re providing remote services to clients, be sure to suggest some of these recommendations. If their device gets infected and they send you an important tax document, you run the risk of infecting your network.
Where can I find more information about identity theft?
Many government websites house important data security-related information that can help protect you and your clients from identity thieves. Check out these resources from the FTC, IRS, and IdentityTheft.gov:
- “Identity Theft,” FTC.gov
- “Identity Theft Central,” IRS.gov
- “Identity Theft Information for Tax Professionals,” IRS.gov
- “Identity Theft Recovery Steps,” IdentityTheft.gov
- “Security Summit,” IRS.gov
Want to read about the other types of phishing scams targeting taxpayers and tax professionals? Check out other GruntWorx blogs:
- The FTC Wants to Help You Avoid COVID Vaccine Scams
- Watch Out for Special Enrollment Phishing Scams!
- Scammers Targeting Victims of Snow Storms
- Identity Thieves Want Your EFIN!
- What Did the FTC Cover During Identity Theft Awareness Week?