Every year, we warn the University community about tax phishing scams and tax-related identity theft scams.
There are a number of ways scammers try to steal personal information in order to create false identities or claim tax refunds illegally. Let’s break them down one by one to help you avoid becoming prey during tax scam season.
Phishing is a scam in which thieves send emails designed to trick victims into revealing personal and financial information that can be used to steal a victim’s identity or commit other criminal acts.
During tax season, scammers send phishing emails designed to trick taxpayers into thinking the messages are official correspondence from the IRS; other government entities; or bigwigs in a company, university, or other organization (W-2 scams).
The scams may demand your personal or banking information; seek information relating to refunds, filing status, or IRS PINs; or claim to let you order “IRS transcripts” or find out the status of your IRS refund. The emails often include links to fake websites that simulate official IRS websites. Any information surrendered at these fake sites may be used to file false tax returns. Sometimes, the malicious site can download malware onto your device to steal confidential information from files stored on that device or capture your keystrokes when you log in to a secure website.
The IRS does not initiate contact with a taxpayer through email, text message, or any other form of electronic communication. If you receive an email claiming to be from the IRS, report it to firstname.lastname@example.org and email@example.com.
“Vishing”, or voice phishing, uses social engineering to steal confidential and financial information from the victim. During tax season, scammers use vishing to attempt to defraud taxpayers and the IRS.
These fake callers claim to be government employees, usually IRS employees. The callers give fake names and fake IRS identification numbers, and they research their victims before placing their calls. Some of the more common scams include the following:
- In one type of scam, victims are told they owe money to the IRS and that they must pay immediately with a gift card or wire transfer.
- In one variation, the scammer may say he’s from a law enforcement agency (or the IRS) and threaten the victim with arrest, deportation, or the suspension of a business or driver’s license if the victim doesn’t pay immediately.
- In another kind of phone scam, the fake IRS employees don’t ask for payment, instead they claim the victim has a refund due and needs to supply them with banking or other confidential information.
The IRS does sometimes call taxpayers. How can you tell the difference between a real IRS phone call and a scammer’s vishing attempt to defraud you?
- Taxpayers will generally receive several letters (“notices”) from the IRS in USPS mail before any phone call is made.
- The IRS will never call to demand immediate payment using a specific method, such as a gift card or wire transfer. If a payment is required, the IRS will direct the taxpayer to submit a payment to the U.S. Treasury.
- The IRS will not demand that you pay taxes or penalties without giving you the opportunity to appeal the amount they say you owe. That’s your right as a taxpayer.
- The IRS will never threaten to involve local police, immigration officers, or other law-enforcement agencies to enforce a penalty without due process. The IRS cannot revoke your business license or driver’s license, nor can the IRS deport you.
If you’ve received a call from a fake IRS agent or any other phone scam, report it.
- If you’ve fallen victim to an IRS phone scam, contact the Treasury Inspector General for Tax Administration. Fill out the IRS Impersonation Scam Reporting form or call 800-366-4484.
- Report other phone scams to the Federal Trade Commission. Use the FTC Complaint Assistant on FTC.gov and add “IRS Telephone Scam” in the notes.
Defrauding the IRS by means of “Tax ID Theft”
The IRS is improving its ability to defend against this scam, but it still happens all too frequently.
For the past several years, scammers have stolen refunds from the IRS by filing fraudulent returns using SSNs before the SSN owners file their legitimate returns. Their scams use a combination of guesses and confidential taxpayer information acquired illegally. The criminals file returns early in tax season using victims’ SSNs, and, of course, those returns all claim a refund. In most cases, the victims don’t know their information has been used to defraud the IRS until the IRS rejects their legitimate returns.
This form of “Tax ID theft” is not necessarily the result of personal information being compromised in any one breach: scammers can find information from stealing mail, going through your garbage, phishing, credit card skimming, or even from large-scale corporate data breaches.
To keep yourself safe from tax ID theft, beat the scammers to the punch: file your returns as early as you can. In addition, shred sensitive documents, like bills, bank statements, and insurance forms to prevent identity theft.
If you believe you’ve been a victim of identity theft, including tax ID theft, the Federal Trade Commission (FTC) suggests filing an identity theft report with your local police department and also with the FTC. For additional information, read Intuit’s TurboTax identity theft help file.
- Official information from the IRS: Taxpayer Guide to Identity Theft (includes a link to IRS Form 14039, “IRS Identity Theft Affidavit”)
- Official information from the Delaware Division of Revenue: Identity Theft and Victim Assistance
W-2 Scams via spear phishing
Another scam takes advantage of tax season to trick employees into surrendering a file containing W-2 information about an organization’s employees. The scammer is trying to build his collection of names and SSNs for future fraud and identity theft attempts. (More information)
This scam is a specific form of spear phishing, scams in which the criminal has researched an organization and tailored his approach to target its employees, students, or clients. During tax season, spear phishers target HR and payroll departments in order to gain access to an organization’s W-2 data.
If you’ve received this type of phishing scam at your University or business email account, or if you’ve fallen victim to this scam, it is important that you report it promptly to the proper authorities.
- If you have surrendered a file of W-2 information to a scammer, email firstname.lastname@example.org to notify the IRS of a W-2 data loss. Type “W-2 Data Loss” in the subject line. Do not attach any personally identifiable employee information.
- Email the Federation of Tax Administrators at StateAlert@taxadmin.org to learn how to report victim information to the individual states.
- Businesses and payroll service providers should file a complaint with the FBI’s Internet Crime Complaint Center. Businesses and payroll service providers may also be asked to file a report with their local law enforcement.
- Notify affected employees so they may take steps to protect themselves from identity theft. The FTC’s www.identitytheft.gov provides general guidance.
- Forward the scam email to email@example.com.
- If you think you’ve forwarded University of Delaware W-2 data to a scammer, contact your supervisor immediately, and report the incident to the IT Support Center.
Never send a list of W-2 files to someone using an unencrypted communication channel (like email). Always confirm the validity of any request for confidential information, and transmit it using an encrypted communication channel using protocols defined by your department, unit, college, or UD’s HR and Payroll offices.
Tax scams can appear in your email, in phone calls, in text messages, or other communications. Stay up to date and educated about each type of threat. Remember,
- The IRS will never demand immediate payment using gift cards or wire transfers.
- The IRS will never threaten you over the phone with immediate arrest or penalty.
- The IRS will never threaten you with a penalty without advising you of your right to appeal.
- If you receive a suspicious communication this tax season, report it!
- As described above, you can report it to the FTC, IRS, FBI or local law enforcement.
- You can report suspicious email and vishing attempts received at the University of Delaware to firstname.lastname@example.org.