Boise State Cybersecurity Department
Tax Scams, Phishing and Identity Theft
Thousands of people have lost millions of dollars and their personal information to tax scams. Scammers use the regular mail, telephone, or email to set up individuals, businesses, payroll and tax professionals.
The IRS doesn’t initiate contact with taxpayers by email, text messages or social media channels to request personal or financial information.
Scam emails are designed to trick taxpayers into thinking these are official communications from the IRS or others in the tax industry, including tax software companies. These phishing schemes may seek information related to refunds, filing status, confirming personal information, ordering transcripts and verifying PIN information.
Be alert to bogus emails that appear to come from your tax professional, requesting information for an IRS form.
Variations can be seen via text messages. The IRS is aware of email phishing scams that include links to bogus web sites intended to mirror the official IRS web site. These emails contain the direction “you are to update your IRS e-file immediately.” These emails are not from the IRS.
The sites may ask for information used to file false tax returns or they may carry malware, which can infect computers and allow criminals to access your files or track your keystrokes to gain information.
There’s one thing all attackers have in common, and that is the desire to steal your personal information. Online, criminals often use a “phishing” scam to acquire sensitive passwords, banking, and identity information. As we move into this tax season, keep these tips in mind to make sure you stay safe and secure.
Identity theft can be extremely damaging to its victims. Even if you protect yourself online, you should also take precautions offline to keep anyone from getting your information.
- Read your monthly statements carefully. Review bank, credit card, and pay statements, as well as other important personal accounts (e.g., health care, social security). If a statement has mistakes, charges you don’t recognize, or doesn’t arrive when expected, contact the business.
- Shred outdated documents. Make sure you shred any documents that show sensitive financial or medical information before you throw them away.
- Be careful when sharing personal info. Avoid texts or phone messages that ask for personal information such as your Social Security number, password, or account number. Legitimate companies don’t ask for information in this way.
- Keep personal information private. Limit what you share on social media. For instance, don’t share your vacation pictures publicly until you return home (so thieves don’t target your empty home).
What Is Phishing?
“Phishing” refers to an attack that uses email or a messaging service to trick you into taking an action, such as clicking on a link or opening an attachment. Attackers work hard to make their phishing emails convincing. For example, they will make their email look like it came from someone or something you know, such as a friend or a trusted company you frequently use. They will even add logos of your bank or forge the email address so the message appears more legitimate.
How to Recognize Phishy Emails
Having your sensitive information taken can be frightening. Fortunately, there are ways to identify false emails.
- Beware sketchy messages. Phishy messages may include a formal salutation, overly-friendly tone, grammatical errors, urgent requests, or gimmicks.
- Avoid opening links and attachments. Even if you know the sender, don’t click on links that could direct you to a bad website. And do not open attachments unless you are expecting a file from someone.
- Verify the source. Check the sender’s e-mail address to make sure it’s legitimate. Official organizations shouldn’t be sending emails from personal addresses such as @gmail.com, @yahoo.com, or @hotmail.com.
- If in doubt, just delete the message. Be conscious of the links you click on and don’t input passwords or other important information into websites you don’t know.
Information provided via SANS and US-CERT
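For readers who triage reported messages, the "Verify the source" and link checks above can be automated. The sketch below is an added example, not material from Boise State, SANS, or US-CERT; the function names, flag labels, urgency keyword list, and sample messages are all constructed for illustration, and it assumes plain-text, non-multipart mail.

```python
import re
from email import message_from_string
from email.utils import parseaddr
from urllib.parse import urlparse

# Personal-address domains named in the article's "Verify the source" tip.
FREEMAIL = {"gmail.com", "yahoo.com", "hotmail.com"}
OFFICIAL = "irs.gov"  # assumption: the organization the message claims to be
URGENT = re.compile(r"\b(immediately|urgent|right away)\b", re.I)  # constructed list
URL = re.compile(r"https?://[^\s\"'<>]+", re.I)

def under(host, domain):
    """True only if host is the domain itself or a subdomain of it."""
    host = host.lower().rstrip(".")
    return host == domain or host.endswith("." + domain)

def triage(raw):
    """Return warning flags for a raw plain-text (non-multipart) e-mail."""
    msg = message_from_string(raw)
    name, addr = parseaddr(msg.get("From", ""))
    sender_domain = addr.rpartition("@")[2].lower()
    body = msg.get_payload()
    flags = []
    if sender_domain in FREEMAIL:
        flags.append("freemail-sender")
    # Does the display name or subject claim to be the IRS?
    claims = re.search(r"\bIRS\b", name + " " + msg.get("Subject", ""))
    if claims and not under(sender_domain, OFFICIAL):
        flags.append("claims-irs-but-other-domain")
    if URGENT.search(body):
        flags.append("urgent-request")
    for url in URL.findall(body):
        host = urlparse(url).hostname or ""
        # "irs.gov.something.example" is not irs.gov: compare the suffix only.
        if claims and not under(host, OFFICIAL):
            flags.append("link-off-domain:" + host)
    return flags

# Constructed sample messages (not real mail); .example is a reserved TLD.
SAMPLE_PHISH = ("From: IRS e-Services <constructed-sample@gmail.com>\nSubject: Action required\n\n"
                "You are to update your IRS e-file immediately:\n"
                "http://irs.gov.refund-update.example/efile\n")
SAMPLE_BENIGN = ("From: Campus News <news@university.example>\nSubject: Spring schedule\n\n"
                 "See https://www.university.example/events for details.\n")

if __name__ == "__main__":
    print(triage(SAMPLE_PHISH))
    print(triage(SAMPLE_BENIGN))
```

An empty result is not proof that a message is genuine: as noted above, attackers can forge the sender address, so these flags only prioritize what a person should look at first.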