Fraud is a year-round activity, but tax season brings an uptick in calculated schemes to steal money and personal information through spoofed messages and other means. Cybersecurity firms have also reported an increase in fraud attempts that exploit the conflict in Ukraine — a situation that has increased fears of potential cyberattacks on American companies through ransomware and other malicious software.
You can better protect yourself if you know what’s out there. Here’s a guide.
Avoid the tax scam
The Internal Revenue Service doesn’t make first contact with taxpayers by email, text messages or social media channels to request personal and financial information — including bank-account or credit-card numbers, passwords or PIN codes. Messages asking for that information are deceptive “phishing” attempts to steal money and identities.
If the IRS needs your attention, it starts with a notice by regular mail via the U.S. Postal Service in most cases.
The IRS will not send unexpected messages about auditing returns, sending stimulus payments, collecting your taxes or “canceling your Social Security number.” An IRS representative may call or visit when a taxpayer has an overdue bill or has other tax-related issues. But even then, written notification is typically sent first, according to the agency.
Scam telephone calls and voice messages using spoofed agency numbers and forged IRS agent identification are common. Again, the agency typically first sends a notice by mail. It does not call unexpectedly to discuss tax refunds, threaten arrest by local law enforcement or demand immediate payment in a specific form. Tax bills are paid to the U.S. Treasury and not directly to “agents” requiring funds in iTunes or Amazon gift cards, prepaid debit cards, electronic cash or wire transfer.
The Tax Scams/Consumer Alerts page on the official irs.gov site has a lengthy list of current and classic scams. And the site has a guide for verifying real IRS agents and identifying legitimate debt collectors.
Opportunistic scammers are quick to take advantage of natural disasters and humanitarian crises, including the COVID-19 pandemic and the war in Ukraine. Be leery of messages from unfamiliar organizations requesting donations by credit card or cryptocurrency — or purporting to be from refugees or members of the military. Crowdfunding campaigns should be avoided or heavily scrutinized unless you know the organizer.
And when you do find a preferred charity’s site, check the URL carefully. Scammers use “typosquatting” (registering a purposely misspelled domain name close to a legitimate site’s address) in the hope that bad typists will inadvertently land on their malicious pages.
Report a scam attempt
If you get unsolicited email pretending to be from the IRS, you can report it by forwarding the message to email@example.com. The Treasury Inspector General for Tax Administration has a hotline to report tax-related fraud attempts at 800-366-4484; the department has a portal page for complaints.
You can make a general fraud report on the Federal Trade Commission’s site at ftc.gov.
Gmail and Outlook.com include menus to report phishing attempts, while Yahoo has a form to fill out.
Be warned, though: If you get taken in by a scam involving a Zelle money transfer, your bank may not back you up if you authorized the transaction.
As the Federal Trade Commission notes, the common signs of a scam usually include someone who impersonates a familiar organization and tells you there’s a problem (or, sometimes, a prize). The scammer pressures you to act immediately and demands payment in a specific way.
Most fraud attempts are easy to spot. Typo-laden messages, impersonal “official correspondence” from Gmail and Yahoo accounts, and voicemail messages left in robotic computer speech are instant red flags. Fake invoices and forged PayPal notices remain popular phishing lures.
You can avoid many phishing lures by fine-tuning your mail program’s junk filters and blocking unwanted calls and text senders. Let unknown callers go to voicemail.
Make sure your browser is set to block pop-up messages and warn about malicious sites. Don’t install apps from unknown developers, and keep anti-virus software enabled on your computer.
If spam gets through, don’t call the number and don’t open the attachment — it’s likely to be malware. If you have concerns about an account, open your browser and go to the company’s website, avoiding links in messages.
The Consumer Financial Protection Bureau’s site at consumerfinance.gov has a detailed page (look under the Consumer Education tab) on frauds and scams currently going around. And even if you’ve been practicing safe computing for years, you probably have a friend or relative who isn’t as tech savvy — and could use your help.