At the beginning of each calendar year, information security professionals revive the discourse surrounding tax-time phishing scams. Researchers and intelligence analysts here at Cofense™ are no exception.
Each year, criminals attempt to capitalize on the tax filing season in the United States by sending phishing emails that either target tax information or use tax-related narratives. This has not gone without notice. In the 2017 tax filing season, the IRS put many counter-measures in place which made it difficult for criminals to do a direct “IRS Phish” against a particular tax account holder. Yet criminals are ingenious at finding new ways to steal your money!
Here are the three biggest trends the IRS is reporting as the criminals refocus their attacks. For each, we’ve provided a link to the associated IRS advisory.
#1 – (IR-2018-2) Security Summit Partners Warn Tax Pros of Heightened Fraud Activity as Filing Season Approaches https://content.govdelivery.com/accounts/USIRS/bulletins/1d1dd23
The primary trick here is a phishing email sent to tax practitioners that installs malware when the attached document is opened. Here are some example email approaches the IRS has seen:
- “Happy new year to you and yours. I want you to help us file our tax return this year as our previous CPA/account passed away in October. How much will this cost us?…hope to hear from you soon.”
- “Please kindly look into this issue, A friend of mine introduced you to me, regarding the job you did for him on his 2017 tax. I tried to reach you by phone earlier today but it was not connecting, attach is my information needed for my tax to be filed if you need any more Details please feel free to contact me as soon as possible and also send me your direct Tel-number to rich (sic) you on.”
- “I got your details from the directory. I would like you to help me process my tax. Please get back to me asap so I can forward my details.”
After the malware is successfully planted, the criminals gain remote-control capability over the tax preparer’s computers and/or network and try to abscond with the private data of every one of that preparer’s clients. This can create a massive payday for the criminals, since the tax preparer will also possess the Electronic Filing Identification Number (EFIN) for those clients!
#2 – (IR-2017-64) IRS, States, and Tax Industry Warn of “Last Minute” Email Scams https://www.irs.gov/newsroom/irs-states-and-tax-industry-warn-of-last-minute-email-scams
In this scam, an “urgent” email is sent to the tax preparer advising them that their client has provided inaccurate financial information and urging them to change the account number to which refunds will be sent. It is very likely, however, that this is the second stage of a two-victim phishing attack. In the first stage, the taxpayer has fallen for a more generic email login phish, such as those that imitate Gmail, Outlook, DocuSign, and Dropbox. These attacks ask the victim to provide their email user ID and password. Very quickly thereafter, the criminal logs in to the victim’s email account. If the Inbox and Sent Items show an exchange with a tax preparer, the criminal follows up on that communication, often by replying to a previous message, and asks for the update to the account information. Because the original email is quoted, the tax preparer is quite likely to believe this is a continued conversation with their existing client.
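As an added example (not part of the Cofense post or any IRS guidance), the following Python sketch shows how a tax preparer’s mail gateway could flag both lures described under #1 and #2: first-contact “new client” messages that carry an attachment, and in-thread replies that ask to redirect a refund to a different account. The message fields, keyword patterns, scoring weights and sample messages are all assumptions constructed for illustration; the sample bodies echo the lure language quoted above.

```python
"""Inbox triage heuristics for the two tax-preparer lures (#1 and #2).

Added example, not Cofense or IRS code. Assumes a simplified message record
(constructed sample data below) with fields a mail gateway would expose:
sender, subject, body, has_attachment, in_reply_to. The pattern lists and
scoring weights are illustrative assumptions, not published detection rules.
"""
import re
from dataclasses import dataclass
from typing import Optional


@dataclass
class Message:
    sender: str
    subject: str
    body: str
    has_attachment: bool = False
    in_reply_to: Optional[str] = None  # Message-ID of the thread parent, if any


# Lure #1: a first-contact "new client" asks the preparer to open an attached file.
NEW_CLIENT_PATTERNS = [
    r"\bfile (my|our) tax",
    r"\bhelp (me|us) (process|file)",
    r"\battach(ed)? (is|are)? ?my (information|details)",
    r"\bprevious (cpa|accountant)\b",
]

# Lure #2: a reply inside a known thread asks to send the refund somewhere new.
ACCOUNT_CHANGE_PATTERNS = [
    r"\b(change|update|correct)\b.{0,40}\b(account|routing) (number|no\.?|#)",
    r"\bdirect deposit\b.{0,40}\b(new|different) account",
    r"\brefund\b.{0,60}\b(new|different|updated) (bank )?account",
]


def _matches(patterns, text):
    """Return the subset of patterns that hit anywhere in text (case-insensitive)."""
    return [p for p in patterns if re.search(p, text, re.IGNORECASE)]


def triage(msg: Message, known_clients) -> dict:
    """Score one message and return the score, a routing action and the reasons."""
    text = f"{msg.subject}\n{msg.body}"
    reasons = []
    score = 0

    first_contact = msg.sender.lower() not in known_clients
    if first_contact and _matches(NEW_CLIENT_PATTERNS, text):
        if msg.has_attachment:
            score += 4
            reasons.append("first-contact sender with attachment and new-client lure text")
        else:
            score += 1
            reasons.append("new-client lure text from unknown sender (no attachment)")

    if _matches(ACCOUNT_CHANGE_PATTERNS, text):
        score += 2
        reasons.append("requests a change to the refund/deposit account")
        if msg.in_reply_to is not None:
            # The account-takeover variant rides an existing thread, so a reply
            # that asks to move money is MORE suspicious here, not less.
            score += 2
            reasons.append("account change requested inside an existing thread")

    if score >= 4:
        action = "hold for phone verification"
    elif score >= 1:
        action = "flag"
    else:
        action = "deliver"
    return {"score": score, "action": action, "reasons": reasons}


def triage_all(messages, known_clients):
    """Convenience wrapper: list of actions in message order."""
    return [triage(m, known_clients)["action"] for m in messages]


# Constructed sample data (not real addresses or clients).
KNOWN_CLIENTS = {"client@example.invalid"}
SAMPLES = [
    Message("prospect@example.invalid", "Tax return help",
            "Happy new year to you and yours. I want you to help us file our tax "
            "return this year as our previous CPA/account passed away in October. "
            "How much will this cost us?", has_attachment=True),
    Message("client@example.invalid", "Re: 2017 return draft",
            "Thanks again for the draft. Please update the account number for my "
            "refund, I switched banks last week. New routing and account details below.",
            in_reply_to="<draft-1@example.invalid>"),
    Message("client@example.invalid", "Re: 2017 return draft",
            "Looks good, thanks for the quick turnaround.",
            in_reply_to="<draft-1@example.invalid>"),
    Message("prospect2@example.invalid", "need tax help",
            "I got your details from the directory. I would like you to help me "
            "process my tax. Please get back to me asap."),
]

if __name__ == "__main__":
    for m, result in zip(SAMPLES, (triage(m, KNOWN_CLIENTS) for m in SAMPLES)):
        print(m.sender, "->", result["action"], result["reasons"])
```

The design choice worth noting is the second branch: a refund-account change arriving as a reply in an existing thread is scored higher, not lower, because that is exactly how the account-takeover variant presents itself. Keyword matching alone is noisy; in practice the hold action should route to a person who confirms the change with the client by phone on a previously known number.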
#3 – (IR-2017-171) Fake Insurance Tax Form Scam Aims at Stealing Data from Tax Pros, Clients https://www.irs.gov/newsroom/fake-insurance-tax-form-scam-aims-at-stealing-data-from-tax-pros-clients
While the first two attack types aim to harvest thousands of sets of tax documents and EFINs from tax preparers, this third attack type aims to gain information about high-balance accounts that may have been listed as assets on tax paperwork.
An email, often with a subject line such as “urgent information”, claims to be from the IRS and requests additional information about life insurance policies or annuities. Here’s example language from the IRS advisory:
Dear Life Insurance Policy Owner,
Kindly fill the form attached for your Life insurance or Annuity contract details and fax back to us for processing in order to avoid multiple (sic) tax bill (sic).
The attached form provides enough information for the cybercriminal to either obtain a loan against the annuity or cash out the life insurance policy.
The IRS has also published a whole series of tips for tax preparers to help them avoid becoming the victim of a data breach. Here’s the complete list for those who are interested!
Step 1: Avoid Spear Phishing Emails
Step 2: Be Alert to Account Takeover Tactics
Step 3: Security Summit Safeguards Help Protect Individuals; Renew Focus on Curbing Data Breaches and Business Identity Theft
Step 4: Defend against Ransomware
Step 5: Prevent Remote Access Takeover Attacks
Step 6: Watch Out for the W-2 Email Scam
Step 7: Protect e-Services Accounts, EFINs (Electronic Filing Identification Numbers)
Step 8: How to Start Protecting Clients, Businesses from Cybersecurity Threats
Step 9: Make Data Security an Everyday Priority; Key Steps Can Help
Step 10: Steps for Tax Pros with Data Incidents; Tips to Help Protect Clients, Taxpayers