In the second installment of this year’s IRS “Dirty Dozen” list, which highlights common tax-related scams, the IRS cautioned taxpayers to be on the lookout for deceptive schemes in the form of emails, text or social media messages, and phone calls (IR-2021-137).
In what has become an annual ritual, the Service each year highlights 12 of what it calls “the worst of the worst tax scams.” This year’s Dirty Dozen list is being released in four installments over four days.
Monday’s installment raised awareness of scams related to the COVID-19 pandemic, while Tuesday’s focuses on what the Service calls “personal information cons,” specifically:
The IRS warned individuals to be vigilant for sham emails or websites looking to steal victims’ personal data and potentially infect their devices by convincing them to download malicious programs.
“These phishing schemes can be tricky and cleverly disguised to look like they’re from the IRS or from others in the tax community,” the IRS said in its news release.
The Service noted that some phishing scams target tax professionals, such as by seeking to trick practitioners into clicking on innocent-looking attachments in emails purportedly from a new client. Another ploy mimics verification of electronic filing identification numbers (EFIN) and Centralized Authorization File (CAF) numbers, the IRS said.
The IRS said that “vishing,” or voice-related phishing, is on the rise, particularly scams related to federal tax liens. Individuals should be wary of unexpected phone calls asking for personal financial information.
Fortunately, there has been a decline in the number of reports of telephone con artists claiming to be from the IRS, the Service said. Nonetheless, taxpayers are urged to remember, among other things, that:
- The IRS will never request personal or financial information by email, text, or social media.
- The IRS generally first contacts people by mail, not by phone, about unpaid taxes.
Social media scams
Taxpayers also should be aware of tax scams that rely on social media, the IRS said. Some con artists send emails impersonating the victim’s family, friends, or co-workers, relying on information extracted from an individual’s social media accounts.
One way to protect against these schemes is to review privacy settings and limit data that is publicly shared, the Service said.
Financial institutions need to be especially aware of trends involving ransomware, the IRS noted. Ransomware is a form of malicious software (malware) used to extort ransom payments from victims in exchange for decrypting the information and restoring victims’ access to their systems or data.
Unfortunately, ransomware criminals are becoming increasingly sophisticated. “Many cybercriminals are sharing resources to enhance the effectiveness of ransomware attacks, such as ransomware exploit-kits that come with ready-made malicious codes and tools,” the Service noted. “Some ransomware groups are also forming partnerships to share advice, code, trends, techniques, and illegally obtained information over shared platforms.”
Bad actors seeking to mount ransomware attacks on an organization often resort to “wide-scale phishing and targeted spear-phishing campaigns that induce victims to download a malicious file or go to a malicious site,” the IRS pointed out.
Ransomware attacks continue to rise across various sectors, particularly among governmental entities as well as financial, educational, and health care institutions, the Service noted.
The IRS urges all taxpayers to be on guard against these scams.
In the next installment of the Dirty Dozen list, the Service will highlight certain ruses focusing on unsuspecting victims, and the final installment will draw attention to schemes that entice taxpayers into taking “unscrupulous” actions.
See the Dirty Dozen page at IRS.gov.
— Dave Strausfeld, J.D., (David.Strausfeld@aicpa-cima.com) is a JofA senior editor.