Criminals often use the April 15th tax filing deadline in the United States for social engineering schemes to make victims share their credentials, money, and personal information. Besides deploying ransomware, spyware, and banking Trojan Horse programs, they sometimes even make fake Internal Revenue Service phone calls to defraud taxpayers. 12,000 victims suffered US$63 million in losses due to such calls just in 2018.
This type of scam typically begins with the victim receiving an email message that seems to come from the IRS. These messages may contain malicious attachments that seem like legitimate files or redirect the unwary to fraudulent websites. Either way, the recipient will end up losing sensitive data, money, or both.
These threats became so prevalent that, in 2004, the IRS came up with a list of the “Dirty Dozen.” Now compiled annually, the Dirty Dozen list details the most common scams to help protect taxpayers.
Phishing topped the list of scams. This type of fraud involves sending email messages that seem to come from the IRS and typically promise sizeable tax refunds or threaten legal action. Variations on these schemes may involve hijacking a victim’s personal bank account or filing fraudulent tax returns and then asking the victim to refund the money by posing as a collection agency or the IRS itself. Other phishing schemes target an employee’s W-2 form or related financial records.
The following examples of fraudulent IRS tax email messages look just like real IRS notifications, but the links redirect victims to phishing websites that harvest sensitive personal information.
Criminals run this scam by seeking out personal information about their targets from data breaches. Once they have information like email addresses and passwords, they use specialized software to send out thousands of messages to potential victims. The sender claims that he “knows” how to get into a victim’s online accounts, and may even claim access to the victim’s computer, personal files, webcams, or web browsing history. The scarier the threat, the better. Some will even claim to have videos of the victim looking at adult websites and threaten to share it with all the victim’s contacts unless the scammer receives a ransom paid in Bitcoin.
Just one “sextortion” campaign that ran from July 2018 to February of 2019 netted the criminals $332,000!
Check out a typical email used in these scams here:
What You Can Do
• Never open links or attachments that come from unexpected or suspicious senders, especially if they claim to come from government officials or their agents.
• Immediately report any unsolicited email message containing files supposedly from the IRS or involving the Electronic Federal Tax Payment System (EFTPS) to firstname.lastname@example.org
• Don’t panic! Automated email scams do not have access to your computer.
• Use Fraud Buster to check the authenticity of messages that seem to come from the IRS, or look like sextortion attempts.
• Install Trend Micro Security to block phishing messages and the malicious software that they try to deliver.