Tax Phishing Scams Are Back: Here Are 3 to Watch Out For

This Year's Crop of Tax Phishing Scams Target Individuals, Employers, and Tax Preparers

This Year’s Crop of Tax Phishing Scams Target Individuals, Employers, and Tax Preparers

Tax season is stressful enough without having to worry about becoming the victim of a cyber crime. Here are three different tax phishing scams targeting employers, individuals, and even tax preparers that are currently making the rounds.

This Year's Crop of Tax Phishing Scams Target Individuals, Employers, and Tax Preparers

Employers: W-2 Phishing Emails

The W-2 phishing scams that have plagued employers for a couple of years are back with a vengeance. The IRS noticed a significant uptick in these tax phishing scams beginning in January and recently issued an official warning. Also known as spear phishing or business email compromise (BEC) scams, these campaigns differ from traditional phishing scams in that they are highly targeted. They are sent to specific employees within organizations who have access to employee tax data, usually human resources personnel, and often appear to come from a company executive. Occasionally, the IRS reports, the email will request a wire transfer along with employee W-2 data.

Individuals: Phony “Tax Notification” Emails

While the hackers behind this particular scam are not seeking tax ID data, they are harnessing the stress of tax season and victims’ fear of the IRS to get them to click on phishing links. The targets are Microsoft 365 users, and Dark Reading reports that “tens of millions” may have received the emails. The messages purport to be from the IRS, warn recipients that there is some sort of problem with their taxes and that dire consequences will result if they do not take immediate action, and include attachments with names such as “taxletter.doc.” Downloading and opening the attachment installs password-stealing malware on the victim’s machine.

Tax Preparers and Individuals: New Tax ID Theft Phishing Scheme

These highly sophisticated tax phishing scams are executed in two phases. In the first phase, hackers send traditional or spear phishing emails to tax preparers, which install malware on their computers and allow the hackers to steal client tax and bank account data.

In the second phase, the hackers use the data to file fraudulent tax returns – then have IRS refunds deposited in the victims’ bank accounts. In some cases, the return is filed using one victim’s tax data and the money deposited in another victim’s bank account. The bank account owners are then contacted by someone claiming to be an IRS representative, demanding that they take specific (and irreversible) steps to “return” the money.

Fighting Back Against Tax Phishing Scams

There are several ways to prevent falling victim to these and other tax phishing scams. Organizations should ensure that all employees are trained to identify phishing emails, including spear phishing, have a specific and clear procedure to report suspicious emails, and take all other appropriate proactive cyber security measures. Individuals should also be aware of the warning signs of a phishing email, including text written in broken English and return addresses that appear to be off, such as a government agency with a .com address.

The IRS requests that suspected tax-related phishing emails be forwarded to If you receive an erroneous refund deposit to your bank account, follow the IRS’s instructions for returning it:

  1. Contact the Automated Clearing House (ACH) department of the bank/financial institution where the direct deposit was received and have them return the refund to the IRS.
  2. Call the IRS toll-free at 800-829-1040 (individual) or 800-829-4933 (business) to explain why the direct deposit is being returned.
  3. Interest may accrue on the erroneous refund.

The cyber security experts at Lazarus Alliance have deep knowledge of the cyber security field, are continually monitoring the latest information security threats, and are committed to protecting organizations of all sizes from security breaches. Our full-service risk assessment services and Continuum GRC RegTech software will help protect your organization from data breaches, ransomware attacks, and other cyber threats.

Lazarus Alliance is proactive cyber security®. Call 1-888-896-7580 to discuss your organization’s cyber security needs and find out how we can help your organization adhere to cyber security regulations, maintain compliance, and secure your systems.

Lazarus Alliance