The “IRS Refunds” scam is a common tactic used by cybercriminals to trick people into opening a link or attachment associated with the email. This link takes people to a fake page where thieves try to steal personally identifiable information, such as Social Security numbers.
Often these links or attachments also secretly download malware that can perform many functions, such as giving the thief control of the computer or tracking keystrokes to determine other sensitive passwords or critical data.
The IRS does not randomly contact taxpayers or tax professionals via email, including asking people to confirm their tax refund information. The IRS initiates most contacts through regular mail delivered by the United States Postal Service.
However, there are special circumstances in which the IRS will call or come to a home or business, such as when a taxpayer has an overdue tax bill, to secure a delinquent tax return or a delinquent employment tax payment, or to tour a business as part of an audit or during criminal investigations.
Even then, taxpayers will generally first receive several letters (called “notices”) from the IRS in the mail.
Note that the IRS does not:
Demand that taxpayers use a specific payment method, such as a prepaid debit card, gift card or wire transfer. The IRS will not ask for debit or credit card numbers over the phone. Taxpayers should make check payments to the “United States Treasury” or review IRS.gov/payments for IRS online options.Demand that taxpayers pay taxes without the opportunity to question or appeal the amount they say is owed. Generally, the IRS will first mail a bill to those who owe any taxes. Taxpayers should also be advised of their rights as a taxpayer.Threaten to bring in local police, immigration officers or other law-enforcement to have taxpayers arrested for not paying. The IRS also cannot revoke a driver’s license, business license or immigration status. Threats like these are common tactics scam artists use to trick victims into buying into their schemes.
With scams like these circulating, taxpayers and tax professionals should take ongoing security precautions to protect their identities and their computer networks from identity thieves.
Here are a few basic security steps for taxpayers:
Always use security software with firewall and anti-virus protections. Make sure the security software is always turned on and can automatically update. Encrypt sensitive files such as tax records stored on computers. Use strong, unique passwords for each account.Learn to recognize and avoid phishing emails, threatening calls and texts from thieves posing as legitimate organizations such as banks, credit card companies and even the IRS. Do not click on links or download attachments from unknown or suspicious emails.Protect personal data. Don’t routinely carry Social Security cards, and make sure tax records are secure. Shop at reputable online retailers. Treat personal information like cash; don’t leave it lying around.
Here are few basic security steps for tax professionals:
Learn to recognize phishing emails, especially those pretending to be from the IRS, e-Services, a tax software provider or cloud storage provider. Never open a link or any attachment from a suspicious email. Remember: the IRS never initiates initial contact with tax pros via email.Create a data security plan using IRS Publication 4557, Safeguarding Taxpayer Data, and Small Business Information Security – The Fundamentals, by the National Institute of Standards and Technology.Review internal controls:Install anti-malware/anti-virus security software on all devices (laptops, desktops, routers, tablets and phones) and keep software set to automatically update.Use strong and unique passwords of 10 or more mixed characters, password-protect all wireless devices, use a phrase or words that are easily remembered and change passwords periodically.Encrypt all sensitive files/emails and use strong password protections.Back-up sensitive data to a safe and secure external source not connected fulltime to a network.Wipe clean or destroy old computer hard drives that contain sensitive data.Limit access to taxpayer data to individuals who need to know.Check IRS e-Services account weekly for number of returns filed with EFIN.Report any data theft or data loss to the appropriate IRS Stakeholder Liaison.Stay connected to the IRS through subscriptions to e-News for Tax Professionals, Quick Alert and Social Media.