I had an email in my inbox yesterday which allegedly contained a voicemail from the Internal Revenue Service (IRS). Here’s part of what the email looked like:
There are two things you should know for context. One, since I represent taxpayers, I do get voicemail from the IRS. And two, since I have a digital phone line, I often have my voicemail emailed to me. So it’s not completely unlikely that I’d receive an email with a voicemail from the IRS. This one, however, is clearly a scam.
There was no voicemail. The email wasn’t from my regular voicemail provider and instead directed me to a SharePoint URL. I don’t use SharePoint, but I do know that last year there were a number of SharePoint phishing scams. In some cases, the scammers attempted steal Office 365 credentials from victims, and in other cases, the scammers used the links to spread malware. In most cases, the scams targeted businesses: that lines up with the email I received since it was sent to one of my business email accounts.
It was clear to me that the email wasn’t legitimate, but since I haven’t yet heard about this particular variation on the IRS impersonation schemes, I followed up with some folks at IRS. I asked whether they’ve received reports about what looks like a new trick. They had not, so I was inclined to dismiss it as a one-time thing.
Today, I received another email. Same general format and text, but a different “from” email address (for the record, neither of sender addresses were IRS email addresses). I suspect that means that the scam is in the early stages of making the rounds.
Remember the phone scams where the callers were allegedly from IRS? They started slowly, too, but at one point, I received up to three in one day. And IRS-related email scams also escalated: the IRS issued a warning to taxpayers last December about a surge of new email phishing scams.
The reality is that thieves and scammers aren’t giving up; they’re just trying new tricks. As always, the Internal Revenue Service (IRS), state tax agencies and the nation’s tax industry remind taxpayers to be alert. According to IRS Commissioner Chuck Rettig, tax season can provide “opportunities for scam artists to try stealing valuable information through fake emails.” Just last year, the IRS noted a 60% increase in bogus email schemes that seek to steal money or tax data.
In my case, the emails were easily distinguished from my normal voicemail emails. However, it’s clear that scammers are getting better at targeting taxpayers, as well as impersonating the IRS, federal agencies, and financial institutions.
If you’re not sure whether a link in an email might be safe, don’t click and don’t respond to the email. You can forward suspicious IRS-related emails to [email protected]—then hit delete (check with other federal agencies or financial institutions for their protocol).
Here are a few more tips on how to protect yourself:
- If you receive a call from someone claiming to be from the IRS, and you do not owe tax, or if you are immediately aware that it’s a scam, don’t engage with the scammer and do not give out any information. Just hang up.
- If you receive a telephone message from someone claiming to be from the IRS, and you do not owe tax, or if you are immediately aware that it’s a scam, don’t call them back.
- If you receive a phone call from someone claiming to be with the IRS, and you owe tax or think you may owe tax, do not give out any information. Call the IRS back at 1.800.829.1040 to find out more information.
- Never open a link or attachment from an unknown or suspicious source.
- If you’re not sure about the authenticity of an email, don’t click on hyperlinks. A better bet is to go directly to the source’s main web page.
- Use security software to protect against malware and viruses found in phishing emails.
- Use strong passwords to protect online accounts and use a unique password for each account. Longer is better, and don’t hesitate to lie about important details on websites since crooks may know some of your personal details.
- Use two- or multifactor authentication when possible. Two-factor authentication means that in addition to entering your username and password, you typically enter a security code sent to your mobile phone or other device.
As a reminder, the IRS will never:
- Call to demand immediate payment over the phone, nor will the agency call about taxes owed without first having mailed you a bill.
- Threaten to immediately bring in local police or other law-enforcement groups to have you arrested for not paying.
- Demand that you pay taxes without giving you the opportunity to question or appeal the amount they say you owe.
- Require you to use a specific payment method for your taxes, such as a prepaid debit card, gift card or wire transfer.
- Ask for credit or debit card numbers over the phone.
Don’t fall for the tricks. Keep your personal information safe by remaining alert. And, when in doubt, assume it’s a scam. For tips on protecting yourself from identity theft-related tax fraud, click here.