It’s tax season. And it’s not just the IRS after your money.
Tax time is a special time for cybercriminals. People are on edge, eager for their refund or dreading their bill. Perfect prey.
You’ve seen those fake IRS emails. You’re threatened with jail, fines, and a miserable life if you don’t click to provide your bank account number. Or teased with unexpected refunds due to mysterious “calculation errors.”
“In order for us to return the excess payment, you need a create a e-Refund account…”
Seriously? If the IRS wants to send you money, it already knows how. Its adding machines work fine.
Email tax scams are just one type of cybercrime. The category spans phishing, denial-of-service (DoS) attacks, malware that can physically damage systems or data, and more. (Fake IRS emails, by the way, are popular with cybercrooks all year long.)
Cybercrime generally has one of two goals: get your money now, or get your personal information now to get your money, or more, later.
It can get much worse. Malware (including ransomware) can destroy your business. Nearly two-thirds of businesses that experience a cyberattack fail within six months; they never recover from the losses.
And 92 percent of cyberattacks come through email.
What This Series Is About
One of your best defenses against cybercrime and cyberattacks is, in a word, education. Everyone in your organization should know how to recognize tax scams and other suspicious emails, and how to respond to a cyberattack.
To that end, this article is the first in a three-part series that explains how to:
- Recognize tax scams and other phishing attacks,
- Respond during and after a cyberattack, and
- Protect yourself and your organization against future attacks.
Read Parts 2 and 3:
Part 2 – How to Spot (and Block) Email Phishing Scams
Part 3 – How to Respond to Ransomware and Malware Cyberattacks
The Very Large Size of the Problem
No device is safe. Ransomware and other malware can infect desktop computers, network servers, mobile phones, tablets, printers, even smart TVs and gaming consoles.
Moreover, the spate of ransomware attacks in 2017 — one targeting mainly hospitals and government agencies — showed that cybercrime is often international and able to single out entire industries.
According to studies, the cybercrime “industry” itself likely raked in more than $1.5 trillion in profits in 2018. If it were a country, cybercrime would have the 13th largest Gross Domestic Product (GDP) in the world.
The cybercrime economy looks like the “real” economy. Cybercriminals range from solopreneurs to multinational corporations. In fact, some cybercrime has adopted the model of “platform capitalism” with Cybercrime-as-a-Service (CaaS).
(But it seems the pay is better. Cybercriminals “earn about 10-15% more than their counterparts in traditional crime,” writes Hashed Out.)
In short, cybercriminals send a lot of emails, their main line of attack. They do it because 30 percent of those emails get opened, making the criminals rich. Some 12 percent of email users fall victim.
Will you be one of them this tax season?
How the IRS Communicates: Myths and Facts
Whatever you may think about the IRS, they know how to write letters.
The letters are not literature, not warm or conversational, not even in a nice font.
But they’re articulate. They’re informative, with detailed instructions and copious contact info. There are no spelling or grammar mistakes. The letter explaining their payment plan is not terse or cryptic but five pages long! What to do is not a mystery.
So the first thing you need to know is this — from its own website:
“The IRS does not use email, text messages or social media to discuss tax debts or refunds with taxpayers.”
In short, if you get an email claiming to be from the IRS, it’s not from the IRS.
When the IRS wants your attention, it mails you a well-written, good-old-fashioned letter in an envelope. Except in rare situations, the IRS always reaches out through the US Postal Service first.
What the IRS Will and Won’t Do
On this page the IRS describes in detail exactly how they contact taxpayers, and what they will and won’t ask you.
Here are some key items. The IRS will not:
- Contact you or discuss your taxes by email, text, or social media;
- Demand immediate payment using a specific method, e.g. wire transfer, debit card;
- Ask for debit or credit card numbers over the phone;
- Threaten to call the cops to have you arrested;
- Demand payment without giving you the opportunity to question or appeal the amount owed;
- Revoke a license or immigration status (it has no authority to do that).
The IRS will inform you of your rights as a taxpayer.
If the IRS is planning to visit your business for an audit or inspection, they’ll usually inform you by letter first.
If they assign you to a private collection agency (PCA), both the IRS and the agency will send you a letter informing you of the assignment.
The IRS uses only four authorized PCAs, and will refer your account to only one of them, never all four. PCA representatives:
- Will identify themselves and ask for payment to the U.S. Treasury, never to a third party;
- Will not take enforcement action.
Continue Your Tax Scam Education
In this article, we’ve covered how to be sure you’re actually dealing (or not) with the IRS.
The main point again:
If it’s an email, it’s not from the IRS.
In the next article, you’ll learn how to identify dangerous emails that appear to be from Amazon, UPS, and other familiar companies. (Many of the telltale signs apply to fake IRS emails too, but now you know to ignore those emails automatically.)
As you’ll see, these phishing emails are the exact opposite of the long, detailed missives from the IRS. They’re vague and badly worded, with suspicious links. Read “How to Recognize (and Block) Phishing Scams” to learn more (coming Feb. 13).
In the meantime (or any time), here are the IRS’s own resources on how to recognize scams and protect yourself:
Read the complete series from PC Professional:
Part 1 – It’s Tax Time: How to Protect Yourself from Email Tax Scams (this post)