Don’t let tax scammers make April the cruelest month

Taylor Armerding
6 min readFeb 14, 2022


As we are reminded yearly at about this time, it’s not much fun to prepare your tax return. But it’s a lot less fun — and a lot more expensive — if you get scammed or hacked along the way.

And the unfortunate reality is that you’re at risk. Cybercriminals, who ramp up their efforts at tax season, are getting much more sophisticated at separating you from the money that, as a good citizen, you’re trying to pay to the government. In fact, they’re trying to separate you from a lot more money than what you owe in taxes.

That means we need to amend the cliché — death and taxes are no longer the only certainties in life. Cyberattacks are too. Which means it’s worth paying attention to advice from the Internal Revenue Service (IRS) and other experts on how to keep April from becoming a crueler month than it is already.

True, it’s much more convenient (and saves reams of paper) to do your taxes online. Also, as Thomas Richards, principal security consultant with the Synopsys Software Integrity Group, puts it, “filing taxes online using professional tax companies is no more risky to the consumer than using online banking,” which is now mainstream.

But keep in mind that those digital forms include your address, Social Security number, W-2 wage statements, bank account information, and 1099 forms covering income sources ranging from interest to IRAs, investments, partnerships, annuities, and more.

Added to all that could have been even more risky data — a digital image of your face. It almost was. Until last week, the agency was moving toward a plan that, by summer, would have required taxpayers to furnish a selfie to access their records at the IRS website.

The plan, when it became public last month thanks to security blogger Brian Krebs, aroused ferocious bipartisan opposition in Congress. And last week, the agency backed off, announcing that it was “transitioning away from using a third-party service for facial recognition to help authenticate people creating new online accounts.”

Shared interests

This may come as yet one more confirmation that the IRS is not your friend. You’re right — it’s not. But when it comes to your tax returns, you and the agency have some shared interests. It wants to collect what you owe, make sure you get any refund you’re owed, and not see either get siphoned off by a criminal. Presumably those are your goals as well. So you should welcome any and all efforts to help you recognize and block online criminals. The good news is that they’re available.

As the IRS puts it on a page warning of multiple techniques scammers use, “Thousands of people have lost millions of dollars and their personal information to tax scams. Scammers use the regular mail, telephone, or email to set up individuals, businesses, payroll and tax professionals.”

Those attacks are called phishing — attempts to trick people into opening a malicious attachment or clicking a malicious link by posing as a person or organization that relates to your taxes.

Not surprisingly, they have become much more credible over the years. No longer are there rampant spelling or grammatical errors. The attackers frequently have already collected some personal or business information about their targets, and furnish fake IRS badge numbers and other “authentication.”

Just a couple of many examples: Intuit, which includes TurboTax among its products, posted a notice a couple of weeks ago that an email purporting to come from the Intuit Maintenance Team warns recipients that “we have temporarily disabled your account due to inactivity” and that it’s “compulsory that you restore your access within next (sic) 24 hours.”

That, of course, requires clicking a link and is, of course, a scam. “The sender is not associated with Intuit, is not an authorized agent of Intuit, nor is their use of Intuit’s brands authorized by Intuit,” the company said.

Multiple targets

Tax professionals are targets as well. The IRS warns every year that online scammers will try to impersonate the agencyand steal electronic filing identification numbers.

One bogus email claims it’s all about creating better security. “To help protect both you and your clients from unauthorized/fraudulent activities, the IRS requires that you verify all authorized e-file originators prior to transmitting returns through our system,” it says. “That means we need your EFIN (e-file identification number) verification and driver’s license before you e-file.”

Tax preparers who fall for the scam can enable criminals to “steal client data and tax preparers’ identities that will allow them to file fraudulent tax returns for refunds,” the IRS said.

Beyond all that, the ongoing pandemic has spawned yet more government paperwork covering things ranging from stimulus payments to enhanced unemployment benefits and the child tax credit. Those have simply expanded the “attack surface” for cybercriminals.

That makes all of us more vulnerable when working our way through what can seem like a byzantine pile of forms, worrying that the smallest mistake could result in fines or other penalties.

“Tax time is a confusing and frustrating time for filers,” said Richards. “Attackers can take advantage of this and craft scenarios saying something is wrong with a filer’s tax return or that there was a change to a tax filing that requires action from the filer.”

In the face of all this, how can anyone — average citizen or tax professional — avoid becoming a victim? It’s possible. It just takes vigilance and a healthy level of paranoia because they really are out to get you.

Perhaps most important, you need to know how the IRS does — and doesn’t — contact taxpayers. The agency never initiates contact via email, text, or social media channels. It doesn’t ask for private financial information like a PINs, passwords, or other access information for credit cards, banks, or other financial accounts. It also doesn’t demand payment with any specific payment method like a prepaid debit card or wire transfer.

“The IRS only sends official letters through the mail,” Richards said. “If you receive an email, text, or phone call from someone stating they are from the IRS, it’s fake. And any request for you to take immediate action or there will be a penalty is also most likely a scam.”

The IRS says there are some circumstances when its agents will call or come to a home or business, “such as when a taxpayer has an overdue tax bill, to secure a delinquent tax return or a delinquent employment tax payment, or to tour a business as part of an audit or during criminal investigations.”

But in those cases, the agency will have first sent out several advance notices by mail. The call or visit should not be a surprise, nor conducted like a no-knock warrant.

Here are a few other things the IRS will not do.

  • Call taxpayers to tell them they’ve got a large refund coming but must provide some personal information to confirm it
  • Threaten to bring in local police or other law-enforcement to have the taxpayer arrested for failure to pay
  • Demand that taxes be paid without providing an opportunity to question or appeal the amount owed
  • Ask for credit or debit card numbers over the phone

In short, never provide personal or financial information in a communication — email, text, or phone — that you didn’t initiate.

And this applies to tax professionals as well, who may be savvy to every accounting trick or deduction in the tax code, but don’t have their antennae up for scammers posing as clients.

The IRS warned early in the pandemic that “fraudsters are using pandemic-related themes in their phishing attempts to steal client data, posing as clients or potential clients trying to get in touch with a tax pro digitally through emails or text messages, and then try to trick them into clicking links or opening attachments that infect their computer systems.”

That, of course, could give them access to the personal and financial information to hundreds or thousands of taxpayers, without those taxpayers having made a mistake.

So perhaps before hiring a tax pro, ask about their cybersecurity awareness.

“Unless there is a valid business reason to accept a link from a potential customer, tax professionals should never click them or open attachments,” Richards said. “If the customer is already established, the tax professional should verify the email address before responding or taking any action with the contents.”

That kind of healthy paranoia will make it much more likely that you’ll get through April unscathed and be able to enjoy every other month of the year.



Taylor Armerding

I’m a security advocate at the Synopsys Software Integrity Group. I write mainly about software security, data security and privacy.