March 10, 2017
Nothing is certain except death and taxes—and phishing scams every tax season. "Phishing" is defined as identity theft taking place over the Internet. According to the IRS, phishing and malware incidents rose 400 percent in the 2016 tax season. Based on recent IRS alerts, these incidents have not diminished in the 2017 tax season. Both this year and last year, the IRS has discovered phishing schemes targeting tax professionals, payroll workers, human resources personnel, schools, individual taxpayers, and more.
Phishing Schemes Involving HR and Payroll Professionals
The IRS recently issued an alert to payroll and human resources professionals about phishing emails. These emails, purporting to be from company executives, request personal information about employees. Recipients who believed the emails to be trustworthy official communications have sent the scammers payroll data such as W-2 forms and employees’ social security numbers.
This type of phishing expedition, in which a scammer’s email is disguised as coming from a source the receiver knows and trusts, is called "spoofing." But it is no joke. The scammers’ goal is to collect money, passwords, social security numbers, and other information that can lead to identity theft, or to infect the recipient’s computer with malware that gives the scammer access to sensitive files or allows him to track keyboard strokes that expose login information.
Reacting to Suspicious Emails
If a recipient of an email purporting to be from a company executive is unsure about its legitimacy, she should check the sender’s email address against the email address in her records. Often, the fake address differs only by a missing or added period or letter. If the address is exactly the same, the recipient should call the executive to verify the email.
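The address comparison described above can be run automatically against a list of addresses on record. The following is an added example, not part of the original alert; the addresses, names, function names and the `max_distance` threshold are assumptions made for illustration.

```python
# Added example: compare a sender address with the addresses on record.
# All addresses are constructed samples on the reserved example.com domain.
KNOWN_EXECUTIVES = {
    "jane.smith@example.com": "Jane Smith (CEO)",
    "robert.lee@example.com": "Robert Lee (CFO)",
}

def edit_distance(a: str, b: str) -> int:
    """Levenshtein distance: single-character inserts, deletes, substitutions."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1,                 # delete ca
                           cur[j - 1] + 1,              # insert cb
                           prev[j - 1] + (ca != cb)))   # substitute
        prev = cur
    return prev[-1]

def classify_sender(address, known=KNOWN_EXECUTIVES, max_distance=2):
    """Return (verdict, closest address on record or None)."""
    addr = address.strip().lower()   # mail systems generally ignore case
    if not known:
        return ("not-on-record", None)
    if addr in known:
        # An identical address is not proof of origin: verify by phone.
        return ("exact-match-verify-by-phone", addr)
    best = min(known, key=lambda k: edit_distance(addr, k))
    if edit_distance(addr, best) <= max_distance:
        # A missing or added period or letter lands here.
        return ("lookalike", best)
    return ("not-on-record", None)

if __name__ == "__main__":
    for sample in ("jane.smith@example.com",    # identical to the record
                   "janesmith@example.com",     # missing period
                   "robert.leee@example.com",   # added letter
                   "vendor@example.net"):       # unrelated sender
        print(sample, "->", classify_sender(sample))
```

A `lookalike` verdict is the case the alert warns about; an exact match only means the next step is the phone call.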
Generic requests for information should set off alarm bells. Fraudulent emails often are not personalized; many phishing emails begin with "Dear Sir/Madam."
Confidential information should not be submitted via forms embedded within email messages.
If there is any doubt as to the authenticity of links in an email purporting to connect to a website, the recipient of the email should open a new browser window and type the URL directly into the address bar.
www.OnGuardOnline.gov provides guidance to people who unwittingly clicked on a malicious email link or downloaded an attachment containing malware.
Ten Suggestions for Defending Against Phishing Attempts
Where to Report Email Scams
The FTC requests that phishing emails be reported here:
The IRS recommends forwarding phishing emails to firstname.lastname@example.org and forwarding emails with malware that have not been clicked on or downloaded to email@example.com.
If you have any questions about your organization’s data security or privacy issues, please contact us at (562) 653-3200.