Every April, tax season brings panic and confusion to millions across the United States. If that wasn't bad enough, it's also accompanied by a wave of potentially costly tax-related scams and insidious Internal Revenue Service (IRS) impersonations.
The best way to defend against these ploys is to arm yourself with information. Luckily, Snopes has been fighting and debunking IRS and tax scams for two decades. Here's some of what we've learned.
Why IRS and Tax Scams Are So Widespread
Over the years, IRS scams have taken various forms: phishing, malware, ransomware, spear phishing, and so on. Their levels of technological sophistication vary, as does the degree of human interaction required to make the con work. In general, though, as we have observed many times, three primary reasons explain why IRS and tax scams are so popular and, at times, so successful:
- Authority. Few government agencies elicit panic and fear the way that the IRS does. An email from your local borough council or the county assessor's office might grab your attention. An email or text message that appears to be from the IRS definitely will, and that's a good start for any would-be scam.
- Universality. If you don't own a car, an auto insurance con is going to fall at the first hurdle. Unless you have an account with Bank of America, a scary-looking email from that company won't work on you. But the vast majority of adults in the U.S. have dealings with the IRS, so tax scams automatically cast a wide net and get a head start.
- Confusion. For many people, filing taxes can be confusing and intimidating. The write-offs, the credits, the arithmetic — even otherwise competent and intelligent adults can end up feeling dizzy and lacking in confidence every April. Tax scams feed off that lack of subject matter familiarity, bewildering victims with official and serious-sounding warnings, or seducing them with the prospect of an unexpected windfall.
Phishing and Identity Theft: The Number One Threat in Tax Scams
Some of the IRS scams we've examined over the years have involved ransomware, such as a 2017 ploy that targeted tax-preparation professionals and accountants and tricked them into clicking on a link that installed a crippling virus on their devices. Similarly, in 2009 scammers sent emails purporting to be from the IRS and accusing the recipient of tax fraud (an attention-grabbing introduction). The emails contained a link that harbored a .exe file, a clear sign of a malware plot.
However, scams typically consist of phishing, a highly prevalent technique that usually involves using an email or text message to trick an internet user into providing personal information (such as a Social Security Number, bank account number, or home address) that they would not normally disclose.
What could persuade taxpayers to hand over precious and private personal details to an unseen correspondent? In general, two things: fear and excitement. The IRS phishing attacks we've encountered in recent years have usually fallen into those two categories: warnings that the recipient has underpaid, and needs to submit further payment to avoid penalties and prosecution; or emails, voicemails, and text messages cheerfully informing them that they are owed a refund, and will get their money if they provide various personal information.
As far back as 2002, Snopes documented a phishing scam in which the perpetrators mailed bogus IRS forms to unwitting taxpayers, deceiving them into faxing back their bank details, Social Security Numbers and PINs.
The technology may have moved on since then, but the basic principle remains the same.
In 2006, for example, a relatively rudimentary scam caused havoc using the exciting offer of an unexpected tax refund amounting to either $63.80 or $163.80. The body of the email contained a link that appeared to take recipients to the IRS website, but in fact directed them to a phony site that solicited private details, like their credit card number and CVV code.
By contrast, an especially insidious con from 2015 targeted business owners, informing them by email that a criminal complaint had been filed against them for tax evasion, and they could read the charges by clicking on an innocuous-looking "IRS" link, which in reality harbored malware.
COVID-19 Brings New Wave of Scams
In difficult periods, scammers also play on the most desperate hopes and fears of ordinary taxpayers. For example, Snopes tracked a significant wave of tax cons during the U.S. financial crisis of 2008 and 2009, with members of the public tricked into disclosing personal details with the false promise of a tax refund or stimulus check.
During the COVID-19 pandemic, those patterns have repeated. In addition to the types of scams Snopes has monitored for many years, here's a breakdown of some of the newer variants that have emerged in the past 12 months or so, according to the IRS itself:
- Spear phishing attack on tax-prep professionals: Scammers pose as clients, send emails back and forth to gain trust, then send malware disguised as a copy of their tax returns. The virus gives scammers access to the victim's device and allows them to either change bank account details on tax returns in order to steal funds, or to freeze the files and demand a ransom.
- "Stimulus" text message scam: Victims receive an unsolicited ("out of the blue") text message purportedly from the IRS, flagging non-existent COVID-related "stimulus payments" and inviting the victim to click on various links.
- Bogus unemployment benefits: Because unemployment benefits are taxable income, recipients need to file IRS Form 1099-G. However, scammers have been sending out bogus forms, then stealing the personal information sent back to them by unsuspecting victims.
- Phone threats: Scammers leave threatening voicemail messages for victims, presenting themselves as IRS agents and warning recipients they will be arrested, deported, or face criminal prosecution if they don't call back. This scam can be especially insidious because perpetrators can use caller ID "spoofing" to make their phone number appear legitimate and correct.
How to Identify IRS Impersonation
In general, readers can defend themselves against tax-related identity theft and bogus IRS phishing attacks by bearing in mind the following:
- The IRS does not use email to initiate contact with taxpayers
- The IRS almost never calls a taxpayer on the phone, or visits their home or place of work
- The IRS does not demand immediate payment upon first contact, without informing you of your right to contest a bill
- The IRS does not demand payment with a specific method, or without first mailing out a bill
- The IRS cannot, and does not, threaten members of the public with arrest or deportation over an alleged outstanding tax bill
For reliable IRS contact details to report possible scams, and for further details on how the agency interacts with the public, check out the official IRS website.