Tax refund phishing scam targets university students and staffers

The IRS is warning of a phishing scam that promises refund information but looks to capture Social Security numbers and other sensitive data.

With tax season in bloom, cybercriminals have launched a series of phishing attacks aimed at university students and employees eager to receive potential tax refunds.

On Tuesday, the IRS issued a warning about a new and ongoing campaign targeted at students and staffers primarily at educational institutions, including those that are public and private as well as profit and nonprofit. The IRS said that its phishing@irs.gov address has received complaints about this scam over the past few weeks from people with .edu email addresses.

Spoofing the tax agency, the emails display the IRS logo and tout subject lines such as "Tax Refund Payment" and "Recalculation of your tax refund payment." Recipients are told to click a link and submit a form to claim their refund.

But to collect their alleged tax bounty, users must supply an array of details, including Social Security number, name, date of birth, full address, annual gross income, driver's license number, and electronic Filing PIN. Of course, all of that represents a bounty of information for the scammers to steal and exploit.

"These attackers are attempting to gather a significant amount of personal information from the victim by sending them to a form that is made to appear like an official IRS form but is really controlled by the cybercriminals and delivers the data entered right into their hands," KnowBe4 security awareness advocate Erich Kron told TechRepublic. "This information can be used to file fraudulent tax returns on the behalf of the victim, steal their identity and can later be sold on the Dark Web as well, resulting in years of sorting out problems for the victims."

Anyone who receives one of these emails should naturally avoid clicking the link in the message. Instead, report the email to the IRS. To do this, save and send or forward the email as an attachment to phishing@irs.gov. The IRS added that the Treasury Inspector General for Tax Administration and IRS Criminal Investigation are both aware of the scam.

Rather than respond to emails, those who think they're due a refund should check their status at the Where's My Refund page at the IRS website. Taxpayers should also consider obtaining an Identity Protection PIN. Through this free, voluntary, opt-in program, the IRS provides you with a six-digit number that you include with your tax return as a way to stop criminals from filing phony returns in your name.

Any taxpayer whose electronic tax return is rejected because one with their Social Security number has already been filed should fill out Form 14039, Identity Theft Affidavit. This affidavit signifies that you may have been the victim of identity theft. The IRS's Identity Theft Central site also offers tips on how to avoid or deal with identity theft.

But education is the best way to avoid falling for one of these scams, according to Kron.

"Individuals should be trained to be cautious of any emails that cause a strong emotional response, ask for urgent actions or that request sensitive personal information," Kron said. "People should always check the URL bar in their browser before entering any information into a form and should be aware that instead of following a link to another page, they can go directly to the IRS.gov website and check on the status of their tax refund or filing."
