Beware of Phishing Scams This Tax Season!
National Cyber Awareness System:
ST15-001: IRS and US-CERT Caution Users: Prepare for Heightened Phishing Risk This Tax Season
Original release date: January, 12:00 AM EST
Throughout the year, scam artists pose as legitimate entities—such as the
Internal Revenue Service (IRS), other government agencies, and financial
institutions—in an attempt to defraud taxpayers. They employ sophisticated
phishing campaigns to lure users to malicious sites or entice them to activate
malware in infected email attachments. To protect sensitive data, credentials,
and payment information, US-CERT and the IRS recommend taxpayers prepare for
heightened risk this tax season and remain vigilant year-round.
Phishing attacks use email or malicious websites to solicit personal information
by posing as a trustworthy organization. In many successful incidents,
recipients are fooled into believing the phishing communication is from someone
they trust. An actor may take advantage of knowledge gained from research and
earlier attempts to masquerade as a legitimate source, including the look and
feel of authentic communications. These targeted messages can trick any user
into taking action that may compromise enterprise security.
Elements of the phishing lifecycle
1. A Lure: an enticing email
o Example 1 of an actual phishing email
o Example 2 of an actual phishing email
2. A Hook: an email-based
o Email with embedded malicious content that is executed as a side effect of opening the email
o Email with malicious attachments that are activated as a side effect of opening an attachment
o Email with “clickable” URLs: the body of the email includes a link whose visible text shows a recognized, legitimate website, while the actual URL sends the user to malicious content.
3. A Catch: a transaction conducted by an actor following a successful attempt.
o Unexplainable charges
o Unexplainable password changes
Understand how the IRS communicates electronically with taxpayers
- The IRS does not initiate contact with taxpayers by email, text messages or social media channels to request personal or
- This includes requests for PINs, passwords or similar access information for credit cards, banks or other financial
- The official website of the IRS is www.irs.gov.
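As an added example that is not part of the advisory, the Python script below implements the check a mail filter or analyst would apply to the “clickable URL” hook described under the phishing lifecycle, using the advisory's statement that www.irs.gov is the official site: it parses the HTML body of a message and flags any link whose visible text names a different host than its href, whose text invokes irs.gov while the href leads elsewhere, or whose href embeds “irs.gov” as a decoy label inside another domain. The sample message, its hostnames and every function name are constructed for illustration.

```python
"""Flag look-alike links in an HTML email body.

Added example, not code from the US-CERT/IRS advisory. The sample message,
its hostnames and all function names below are constructed for illustration.
"""
import re
from html.parser import HTMLParser
from urllib.parse import urlsplit

LEGIT_HOST = "irs.gov"  # the advisory names www.irs.gov as the official IRS site

# Visible link text that itself looks like a URL or bare hostname.
_URL_LIKE = re.compile(r"^(https?://)?[\w.-]+\.[a-z]{2,}(/\S*)?$", re.IGNORECASE)


def _host(url):
    """Hostname of a URL, tolerating a missing scheme; '' if none."""
    if "://" not in url:
        url = "http://" + url
    return (urlsplit(url).hostname or "").lower()


def _same_site(host, site):
    """True for the site itself or any subdomain; 'irs.gov.example.net' is not."""
    return host == site or host.endswith("." + site)


def _related(a, b):
    """True when one host is the other or a subdomain of it (www.irs.gov ~ irs.gov)."""
    return a == b or _same_site(a, b) or _same_site(b, a)


class _LinkCollector(HTMLParser):
    """Gather (href, visible text) for every <a> element in the body."""

    def __init__(self):
        super().__init__()
        self.links = []
        self._href = None
        self._text = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href") or ""
            self._text = []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            # Collapse whitespace so wrapped anchor text compares cleanly.
            self.links.append((self._href, " ".join("".join(self._text).split())))
            self._href = None


def suspicious_links(html, legit_host=LEGIT_HOST):
    """Return [(href, text, reason)] for links that deserve a second look."""
    parser = _LinkCollector()
    parser.feed(html)
    findings = []
    for href, text in parser.links:
        href_host = _host(href)
        text_host = _host(text) if _URL_LIKE.match(text) else ""
        if text_host and not _related(text_host, href_host):
            findings.append((href, text, "visible text names a different host than the href"))
        elif legit_host in text.lower() and not _same_site(href_host, legit_host):
            findings.append((href, text, "text invokes %s but the href leads elsewhere" % legit_host))
        elif legit_host in href_host and not _same_site(href_host, legit_host):
            findings.append((href, text, "href embeds %s as a decoy label" % legit_host))
    return findings


# Constructed sample: the hook described in the advisory, plus two benign links.
SAMPLE_EMAIL = """<html><body>
<p>Your refund of $1,482.00 could not be processed.</p>
<p>Verify your identity at
<a href="http://irs.gov.refund-verify.example.net/login">www.irs.gov</a>
within 48 hours.</p>
<p>Or <a href="http://203.0.113.9/irs">irs.gov/identity-theft</a></p>
<p><a href="http://secure-login.example.org/">Sign in to IRS.gov now</a></p>
<p>Questions? See <a href="https://www.irs.gov/help">the IRS help page</a>.</p>
<p><a href="https://example.com/track?id=7">Click here</a> to track the request.</p>
</body></html>"""

if __name__ == "__main__":
    for href, text, reason in suspicious_links(SAMPLE_EMAIL):
        print("%-48s shown as %-28r %s" % (href, text, reason))
```

Run against the constructed message, the first three links are flagged and the two genuine ones are not. The check is deliberately string-based: it never fetches the href, so it can run on quarantined mail without touching attacker infrastructure, and a link that hides behind an unrelated domain with neutral text (“Click here”) is not caught by it, which is why the advisory's rule of never clicking links in unsolicited IRS mail still applies.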
Take action to avoid becoming a victim
If you believe you might have revealed sensitive information about your
organization or access credentials, report it to the appropriate contacts
within the organization, including network administrators. They can be alert
for any suspicious or unusual activity.
Watch for any unexplainable charges to your financial accounts. If you
believe your accounts may be compromised, contact your financial institution
immediately and close those accounts.
If you believe you might have revealed sensitive account information,
immediately change the passwords you might have revealed. If you used the same
password for multiple accounts, make sure to change the password for each
account and do not use that password in the future.
- Email: If you receive an email claiming to be from the IRS, do not reply or click on attachments and/or links. Forward the email as-is to firstname.lastname@example.org, then delete the original email.
- Website: If you find a website that claims to be the IRS and suspect it is fraudulent, send the URL of the suspicious site to email@example.com with subject line,
- Text Message: If you receive a suspicious text message, do not reply or click on attachments and/or links. Forward the text as-is to 202-552-1226 (standard text rates apply), and then delete the original message (if you clicked on links in the SMS and entered confidential information, visit the IRS’ identity
If you are a victim of any of the above scams involving IRS impersonation, please report it to firstname.lastname@example.org, and file a report with the Treasury Inspector General for Tax Administration (TIGTA), the Federal Trade Commission (FTC), and the police.
For more information on phishing, other suspicious IRS-related communications including phone or fax scams, or additional guidance released by Treasury/IRS and DHS/US-CERT, visit:
To report a cybersecurity incident, vulnerability, or phishing attempt,
Author: US-CERT and IRS