Industry News

Tax-related phishing scams and malware attacks have quadrupled, says IRS


The IRS says that the number of reports it has received of phishing and malware schemes targeting US consumers have rocketed this tax season – claiming that it has seen an “approximate 400 percent surge”.

Across the country official-looking communications are being received, claiming to come from the IRS and companies that develop accounts software and provide services for assisting in the preparation of tax returns. And the tax-related criminal campaigns are not just being distributed via email, but are also being sent via SMS text messages.

Often the fraudulent communications attempt to crowbar personal information out of innocent tax payers, or verify passwords and PIN information.

The reason for the attacks? Yes, online criminals want to exploit innocent victims’ personal tax details, and use them to file false tax returns. But on many occasions the attackers will often simply use tax as a lure to trick users into endangering their computer’s safety in the first place, before planting ransomware or other malicious attacks onto a victim’s PC.

In all, the IRS says it has had 1,026 malware and phishing incidents reported to it already this year, compared to 254 in the same time period last year. And with the official tax deadline still two months away, it’s clear that the problem is only going to get worse.

It’s clear that things have got pretty bad when you see what Intuit, the developer of well-known accounting software for individuals and small businesses such as TurboTax, Mint, QuickBooks and Quicken, is doing about it.

To its credit, Intuit maintains an online security center which is regularly updated with details of new email scams that have targeted its customers.

Here is just one of the examples of scams seen this week, posing as message from TurboTax, and urging unsuspecting customers into clicking on a dangerous link in order to “reactivate” their account.


Aside from phishing attacks, some fraudsters are also attacking computer users with malicious emails that link to websites harbouring keylogging spyware.

IRS Commissioner John Koskinen has warned users to be wary of unexpected tax-related emails in their inbox:

“This dramatic jump in these scams comes at the busiest time of tax season. Watch out for fraudsters slipping these official-looking emails into inboxes, trying to confuse people at the very time they work on their taxes. We urge people not to click on these emails.”

The IRS has, of course, been of interest to online organised criminals for years and the idea of duping users into handing over their personal information by pretending to be the taxman is nothing new. But things got more serious last year, when as many as 334,000 taxpayer accounts were breached.

I suspect what makes tax-related scams and malware attacks so successful, however, is that – unlike online businesses – we cannot chose *not* to deal with the IRS and other tax agencies around the world. So, for many people, a communication from the taxman or from a software vendor that provides tax services doesn’t seem so strange – and they let their guard down.

Stay clued up about the latest threats, and always exercise a healthy skepticism about the messages that arrive in your inbox, and the text messages you receive on your phone.

About the author


Graham Cluley is an award-winning security blogger, researcher and public speaker. He has been working in the computer security industry since the early 1990s, having been employed by companies such as Sophos, McAfee and Dr Solomon's. He has given talks about computer security for some of the world's largest companies, worked with law enforcement agencies on investigations into hacking groups, and regularly appears on TV and radio explaining computer security threats.

Graham Cluley was inducted into the InfoSecurity Europe Hall of Fame in 2011, and was given an honorary mention in the "10 Greatest Britons in IT History" for his contribution as a leading authority in internet security.


Click here to post a comment
  • I live in New Zealand, originally from UK, and I have received several of these emails recently. Gmail usually marks them as spam. It amuses me to read them sometimes as in New Zealand we do not have an “IRS” and the few companies who will check if a refund is due, generally for 12.5 to 15 % of any refund, are well known and advertise on TV.

  • Just pointing out the typo to the editor, if in fact this is read by them (because I’m too lazy to mail Graham):

    ‘we cannot chose *not* to deal with the IRS and other tax agencies around the world.’

    There is of course a missing ‘o’ in ‘chose’ as it should be ‘choose’.