Watch Out for Last Minute IRS Scams that will Target You Even After You’ve Filed

Every once in a while, you should look in your spam folder. For whatever reason, I sometimes find valid, non-spam emails there. Most of the spam is obvious. Amazon keeps wanting to give me free gift certificates, Russian women are dying to meet me, and I can become wealthy working from home. However, if I see a message that reads, “Important Information from the IRS”, I have trouble just ignoring it. What if it really is important information? So the criminals have gotten me to step 1 of their attack. Take the email seriously and open it. A good subject line is the key to the attack. If the email manages to bypass the spam filter and get into my inbox, so much the better.

Upon opening the email, I may get something that looks like this.

irs phish

This is where part 2 of the scam kicks in; getting you to believe the message is real. Well, it has the right logo. It may, in fact, be a copy of a real IRS message. There is even a warning that looks real. Then there’s the appeal to the reader’s greed. Don’t we all hope that one day the IRS will find that they owe us money for a change? Maybe this is that moment!

Everything is good except for the link. Depending on what the attacker wants, clicking on the link could do just about anything. At best, you could be led to a site with a form that collects your personal data. At worst, it could install ransomware on your device and make you pay to get your files back. Some of the fake emails don’t have links. They will have a document for you to open and fill out so that you can get your refund. Opening the document will install the malware. Just a note of caution here. If you go so far as being fooled into opening a Word document file, you are not compromised unless you allow macros. The fake document may even give you instructions on doing this because the document will appear as gibberish. In order to read it, you are told to allow macros. At this point, it depends on how much you want the fake refund. By default, Word disables macros. If you are not sure of your settings, you can check them in your tools/options/security menus or trust center/macro settings.

Remember also that attachments can be given valid looking names and links can be called anything that seems to match the contents of the message. Don’t believe them on face value. Check the link in the email by hovering the cursor over it and looking at the real link in the lower left hand corner of the screen.

Another attack vector has been through tax preparers, such as TurboTax. TurboTax has been hacked in the past and attackers may know who uses it. They can, therefore, send you an email like the following.

turbo fake

Again, it looks good. Don’t believe the ‘From’ address because that may be hidden. Hold your cursor over that to see if the sender is who they say they are. Check the link in the same way. If you are a TurboTax customer, you could easily be fooled into clicking on the link and either filling out a fake form or having malware installed on your device.

The latest scam that the IRS is warning about is the Form W-2 scam, which is, apparently, spinning out of control. According to IRS Commissioner, John Koskinen, “This is one of the most dangerous email phishing scams we’ve seen in a long time. It can result in the large-scale theft of sensitive data that criminals can use to commit various crimes, including filing fraudulent tax returns. We need everyone’s help to turn the tide against this scheme.’’

So how does it work? A legitimate looking email is sent to someone in a firm or organization’s payroll or human resource department. The email appears to come from top management. It may look like this. It will often look informal.

w2 fake

Here is another variation on the same idea. I would normally mask the sender but Sjouwerman actually gave this scam email to cyber security expert, Brian Krebs, so that he could get the word out.

irs ceo

You can understand why the person receiving this would probably comply with the request. The only thing that stopped the scam from working was that the receiver of the request asked Sjouwerman, in person, if he had sent the request. How many of your employees would have done something similar? Had the person sent the information to the return address, the attackers would have had the personal information on all the company’s employees that is included on a W-2 form, which includes their Social Security Numbers.

According to the IRS, these are the common phrases used in these W-2 phishing emails.

“Kindly send me the individual 2016 W-2 (PDF) and earnings summary of all W-2 of our company staff for a quick review.

Can you send me the updated list of employees with full details (Name, Social Security Number, Date of Birth, Home Address, Salary).

I want you to send me the list of W-2 copy of employees wage and tax statement for 2016, I need them in PDF file type, you can send it as an attachment. Kindly prepare the lists and email them to me asap.”

There are a number of variations on this scam. The IRS has reported that some of these requests are coupled with a request for a wire transfer of money. Apparently, the hackers feel that if they’ve made it this far, they might as well try to get some money thrown into the deal.

One major, and quite effective, variation targets organizations that rely on paperless W-2 forms. The scam targets major U.S. universities at this time, but there is certainly no reason why companies or organizations using wireless W-2 forms could not be targeted in the same way. Here is the actual email which fooled staff at the University of California at Berkeley. Notice that the “From” field has an email address rather than a name to give it some look of legitimacy. The other address is that of a school teacher in Georgia. These names don’t matter. The criminals want the reader to click on the link. The “Click Here” link is revealed by the cursor hover and leads to a site that will compromise the individual fooled into going there.

Original Message:

From: (link sends e-mail) < (link sends e-mail)> Date: January 6, 2016 at 5:53:32 AM PST To: undisclosed-recipients:;


Dear: Account Owner,

Our records indicate that you are enrolled in the University of California paperless W2 Program. As a result, you do not receive a paper W2 but instead receive e-mail notification that your online W2 (i.e. “paperless W2”) is prepared and ready for viewing.

Your W2 is ready for viewing under Employee Self Service. Logon at the following link:

Click Here to Logon

If you have trouble logging in to Employee Self Service at the link above, please contact your Payroll Department for support.

If you would like to un-enroll in the Paperless W2 Program, please logon to Employee Self Service at the link above and go to the W2 Delivery Choice webpage and follow the instructions.

And it doesn’t end there. Recently, the IRS warned that tax preparers may be targeted by clients asking that their refund address be changed. The phishing email may include personal details of a real, but compromised, client. The criminal usually wants the refund sent to a prepaid debit card account.

This is the time of year when most taxpayers are preparing their forms and sending them off to the IRS. They may not be surprised by communications seeming to come from the IRS. They are, therefore, more susceptible to scams. Last year, there was a 400% increase in scams at the end of the tax season and that is expected to occur again this year. It’s good to keep in mind the warning from the IRS.

“REMEMBER: The IRS doesn’t initiate contact with taxpayers by email, text messages or social media channels to request personal or financial information. In addition, IRS does not threaten taxpayers with lawsuits, imprisonment or other enforcement action.”

You’ve been warned. But if you fall for the following scam, you deserve no pity.

irs simple

Leave a Reply

Fill in your details below or click an icon to log in: Logo

You are commenting using your account. Log Out /  Change )

Twitter picture

You are commenting using your Twitter account. Log Out /  Change )

Facebook photo

You are commenting using your Facebook account. Log Out /  Change )

Connecting to %s