In response to the Internal Revenue Service (IRS) warning against tax-based phishing attempts, the city of Philadelphia released cybersecurity recommendations. In day two of the annual Dirty Dozen tax scams campaign, the IRS again includes a warning about phishing and smishing schemes where cybercriminals try to steal a taxpayer’s information through scam emails or text messages.

The Dirty Dozen is an annual IRS list of 12 scams and schemes that put taxpayers and the tax professional community at risk of losing money, personal data and more. Some items on the list are new, and some make a return visit. While the list is not a legal document or a formal listing of agency enforcement priorities, it is intended to alert taxpayers, businesses and tax preparers about scams at large.

The city made the following recommendations: 

Taxpayers and tax professionals should be alert to fake communications posing as legitimate organizations in the tax and financial community, including the IRS and states. These messages arrive in the form of an unsolicited text or email to lure unsuspecting victims to provide valuable personal and financial information that can lead to identity theft. There are two main types:

• Phishing is an email sent by fraudsters claiming to come from the IRS or another legitimate organization, including state tax organizations or a financial firm. The email lures the victims into the scam by a variety of ruses such as enticing victims with a phony tax refund or frightening them with false legal/criminal charges for tax fraud.
• Smishing is a text or smartphone SMS message that uses the same technique as phishing. Scammers often use alarming language like, “Your account has now been put on hold,” or “Unusual Activity Report” with a bogus “Solutions” link to restore the recipient’s account. Unexpected tax refunds are another potential target for scam artists.

The IRS initiates most contacts through regular mail and will never initiate contact with taxpayers by email, text or social media regarding a bill or tax refund.

Never click on any unsolicited communication claiming to be the IRS as it may surreptitiously load malware. It may also be a way for malicious hackers to load ransomware that keeps the legitimate user from accessing their system and files.

Individuals should never respond to tax-related phishing or smishing or click on the URL link. Instead, the scams should be reported. The report should include the caller ID (email or phone number), date, time, time zone and the number that received the message.