Every year, there's no shortage of attempts by cybercriminals to hijack tax season. Last year, the IRS uncovered $2.3 billion in tax fraud. These scams go after both tax preparers and taxpayers. In a pandemic year, there's an even higher level of risk simply because when people are overburdened, it's more likely for their guard to be down. In fact, as the latest Fortinet threat report found, 2020 was a banner year for cybercriminals.

Individuals e-filing tax returns are at risk – and the IRS estimates that roughly 90% of returns filed for 2020 will be done electronically. Fortunately, by knowing what to watch out for and making sure you're following security best practices, you can keep yourself – and your funds – safe.

Always verify

Impersonation of IRS officials is an age-old tactic; the method of delivery may change, but the motive's the same. Most of today's tax scams involve either directed phishing email campaigns or, more typically, calling individuals and claiming to be an employee of the IRS or a collection agency hired by the IRS. Many times, these scammers even know the victim's Social Security number and address because this information has been stolen or purchased by the scammers. Many even spoof IRS caller IDs to appear legitimate.

Typically, the IRS uses the U.S. Postal Service to contact taxpayers, though there are some circumstances when they will call or make a visit – but these are usually preceded by a mailed notice. As the IRS makes clear on its website, an IRS official will not call you and demand a prepaid debit card, gift card or wire transfer or other specific payment methods. Typically, the IRS will first mail a bill to any taxpayer who owes taxes.

The IRS also will not require you to pay taxes without the opportunity to question or appeal the amount they say you owe, nor will the agency threaten to bring in local police, immigration officers or other law enforcement to arrest you for not paying. Your immigration status, driver's license and/or business license cannot be revoked by the IRS. Any sort of communication you receive purporting to be from the IRS that uses any of these threats is a scam.

Keep your personal information safe and protected

Basic cyber hygiene is always essential, but it's especially important to keep it in mind when it comes to e-filing taxes, given the sensitive information involved. One cornerstone of cyber hygiene is creating strong passwords; another has to do with where you're accessing the internet from.

  • Don't use easily obtainable information like your birthday or phone number, for instance.
  • Don't use the same password for multiple accounts
  • Make sure your passwords are at least 10 characters long: You may want to use a password manager to generate unique, long, complex, easily changed passwords for all your online accounts.
  • Use secured WiFi networks: Given the current pandemic situation, it's unlikely you'll be sitting around for hours in a coffee shop using their WiFi network to fill out your tax forms, but the sentiment stands – don't use unsecured public WiFi networks to file your taxes.
  • Don't forget to leverage free cybersecurity training that exists out there to educate yourself.

Another important hygiene practice is to diligently watch out for phishing attempts. A common approach that bad actors use is to send emails designed to look like they came from the IRS, using subject lines meant to prey on your emotions, such as "URGENT ACTION REQUESTED NOW." As we'll see in the next section, these types of emails should set off your Spidey senses – don't click links!

tax1 Tax season stressing you out? Here's what to do about it. Photo: pixabay.com

Trust your instincts

If you do get contacted by someone purporting to be from the IRS, don't give the person your financial or other personal information. If it's actually the IRS, they already have a lot of your information on file and will only request specific information through the mail. Write down the details of the call – the phone number, name of the caller and any other details that they might give you. If you have been contacted by email, do not click on any attachments or links. Instead, take a screenshot of the information and then delete the message.

Then, report the call or email. You can file a complaint with your local police, who probably have a fraud prevention program. You can also file a complaint with the Federal Trade Commission at ftc.gov/complaint or with the Treasury Inspector General at tigta.gov. Share with them all the information you gathered about how you were contacted and what was said.

Report any emails claiming to be from the IRS by sending the screenshot you took to phishing@irs.gov. 

Be alert and informed

To update the famous adage, there's a third thing in life that's certain – malicious actors. And malicious actors will find any opportunity to prey upon people, including tax season. With the extended tax deadline of May 15, cybercriminals have even more time to test out their tricks. Fortunately, falling victim to a scam isn't a certainty. Use the best practices noted above to stay safe and secure from tax fraud schemes no matter how they come to you.

(Aamir Lakhani is a cybersecurity researcher and practitioner for Fortinet’s FortiGuard Labs)