Fortinet FortiGuard Labs, Fortinet's global threat intelligence and research organization. Photo: Fortinet

For cybercriminals hunting for easy prey, tax-return time is open season—and if you aren’t careful, you could find yourself in their crosshairs. Every year around this time, we see an increase in social engineering attacks on stressed-out, deer-in-the-headlights individuals preparing to file or receive their annual tax returns. 

Social engineering is defined as an array of attacks where cybercriminals manipulate victims using human interaction and emotions. The attacker’s goal is to fool the victim into revealing sensitive information that can then be used to compromise security, access systems, and steal valuable assets.

An Attack in Stages

One of the hallmarks of a social engineering attack is that it is done in stages. This is a typical step-by-step example from the social engineering playbook: First, identify a “good” potential victim based on demographics like employer, occupation, location, age, etc. 

The traditional targets for tax refund scams are immigrants, small business owners, and people under 25 or over 60. Cybercriminals believe these groups are sometimes more vulnerable to manipulation because they may have little or an incomplete understanding of how government agencies and tax systems work.

The second step in the process is for attackers to research the potential victim’s background via social media and/or Google searches. The scammer’s goal is to compile as much personal information as possible. The third step is to gain “the mark’s” trust over a period of time in different ways, such as sharing common interests or experiences. The fourth step is to leverage the data gathered and the friendship bonds—even if newly established—to manipulate the mark into divulging sensitive information or violating security policies.

Scam-a-lot: The Many Methods for Social Engineering

Attackers use different avenues for connecting to and scamming victims. Some of the most common methods are phishing emails, smishing (phishing text messages), and vishing (voice phishing) phone calls. During tax season, scammers tend to impersonate officials from the Internal Revenue Service (IRS), a state or local government tax department, a financial institution, or a collection agency.

Scammers may use the personal information they have compiled along with stolen data to appear real and legitimate. As social engineers become more sophisticated and empowered by having a substantial amount of the individual’s personal information, they can become very convincing in their efforts to hoodwink their targets.  

Social engineering scams are the attack-du-jour during tax season. However, there are precautions you can take to avoid becoming a victim.

How to Avoid Social Engineering Scams

If you know how to handle suspicious emails or phone calls, you can probably avoid becoming a victim of this tax season’s social engineering attacks. Fortinet’s FortiGuard Labs team has already found scams related to tax season out on the Internet. Consider the following tips for effectively defending yourself:

  • Look for errors. Scammers’ emails and texts tend to contain mistakes, including grammatical issues, typos, and odd or unnatural word choices. If the content seems like it was written by someone not communicating in their native language, there’s a good chance it is a phishing attempt.
  • Keep your B.S. meter activated. Be suspicious of all unexpected emails or phone calls claiming to be from the IRS or other governmental agencies or authorities. If something seems wrong or too good to be true, trust your gut instinct. Don’t provide the sender or caller with any personal information without verifying their authenticity.
  • You don’t need to share with strangers. It’s natural for many people to want to share personal information. It may feel rude, but you must shut down requests with a simple, “No, I am not going to tell you my Social Security or credit card numbers.” You must resist scammers’ pressure tactics, especially if they try to convince you that something terrible will happen if you don’t cooperate immediately.
  • But it’s good to share with family, friends, and the IRS. If you become aware of a social engineering campaign via first-hand experience or via some other reliable source, be sure to inform your family and friends about it. Share your experience with colleagues too, so that everyone in your personal and professional networks can keep their guard up.

    NOTE: You can directly report IRS-related phone or email scams to the Treasury Inspector General for Tax Administration using the form on the IRS Impersonation Scam Reporting website or by sending an email to with the subject line “IRS Impersonation Scam.”
  • Use cybersecurity to help prevent attacks. There are many cybersecurity solutions on the market tailored for consumers and organizations of all sizes that can help shield email accounts and devices from cybercriminal attempts, including social engineering. 

Free Cybersecurity Awareness Training

The Fortinet NSE Training Institute offers free cybersecurity awareness training that covers key cybersecurity terms, the cybercriminal’s motivations, attack methods, and protection tactics. Whether you know very little about cybersecurity or already have a career in IT, these courses are designed to give students a foundational and advanced understanding of cybersecurity tools and principles as well as the threat landscape. 

Learn more about the Fortinet free cybersecurity training initiative, the Fortinet NSE Training program, Security Academy program, and Veterans program.