Beware! It’s Not the IRS Texting, Emailing, or Calling You

There are many compelling reasons why tax returns are valuable to hackers, but all are related to monetary gain. Tax returns are dense with personal information, including social security numbers, dependents’ PII, property addresses, and bank account information. This information can be sold on the dark web or used in future social engineering attacks that could lead to account takeovers and ransomware. The most lucrative way to monetize tax returns is to file fraudulent returns for refunds. Stolen Identity Refund Fraud (SIRF) is a million-dollar business run by organized cybercriminals with millions of fraudulent tax returns filed every year.

Once a hacker has the PII from a tax return, it can be used for SIRF, financial theft, medical theft, and it can be used or sold for spear phishing, account takeovers, ransomware, and it can even be used to start a cyberattack on your place of work. According to an article in, cybercriminals are attracted to tax scams because “cybercrime groups have learned that tax season is a real bonanza and their efforts only require social engineering to pull off the scam.” The article reminds users, “The IRS does not contact taxpayers by sending an email, text or social media to request personal or financial information.”

TechRepublic highlights the most common scams in their article warning consumers and businesses of common scams during tax season. “One of the most common scams involves criminals posing as tax authorities or members of a company’s accounting department. The attacker uses social engineering to obtain tax-related data such as social security numbers or personal bank account details.”

A recent article Dark Reading highlights the latest tax scams to watch out for this year and includes examples of SMS, Emotet tax-themed phishing, email, and voice scams. There are thousands of live malicious “tax-themed” threats in SMS, email, and on the web. Most focus on identity theft, credential stealing, BEC, and account takeover. These social engineering threats ask people to upload their 1040 to verify their identity. Tax returns are rich with personal information, including social security numbers, addresses, dependants PII, and sometimes bank account information.

Examples of the Latest Phishing Threats Related to the IRS
Here is just a taste of the threats SlashNext Threat Labs have been seeing over the past few weeks. As with most phishing, these are credential stealing, and many have very convincing URLs and very good IRS imposter sites.

BEC Phishing Scam

SMS Text

Your IRS tax refund has been denied. Click here to file a review in 24 hours: http://bit[.]ly/sdfsd5The page asks the user to upload their tax returns to verify their identity.


SMS Text and Vishing Scams 

New Emergency Notice from IRS. Free Evaluation on Your National Debt Relief Call 1-800-098765.

Your IRS tax refund has been denied. Click here to file a review in 24 hours: http[:]//bit[.]ly/sdfsd5

New Emergency Notice from IRS. Free Evaluation on Your National Debt Relief Call 1-800-098765

Last Reminder, YOUR CONFIRMATION REQUIRED. Congratulations! You’ve been selected by the IRS please verify your information $20K Debt Required. Confirm now by calling at 1-800-0987-12

You still have an outstanding tax refund from last year. Please visit our secure link to process https://tax[.]refund[.]t5r[.]com/

You still have an outstanding tax refund from last year. Please visit our secure link to process https://tax[.]refund[.]t5r[.]com/” 

The page asks users to upload their tax returns to receive their tax refund.

What You Can Do to Protect Yourself
Beware of any SMS text, email, or phone call from anyone claiming to be from the IRS. Check URLs for the accurate IRS website ( Ensure you type the correct URL into your web browser to avoid typo-squatter websites impersonating the IRS. Protect your mobile devices and computers with anti-phishing and anti-malware protection. SlashNext Email Protection for Microsoft365 stops 65% more spear-phishing, BEC, malware, and ransomware link threats than all other cloud-native email security services. SlashNext zero-hour protection in real-time through patented AI-powered detection delivers a 99.9% detection rate with Live Scan identifying zero-hour threats in real-time. Incredibly quick time to value with the first incident identified in 1 hour or less and protection against phishing emails using URLs trusted domains that evade SEG technology

Start a Risk-Free Trial Today



It’s Time to Get Started with SlashNext

Experience the difference with broad phishing threat coverage and automated delivery.

Close Menu

Compare SlashNext HumanAI™ with your current email security solution for 30 days

SlashNext Observability Report