The Internal Revenue Service warned of an ongoing IRS-impersonation scam that appears to primarily target educational institutions, including students and staff who have ".edu" email addresses.

The IRS' phishing@irs.gov mailbox has received complaints about the impersonation scam in recent weeks from people with email addresses ending in ".edu." The phishing emails appear to target university and college students from public and private, for-profit and non-profit institutions.

The suspect emails display the IRS logo and use various subject lines such as "Tax Refund Payment" or "Recalculation of your tax refund payment." The email asks people to click a link and submit a form to claim their refund.

The phishing website requests taxpayers provide their:

  • Social Security number
  • First Name
  • Last Name
  • Date of Birth
  • Prior Year Annual Gross Income (AGI)
  • Driver's License Number
  • Current Address
  • City
  • State/U.S. Territory
  • ZIP Code/Postal Code
  • Electronic Filing PIN

Hank Schless, Senior Manager, Security Solutions at Lookout, says, "At this time of year, attackers will pose as members of the IRS to socially engineer employees into sharing sensitive tax-related information such as social security numbers or bank account information. They’ll leverage a number of tactics including:

  • Sending malicious message attachments that deploy malware onto the employee’s smartphone, tablet, or PC.
  • Sending fake authentication messages through SMS that convince the employee to enter their login credentials on a malicious site.
  • Contacting employees over the phone and directing them to download a malicious app or visit a phishing page to access allegedly compromised tax documents."

Schless adds, "Security teams should be protecting employees across all endpoints to ensure they don’t fall victim to a phishing attack or download a malicious attachment that compromises the organization’s entire security posture. These scams are most effective on mobile devices, and attackers know that and are creating phishing campaigns like this to take advantage of the mobile interface that makes it hard to spot a malicious message. People access their work email on a smartphone or tablet just as much as they do on a computer. Any text, email, WhatsApp message, or communication that creates a time-sensitive situation should be a red flag. Employees should approach these messages with extreme caution or go straight to their IT and security teams to validate it."

According to Rick Holland, Chief Information Security Officer, Vice President Strategy at Digital Shadows, year over year, the scams remain largely the same—fake filing, robocalls, tax fraud—although this year Electronic Filing Identification Number fraud has emerged. "Don't think of tax scams as a consumer problem; it can be a significant enterprise risk. Tax fraud might not be the goal of a tax phishing lure; the goal could be to capture credentials to be used for initial access into your environment. To prepare for tax fraud season, defenders should tailor security awareness training to the threat; the IRS issues fraud alerts that can be incorporated into training. BEC-specific training should be conducted for finance teams because dollar amounts are much higher when it comes to corporations. Helping to protect your employees in their personal lives will help to protect your company," says Holland.

Joseph Carson, chief security scientist at Thycotic, explains, "The reason why employees still fall for tax scams is quite simple: the emails are so authentic looking it is difficult to tell the difference from the real thing. These scams are so widespread because they work and it is easy money for cybercriminals. If you have a large target list, and many of the victims are unable to tell the difference between a scam and the authentic notices, then even if a small number of people fall for such a scam, it is still extremely profitable for the cybercriminals. Cybercriminals use a lack of good cyber hygiene, fear of breaking the law and financial penalties if unpaid, as scare tactics which continue to prove effective."

There are many ways to stop these scams from being successful, Carson says. "The quickest is to develop better cybersecurity hygiene by educating employees on ways to detect email scams. Another way to stop and prevent such scams is to use a good email spam filter that will help ensure such email scams do not make it to the email inbox. If an email does make it into the inbox, then go to the website and call the number to check if it is authentic and do not call the number if provided within the email as, most likely, it is fake also. Check the email sender address and not the display name. Check the email for spelling mistakes. Check any hyperlink addresses by hovering over them to see where they send you. However, do not click on the links. Also check your personal details for accuracy. These simple tips can help avoid a potential cybersecurity nightmare."
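Two of the checks Carson lists (compare the sender address with the display name, and compare where a hyperlink really points with what it shows) can be automated for mail-triage or awareness-training tooling. The script below is an added example, not from the article or any vendor quoted in it; the sample message, its addresses and its domains are constructed placeholders, and the "claims to be the IRS" keyword test is an assumption for illustration.

```python
"""Triage checks for a suspected IRS-impersonation email (added example):
sender display name vs. real address, and each link's visible text vs. its href."""
from email import message_from_string, policy
from email.utils import parseaddr
from html.parser import HTMLParser
from urllib.parse import urlparse

# Constructed sample: display name claims the IRS, the address and link do not.
SAMPLE = """\
From: "Internal Revenue Service" <refunds@example-mailer.test>
Subject: Recalculation of your tax refund payment
Content-Type: text/html

<p>Click <a href="http://irs-refund-claim.example.test/form">https://www.irs.gov/refunds</a></p>
"""

class LinkCollector(HTMLParser):
    """Collects (href, visible text) pairs for every <a> in an HTML body."""
    def __init__(self):
        super().__init__()
        self.links, self._href, self._text = [], None, []
    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href, self._text = dict(attrs).get("href"), []
    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)
    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None

def domain_of(value):
    """Last two labels of a URL's host, a bare host, or an email address's domain."""
    host = urlparse(value if "://" in value else "//" + value).hostname or ""
    return ".".join(host.split(".")[-2:])

def triage(raw):
    """Return human-readable findings for a raw RFC 5322 message."""
    msg = message_from_string(raw, policy=policy.default)
    findings = []
    name, addr = parseaddr(str(msg["From"]))
    # Assumed heuristic: a name invoking the IRS should come from irs.gov.
    if any(k in name.lower() for k in ("irs", "internal revenue")) and domain_of(addr) != "irs.gov":
        findings.append(f"sender claims '{name}' but mails from '{domain_of(addr)}'")
    html = msg.get_body(preferencelist=("html",))
    collector = LinkCollector()
    collector.feed(html.get_content() if html else "")
    for href, text in collector.links:
        if "." in text and domain_of(text) != domain_of(href):
            findings.append(f"link shows '{domain_of(text)}' but points to '{domain_of(href)}'")
    return findings
```

The checks are deliberately simple signals for a human reviewer, not a verdict: a mismatch is a reason to report the message, while a clean result does not prove it genuine.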