
How to Protect Your Members from Phishing Scams During Tax Season

By: Gene Fredriksen, Security Strategy Consultant

Most people do not look forward to tax season. However, groups of financial fraudsters can’t wait for it to get started. This is the time of year when scam artists will try to take advantage of taxpayers’ stress and concerns – especially the elderly, who may not have technical experience – by pretending to be the IRS and deceiving them into unknowingly providing their personal and financial information.

Detecting and Preventing Phishing Scams

Many taxpayers become anxious about possible errors on their returns, which could make them susceptible to calls and emails from tax scammers. Credit unions can help prevent their members from falling victim to phishing scams by educating them about the warning signs.

  • The IRS will not initiate contact with a taxpayer by email, nor will it send a message via text or on social media. Any requests for financial and account information, passwords or similar information for credit cards via these channels should be ignored, deleted or reported to the IRS.
  • The IRS also doesn’t call to demand immediate payment using specific methods like prepaid debit cards, gift cards or wire transfers. Generally, the IRS will first mail a bill to taxpayers who owe taxes. The taxpayer can then call the number on the bill to verify the contact actually came from the IRS.
  • Over the past several years, the IRS has reported a new email phishing scam. The email subject line may vary, but recent examples use the phrases “Automatic Income Tax Reminder” or “Electronic Tax Return Reminder.” Clicking on a link in the email takes users to a site that looks just like an official IRS site. When users try to access links on those sites, malicious files are downloaded to their computer. By infecting computers with malware, the imposters can gain control of the user’s computer or secretly download software that tracks every keystroke, eventually obtaining passwords to sensitive information, including financial accounts. All of this can take place without the user’s knowledge.
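An added example, not part of the original article: a mail-triage check a credit union's security team could run over member-reported messages, flagging the two subject lines quoted above and IRS-themed mail whose links point outside irs.gov. The function names and both sample messages are constructed for illustration.

```python
import re
from email import message_from_string
from urllib.parse import urlsplit

# Subject phrases quoted in the article's description of the scam.
REPORTED_SUBJECTS = ("automatic income tax reminder", "electronic tax return reminder")
URL_RE = re.compile(r"https?://[^\s\"'<>]+", re.I)

def is_irs_host(host):
    """True only for irs.gov or a real subdomain, not look-alikes such as irs.gov.example."""
    host = (host or "").lower().rstrip(".")
    return host == "irs.gov" or host.endswith(".irs.gov")

def body_text(msg):
    chunks = []
    for part in msg.walk():  # visit every MIME part, keep the text/* ones
        if part.get_content_maintype() == "text":
            raw = part.get_payload(decode=True) or b""
            chunks.append(raw.decode(part.get_content_charset() or "utf-8", "replace"))
    return "\n".join(chunks)

def triage(raw_message):
    """Return the reasons a message looks like the IRS-themed lure (empty list if none)."""
    msg = message_from_string(raw_message)
    subject = msg.get("Subject") or ""
    sender = msg.get("From") or ""
    reasons = []
    if any(p in subject.lower() for p in REPORTED_SUBJECTS):
        reasons.append("subject matches a reported lure phrase")
    claims_irs = bool(reasons) or bool(re.search(r"\birs\b", sender + " " + subject, re.I))
    hosts = {urlsplit(u).hostname for u in URL_RE.findall(body_text(msg))}
    off_domain = sorted(h for h in hosts if h and not is_irs_host(h))
    if claims_irs and off_domain:
        reasons.append("IRS-themed message links outside irs.gov: " + ", ".join(off_domain))
    return reasons

# Constructed sample messages (not real traffic); .example is a reserved TLD.
SAMPLE_LURE = """\
From: "IRS Online" <notice@irs.gov.refund-portal.example>
Subject: Electronic Tax Return Reminder
Content-Type: text/plain; charset=utf-8

Review your return: http://irs.gov.refund-portal.example/login
"""
SAMPLE_BENIGN = """\
From: Credit Union <news@creditunion.example>
Subject: Branch holiday hours

See https://creditunion.example/hours
"""
```

Calling `triage(SAMPLE_LURE)` returns two reasons, while `triage(SAMPLE_BENIGN)` returns an empty list.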

As always, your members’ awareness is the first line of defense. Antivirus and other technical controls can help keep computers secure, but they can’t replace personal knowledge. If an email looks suspicious, it probably is. Think of it like a stranger stopping you on the street and asking for your personal financial data: an unsolicited email is the electronic equivalent of this scenario. The simplest and most effective defense is to ignore these solicitations.

The IRS provides excellent training and reporting systems on its website. You can visit its Report Phishing and Online Scams page for more details.

Gene Fredriksen is a co-founder and current executive director of the National Credit Union ISAO, the principal cybersecurity consultant with PureIT CUSO, and has also held the positions of CISO for PSCU, Global CISO for Tyco International, principal consultant for security and risk management strategies for Burton Group, vice president of technology risk management and chief security officer for Raymond James Financial, and information security manager for American Family Insurance.

He served as the chair of the security and risk assessment steering committee for BITS, and also served on the R&D committee for the financial services sector steering committee of the Department of Homeland Security. He also served as an advisor on various cybersecurity steering committees for the administrations of George W. Bush, Bill Clinton and Donald Trump, assisting in the preparation of the president’s Cybersecurity Position Paper.