Tax season is a bonanza for identity thieves. While the IRS has been grappling with ID thieves for years, the Social Security Administration (SSA) has reported its first phishing attempt. Here’s what you can tell employees now.
irs.gov—always a target-rich environment
Tax returns have all the information an ID thief needs. So it’s not surprising that the IRS’ website has been the main target of phishers for years. Phishers’ phony websites appear identical to the IRS’, but entice taxpayers anxious for their refunds to divulge personal information, including, crucially, their Social Security numbers (SSNs).
Scammers fake Social Security email
According to the SSA, the phony email that’s floating around has a subject line of “Get Protected.” It reviews new features from the SSA that purport to help taxpayers monitor their credit reports and learn about unauthorized use of their SSNs. It even takes the brazen step of citing the IRS and an official-sounding “S.A.F.E. Act 2015.” It may sound real, but it’s 100% bogus.
How to tell fake government websites
Phishing emails have one purpose—to motivate recipients to click on the embedded link. Once clicked, malware—like viruses and spyware—can be installed on their computers. Or the link might send recipients to a spoof site—a look-a-like website set up by the scammer to trick recipients into entering their personal information.
Here are some clues about how to tell a fake IRS or SSA website or email:
- The website or email contains misspellings, grammatically-challenged text or aggressive language regarding tax collection activities
- The email ends up in recipients’ spam folders
- Recipients are invited to click through and provide their SSNs
- URLs end in .com, .org or .net.
Help employees help themselves
Employees who are unsure whether an email is a legitimate federal agency communication should contact that agency directly, but they should find the agency’s contact information themselves. Employees can click on www.usa.gov/federal-agencies/a to find the agency they need to contact.
Employees who want to track their tax refunds online can go to https://www.irs.gov/Refunds. Also, remind employees that the IRS never contacts taxpayers by mail, phone or email, and never asks them to disclose personal information. Finally, report suspected phishing attempts to the IRS at https://www.irs.gov/uac/Report-Phishing.
As for other phishing attempts, tell employees to report them to the Federal Trade Commission by forwarding the email to firstname.lastname@example.org—and to the real organization impersonated in the email.