Tax Season Security Tips

There is an uptick in phishing, scamming, and other online fraud during tax time, and lots of bad actors love to catfish as the Internal Revenue Service. By following some simple best practices, though, you can keep the hackers’ mitts off your refund. 

Keep your security strong this tax season 

By following a few, easy-to-adopt cybersecurity habits, you can make it much harder for scammers to ever gain access to your information.  

Enable multi-factor authentication (MFA)

Use multi-factor authentication (MFA) wherever possible. MFA (also called “two-factor authentication” or “2FA”) will fortify your online accounts by creating an extra layer of security, such as a fingerprint scan or a unique one-time code sent to your phone. Most major email and online tax preparation services have this tool available. Even if hackers somehow get ahold of your password, MFA keeps your accounts locked down.

Be aware of “MFA fatigue,” too. Of course, if you get an MFA notification that you are trying to log into an important account (like your tax preparer’s platform), and you didn’t make the request, DO NOT grant access. Scammers sometimes will bombard you with MFA requests, hoping you will accept the bogus requests to enable them to gain access. If you didn’t expect the request, DO NOT grant access.  

Contact the company to see about next steps, which might involve changing your password or other security measures.   

Get your Identity Protection PIN

You can get a special Identity Protection PIN (IP PIN) from the IRS to keep your online tax information secure. An IP PIN is a six-digit number that prevents someone else from filing a tax return using your Social Security number. The IP PIN is known only to you and the IRS and helps verify your identity when you file your electronic or paper tax return. Protect your IP PIN as you would other sensitive information. 

File early to give scammers the slip 

We recommend filing your taxes as early as you can. The sooner you can file, the less time cybercriminals have to file a fake return and try to nab your refund. As they say, an ounce of prevention is worth a pound of cure, and it is much harder to try to get back all of your return after having your identity stolen than it is to file early. While having your refund routed illegally to a scammer’s bank account isn’t common, getting done with your taxes ASAP reduces the chances of this type of disaster even more. Even if you aren’t expecting a refund, you should get your taxes done early, because hackers can forge documents that make it seem like you are owed a refund – which they’ll send to their bank account. Filing early strips them of time.     

Red flags of IRS scam 

It might not be the sexiest choice, but scammers love to catfish as the IRS. Unsolicited emails, calls, texts, or direct messages that prompt you to share valuable personal and financial information are very likely scams. With your personal data, online thieves can swindle funds and commit identity theft.  

What do real IRS communications look like? 

The biggest red flag that you are being targeted for an IRS scam is that you get a phone call or message from a supposed-IRS representative without receiving any mail from the agency. Contact from the IRS is initiated via the United States Postal Service. The IRS might call after it has sent you physical mail first, especially if you haven’t responded to multiple letters. An IRS agent might also visit you in person. 

The IRS will not email, text, or DM you. They won’t try to friend you on Facebook or swipe right on you on Tinder. This is true for most government agencies in the U.S.  

Criminals impersonating federal employees can be very convincing by using fake names, presenting fake credentials, or spoofing telephone numbers. If you are unsure if the caller is legitimate, hang up, look up the direct number for the agency online, and call that agency to verify. 

A real IRS agent WILL NEVER demand you make an immediate payment to a source other than the U.S. Treasury. Unscrupulous callers claiming to be federal employees can be very convincing by using fake names or phony ID numbers. If you are unsure if the caller is legitimate, hang up, look up the direct number for the agency online, and call that source to verify. 

More red flags 

• Requests for data: Be extremely suspicious of any communications that ask you to provide personal information such as bank account information, Social Security numbers, login credentials, or mailing addresses. Cybercriminals will often impersonate the IRS in phishing campaigns.   
• Urgency: Scammers use an abnormal sense of urgency and other scare tactics to obtain information. Their goal is to make you panic and stop thinking clearly. 
• Attachments: Watch out for any message that includes an attachment, such as a PDF. Never open attachments from a suspicious or unknown email address. It may download malware or viruses onto your device. 
• Phishing as tax preparers: Along with the IRS, scammers will also imitate popular tax programs like TurboTax and H&R Block to try to snag your financial information. These companies will never contact you through phone, email, or text asking for your login information, or for you to give them an MFA code that you didn’t request.  

What to look for in a tax preparer 

Unless you are a tax code aficionado yourself, working with a professional tax preparer is the best way to avoid audits and ensure you get the maximum refund. However, because this person or business will have access to some of your most sensitive information (from your Social Security number to your bank statements), you need to due diligence that they will keep your data, and money, safe.  

Research is worth it 

Vet your tax preparer before handing over information. Ask what steps they take to protect your information. Businesses of all sizes are susceptible to cyberthieves, so it is critical to choose a preparer who takes security seriously. Here are some specific questions you can ask: 

• How will we exchange files and sensitive information?  
• Who at your firm will have access to my data?  
• Are our communications end-to-end encrypted?  
• What types of network security have you implemented?  
• How do you back up client data?  

Securely send documents  

When it comes to data privacy, sometimes the old ways are best – one of the most secure ways to transfer your most sensitive documents is physically, either delivering them in-person or through the mail. When communicating with your tax preparer digitally, use encrypted email services, which is now common on major email platforms. Encryption protects the email contents from being read by entities other than the intended recipients. Also, only use a secure portal to upload documents to your tax preparer, which also use encryption to restrict access to files.  

Back it up  

Like any important documents or files, you should back up everything related to your taxes. Make electronic copies (such as scans or photos) of your tax documents. Back up all your files on the cloud, an external hard drive, or both. Ideally, you will have the original paper copy and multiple digital copies. One of these digital copies should be located away from the rest, either online in a secure cloud system or on a hard drive locked in a safe.  

Report scams 

If you think you are the victim of a tax scam, report it right away. The sooner you report the incident, even if you aren’t totally sure, the better your chances of recovering your cash.  

• Victims of identity theft: IRS Identity Theft Central 
• Treasury Inspector General for Tax Administration (TIGTA): Report IRS-related impersonation  
• IRS, Treasury, and tax-related online scams: Report Phishing 
• IRS CI: Report Tax Fraud 
• FTC: Report Fraud  
• IC3: Report Cybercrime