Tax season is stressful enough without having to worry about becoming the victim of a cyber crime. Here are three different tax phishing scams targeting employers, individuals, and even tax preparers that are currently making the rounds.

Employers: W-2 Phishing Emails

The W-2 phishing scams that have plagued employers for a couple of years are back with a vengeance. The IRS noticed a significant uptick in these tax phishing scams beginning in January and recently issued an official warning. Also known as spear phishing or business email compromise (BEC) scams, these campaigns differ from traditional phishing scams in that they are highly targeted. They are sent to specific employees within organizations who have access to employee tax data, usually human resources personnel, and often appear to come from a company executive. Occasionally, the IRS reports, the email will request a wire transfer along with employee W-2 data.

Individuals: Phony “Tax Notification” Emails

While the hackers behind this particular scam are not seeking tax ID data, they are harnessing the stress of tax season and victims’ fear of the IRS to get them to click on phishing links. The targets are Microsoft 365 users, and Dark Reading reports that “tens of millions” may have received the emails. The messages purport to be from the IRS, warn recipients that there is some sort of problem with their taxes and that dire consequences will result if they do not take immediate action, and include attachments with names such as “taxletter.doc.” Downloading and opening the attachment installs password-stealing malware on the victim’s machine.

Tax Preparers and Individuals: New Tax ID Theft Phishing Scheme

These highly sophisticated phishing scams are executed in two phases. In the first phase, hackers send traditional or spear phishing emails to tax preparers, which install malware on their computers and allow the hackers to steal client tax and bank account data.

In the second phase, the hackers use the data to file fraudulent tax returns — then have IRS refunds deposited in the victims’ bank accounts. In some cases, the return is filed using one victim’s tax data and the money deposited in another victim’s bank account. The bank account owners are then contacted by someone claiming to be an IRS representative, demanding that they take specific (and irreversible) steps to “return” the money.

Fighting Back Against Tax Phishing Scams

There are several ways to prevent falling victim to these and other tax phishing scams. Organizations should ensure that all employees are trained to identify phishing emails, including spear phishing, have a specific and clear procedure to report suspicious emails, and take all other appropriate proactive cyber security measures. Individuals should also be aware of the warning signs of a phishing email, including text written in broken English and return addresses that appear to be off, such as a government agency with a .com address.

The IRS requests that suspected tax-related phishing emails be forwarded to If you receive an erroneous refund deposit to your bank account, follow the IRS’s instructions for returning it:

  1. Contact the Automated Clearing House (ACH) department of the bank/financial institution where the direct deposit was received and have them return the refund to the IRS.
  2. Call the IRS toll-free at 800–829–1040 (individual) or 800–829–4933 (business) to explain why the direct deposit is being returned.
  3. Interest may accrue on the erroneous refund.
Author's Bio: 

Michael Peters is the CEO of Lazarus Alliance, Inc., the Proactive Cyber Security™ firm, and Continuum GRC. He has served as an independent information security consultant, executive, researcher, and author. He is an internationally recognized and awarded security expert with years of IT and business leadership experience and many previous executive leadership positions.

He has contributed significantly to curriculum development for graduate degree programs in information security, advanced technology, cyberspace law, and privacy, and to industry standard professional certifications. He has been featured in many publications and broadcast media outlets as the “Go-to Guy” for executive leadership, information security, cyberspace law, and governance.