It’s a sad state of affairs when every year I have to make several unplanned posts about new fraud surrounding taxes. In the latest attack, it is not a direct attempt to steal our money, but rather our data. According to the IRS:

The Internal Revenue Service and Security Summit partners today warned the public of a surge of fraudulent emails impersonating the IRS and using tax transcripts as bait to entice users to open documents containing malware.

The IRS advisory goes on to warn that these fraudulent emails install a specific type of malware called “Emotet,” which had previously only attacked financial institutions. According to Wikipedia, “Once Emotet has infected a host, a malicious file that is part of the malware is able to …[transmit] sensitive data being compiled to access the victim’s bank account(s).”

You can protect yourself against this malware by ignoring any email that says it is from the IRS — or better yet, visit the agency’s phishing page to find out how to report the sender. If you accidentally open an email that says it’s from the IRS, do not click any attachments.

As tax-fraud season gears up, it’s actually easy to protect yourself if you don’t forget the fundamentals:

  • The IRS will never contact you over email
  • The IRS will never threaten you with imprisonment
  • The IRS will never ask for payment in gift cards or demand an immediate wire transfer

Be safe out there, and contact me with any questions.