Christopher A. Hopkins, CFA

Phishing, Smishing and Vishing: Fraudsters feast at tax time

Tax filing season presents scammers with a target-rich environment, and despite stepped-up education and prosecution by enforcement agencies, 2023 promises to be another productive year for the bad guys. Once again, the IRS is warning taxpayers to be on the alert for increasingly aggressive and convincing fraud schemes as the filing deadline approaches.

Each year since 2005, the Internal Revenue Service has published its “Dirty Dozen” list of the top 12 scams perpetrated against taxpayers and tax preparers that can result in financial losses and increase the odds of identity theft. The 2023 list includes some new threats as well as a few golden oldies. As in prior years, the upshot is that most of these incidents are avoidable by adopting simple security practices and questioning unsolicited communications.

Financial fraud has continued to outrun the ability of law enforcement to contain it, even against more aggressive efforts to detect and prosecute the perpetrators. According to the Federal Trade Commission, consumers lost $5.8 billion to financial fraud schemes in 2021, the latest year for which data is available. Meanwhile, the IRS reports that over 90% of tax returns are now filed electronically, increasing overall efficiency but also creating more opportunities for online chiselers to intervene. And guess what: COVID strikes again, as the panoply of temporary refundable tax credits intended to aid consumers through the pandemic has proven to be an attractive target for bad actors and spawned some new additions to the Dirty Dozen.

Email, text, and phone attacks to steal taxpayer information remain a growing threat. Phishing schemes involve emails purporting to be from the IRS or another legitimate entity that attempt to entice recipients to surrender personal information or subscribe to fraudulent schemes. Phishing emails often include links or attachments that, if followed, can surrender personal information to the criminal and potentially lead to identity theft. While phishing attempts are sometimes obvious from poor spelling or grammar, the use of artificial intelligence has improved their quality and made detection more difficult.

Smishing is a similar technique using SMS text messaging to hook unsuspecting victims. Common tactics include phony alerts indicating a hold on an account, a report of “unusual activity”, or threat of enforcement action prompting the victim to click on a dangerous link. Vishing, as you may gather, is the use of phone or voicemail messages to threaten or cajole a taxpayer into giving up information or signing up for a bogus service and often also leads to identity theft.

The IRS urges consumers not to click on unsolicited links or respond to voicemails without verifying the identity of the sender. It is important to understand that the IRS generally contacts taxpayers only by mail, and the agency never initiates contact by email, text or social media regarding a bill or a tax refund. Phishing attempts should be reported by forwarding the email or a copy of the text message to [email protected].

Another dastardly entrant into the Dirty Dozen is a surge in scammers offering “help” to taxpayers in setting up their account online with the IRS. A legitimate Online Account at is a helpful resource in tracking tax filings and refunds as well as previous payments and correspondence, and the account can be easily created by the individual. This year, scammers are posing as a “helpful” third party and offering assistance to consumers in setting up their Online Account, then stealing the information. No help needed, thank you.

Refundable tax credits have provided a new target for the crooks. In particular, a host of con artists are encouraging businesses to apply for special COVID credits to which they are not entitled. The airwaves have been bombarded with ads for payroll tax credits to support employers who suffered economic losses due to COVID. These Employee Retention Credits (ERC) are available under certain limited circumstances if the losses were not previously recovered through the PPP program. While there are certainly legitimate companies that have successfully advised small businesses in claiming appropriate credits, some of these promoters have not properly explained the qualifications or have encouraged businesses that do not qualify to file. In addition, some of these miscreants have captured taxpayer information. The IRS reminds business owners to rely on their trusted tax professional in determining eligibility for tax credits.

The Dirty Dozen also warns taxpayers to beware of shady tax preparers. Some consumers report being “ghosted” by unscrupulous quacksalvers who pop up to provide poor advice or worse and then disappear. These ghost preparers refuse to sign the tax return or ask the consumer to sign a blank tax return, may charge a percentage of the estimated refund as payment, and sometimes falsify the return to increase their fee. Legitimate tax professionals have an IRS Preparer Tax Identification Number or PTIN, which you can verify at

Legitimate tax professionals are also happy to discuss their own cyber security protocols to safeguard your data. Personally identifiable information should only be transmitted to and from your tax preparer by a secure portal or encrypted email utility, which your preparer can provide to you.

Swindlers take advantage of honest consumers by leveraging what security experts call FUD: fear, uncertainty, and doubt. Tax time can heighten all three and calls for extra attentiveness to avoid becoming a victim.
