In 2022, tax phishing scams cost consumers $5.7 billion across the United States. This loss is double what it was in 2021; experts anticipate it could be even higher this year.
Both consumers and businesses are vulnerable to these tax scams. Thanks to an even more digital environment, it can be more challenging to identify these scams.
Common tax scams
Each tax season the scams return, in slightly altered ways. It’s a great time for scammers to send these emails because they know many people and businesses will email tax forms and share personal information.
However, there are many different scams that they could try. If you receive any of these emails, report them on the IRS website.
One thing to understand about tax (or any) phishing scams is that over 89% of them have one thing in common: the sender is not who or what they claim to be.
A very quick check with Valimail’s domain checker will confirm whether the owner of the domain has implemented DMARC, which blocks fake senders. If the domain comes back as red (unprotected), approach the email with a high degree of skepticism. If it comes back as green, you’re on much safer ground, but it is still prudent to be on the lookout for these common fraudulent emails.
Recalculated tax refund
This scam becomes more prevalent toward the end of the tax season after most people have already filed their taxes.
In this scam, people will receive an email saying that their tax refund was recalculated due to an error, promising them a larger refund. However, people should always be wary of emails that promise free money.
These malicious emails require you to send your banking information immediately or risk losing the extra money. If you send your bank account information, the hacker could withdraw funds from your account.
Another tactic that hackers will use is to threaten you with prison time. They will claim that you falsified your tax reports or that they never received your payment. These emails say that if you don’t send over the money, then you’ll be arrested. They could also ask for fees in cryptocurrency or prepaid gift cards.
The IRS won’t initiate email contact with you about your taxes, so don’t panic. However, domain spoofing and sophisticated scams can make these emails appear legitimate by preying on people’s fears.
Fake tax documents
Many companies send you your tax forms electronically because it’s easier and can save time and money. However, relying even more on these online forms opens the door for many hackers.
Some of them may spoof a domain or pose as a bank or an employer and send you a form with malware.
How to protect against tax season scams
One strategy many people use to protect themselves against these scams is double-checking every email. For example, if you get an email to download a tax document, go to the website and verify that a document is available on your account.
If someone asks for money or personal information, you can verify the sender’s identity. If they send an email, send them a text message or call them. This two-step verification ensures you don’t accidentally send information or money to the wrong person.
While training employees and consumers on spotting and avoiding phishing scams is one of the most common prevention methods, it’s not enough. People still fall victim to these scams, especially since they are increasingly sophisticated.
One effective way to stop these scams is to protect your domain with DMARC.
How DMARC can help
Domain-based Message Authentication, Reporting & Conformance (DMARC) is a protocol that ensures the domain in an email’s From header matches the domain that was actually used to send the email.
This is the most effective way a domain owner can ensure that no one can spoof their domain and send phishing or scam emails. In fact, in the first half of 2022, DMARC stopped over 90 million phishing attacks from being sent in the first place.
When a domain has DMARC enforcement in place, the people who receive the email can trust that it came from the domain it claims to come from. This stops the bad emails at the source. While hackers can still send emails from a lookalike domain, they can’t send emails from your domain.
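One way to judge whether a domain's published DMARC record amounts to enforcement, as an added example that is not Valimail's code or tool. The TXT record strings and domains are constructed samples, the function names and status labels are hypothetical, and fallback to an organizational domain's record is not modelled.

```python
# Added example: classify the TXT records published at _dmarc.<domain>.
# All records are constructed samples; no DNS lookup is performed.

def parse_dmarc(record):
    """Return the record's tags as a dict, or None if it is not a DMARC record."""
    tags = {}
    parts = [p for p in record.split(";") if p.strip()]
    for i, part in enumerate(parts):
        name, sep, value = (s.strip() for s in part.partition("="))
        if i == 0 and (name != "v" or value != "DMARC1"):
            return None  # v=DMARC1 must be the first tag
        if sep:  # tags without "=" are syntax errors and are ignored
            tags.setdefault(name.lower(), value)
    return tags or None


def classify(txt_records):
    """Map the TXT records found at _dmarc.<domain> to a status label."""
    found = [t for t in map(parse_dmarc, txt_records) if t]
    if len(found) != 1:
        return "unprotected"  # no record, or several (then no policy applies)
    tags = found[0]
    policy = tags.get("p", "").lower()
    if policy not in ("none", "quarantine", "reject"):
        # Invalid p=: receivers fall back to p=none only if rua= is present.
        return "monitoring" if "rua" in tags else "unprotected"
    if policy == "none":
        return "monitoring"  # reports only; spoofed mail is still delivered
    try:
        pct = int(tags.get("pct", "100"))
    except ValueError:
        pct = 100  # unparsable pct falls back to the default
    if not 0 <= pct <= 100:
        pct = 100
    return "enforced" if pct == 100 else "partial"


SAMPLES = {  # constructed records for placeholder domains
    "enforced.example": ["v=DMARC1; p=reject; rua=mailto:dmarc@enforced.example"],
    "partial.example": ["v=DMARC1; p=quarantine; pct=25"],
    "monitor.example": ["v=DMARC1; p=none; rua=mailto:dmarc@monitor.example"],
    "spf-only.example": ["v=spf1 -all"],
    "duplicate.example": ["v=DMARC1; p=reject", "v=DMARC1; p=none"],
}

if __name__ == "__main__":
    for domain, records in SAMPLES.items():
        print(f"{domain:20} {classify(records)}")
```

Only the "enforced" result means receivers are asked to quarantine or reject all mail that fails DMARC for that domain; a `p=none` record publishes a policy but still lets spoofed mail through.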
This all sounds great, right? You might be wondering why every domain owner doesn’t do this. Well, it can be challenging to implement because of how technical it is. That’s where Valimail comes in.
We make it easy to implement DMARC and automate the process so that once your domains get to enforcement, they stay at enforcement. If you want to take the first step towards locking down your domain, sign up for a free Valimail Monitor account today.