Watch Out for Websites Impersonating Tax Providers and the IRS During Tax Season
April 14, 2025 | 3 min read
BlueVoyant

As Americans file their taxes or anxiously await refunds, they need to be on the lookout for scams. Every year, BlueVoyant identifies multiple websites targeting the IRS and tax providers, which can be used to steal credentials or try to scam consumers.
Before you click on that email or open that text message — is that really the United States Internal Revenue Service (IRS) or your tax provider? It may not be.
BlueVoyant has identified dozens of websites impersonating the IRS, posing a risk to online users. These phishing sites likely aim to steal sensitive information by tricking users into believing they are interacting with the legitimate IRS website. Here are some examples of the phishing sites uncovered by BlueVoyant:


Tax Season 2025 and the Rise of AI
Typically, every tax season, we see many different phishing attempts. Historically, these attempts follow a consistent pattern, often exploiting trust, urgency, or authority. Attackers often use information from data breaches or social media, but primarily focus on reaching as many people as possible to maximize their potential victim pool. The IRS annually updates their 'Dirty Dozen List' of common scams. For the past decade, phishing and smishing (SMS phishing) have consistently topped this list.
With generative AI and deepfake technology becoming more advanced and accessible, these tools are influencing identity theft and tax scams. AI-generated content can mimic natural language, making it harder to spot scams based on poor grammar or spelling. In audio scams, AI-generated content can exploit our tendency to trust voices.
Spotting AI-Generated Tax Content
Be vigilant for communications in a formal or 'paragraph essay' format, using a structured approach like 'thesis, point 1, point 2, conclusion,' or an overuse of transition words such as 'additionally,' 'moreover,' and 'furthermore,' as LLMs tend to generate responses using these formats and words.
Also, be on the lookout for language that pressures you to 'act now or else,' as scammers often create urgency to extract information or payments, sometimes under the threat of law enforcement action. It should be noted that the IRS takes these kinds of accusations seriously and has very standardized procedures when attempting to contact an individual.
AI-generated audio and video often have an 'uncanny valley' effect, where something feels off with the speech pattern, tempo, or language used. If something doesn’t sound or feel right, proceed with caution. For suspected AI-generated audio, hang up and call the IRS or the institution being impersonated directly to verify the communication.
Best Practices for Preventing Phishing Attacks
Most importantly, do not click on links in emails and text messages. If you get an alleged text from the IRS, log in to the official website (irs.gov) via your browser. Follow the same process for any tax provider.
Always check links before opening them. Many of the phishing websites observed by BlueVoyant were hosted on URLs not related to the IRS or a tax provider. For example, one such domain was material-rainbow-echinacea[.]glitch[.]me. While websites may look legitimate, the domain may be far different from what is expected. Attackers can rapidly set up tens of websites to increase volume and make the sites harder to detect and remediate.
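The domain check described above can be automated, for example in a mail-triage or reporting script. The following Python is an added example, not BlueVoyant's code; the TRUSTED_DOMAINS allow-list, the function names and the sample links other than the glitch[.]me host quoted above are assumptions constructed for illustration.

```python
from urllib.parse import urlsplit

# Assumption: the allow-list of real registrable domains is maintained by the reader.
TRUSTED_DOMAINS = {"irs.gov"}

# Constructed sample links; the glitch[.]me host is the one quoted in the article.
SAMPLES = [
    "https://www.irs.gov/refunds",
    "material-rainbow-echinacea[.]glitch[.]me",
    "https://irs.gov.refund-status.example/login",  # trusted name as a subdomain label
    "https://irs.gov@login.example/",               # trusted name in the userinfo part
    "https://notirs.gov/",                          # suffix match without a dot boundary
]

def refang(url):
    """Undo common defanging so the string can be parsed (never fetched)."""
    url = url.strip().replace("[.]", ".")
    if url.lower().startswith("hxxp"):
        url = "http" + url[4:]
    return url

def link_host(url):
    """Return the lower-cased hostname a browser would connect to, or ''."""
    url = refang(url)
    if "://" not in url:
        url = "https://" + url  # a bare domain would otherwise parse as a path
    try:
        host = urlsplit(url).hostname or ""
    except ValueError:  # malformed authority, e.g. unbalanced IPv6 brackets
        return ""
    return host.rstrip(".").lower()

def is_trusted(url, trusted=TRUSTED_DOMAINS):
    """True only if the host is a trusted domain or a true subdomain of one."""
    host = link_host(url)
    return any(host == d or host.endswith("." + d) for d in trusted)

def triage(urls):
    """Map each link to (host, trusted?) so a reviewer sees the real destination."""
    return {u: (link_host(u), is_trusted(u)) for u in urls}

if __name__ == "__main__":
    for url, (host, ok) in triage(SAMPLES).items():
        print(f"{'OK     ' if ok else 'SUSPECT'}  {host:45}  <- {url}")
```

The comparison is made on the parsed hostname with a dot boundary, so a trusted name appearing elsewhere in the link (as a leading label, in the userinfo part, or as a bare suffix) does not pass.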
Train your employees. While attacks like these may seem directed at consumers, many people reuse passwords, so a compromised credential can impact enterprises. Organizations can thwart phishing attacks by training employees to recognize them and providing standard reporting and response actions. Anti-phishing education programs must include ongoing education, awareness campaigns, and mandatory compliance training.
This training should be part of an overall security culture that continuously keeps employees abreast of standard security practices. It should include standard behaviors, technologies, and processes, helping employees work securely.
Use multi-factor authentication (MFA) and secure email gateways to protect against phishing attacks, for both personal and enterprise accounts. These measures add an extra layer of security, making it harder for threat actors to gain access to sensitive information.
If Your Personal Data is Compromised
If someone suspects their personal data has been compromised or they discover an unauthorized tax return has been filed under their Social Security number, we recommend taking the following actions:
- Contact the IRS: Call the IRS Scam Hotline at (800) 366-4484 immediately. They can quickly check for any suspicious activity and provide guidance on how to proceed with disputes.
- Notify Credit Monitoring Agencies: Inform credit monitoring agencies to place a fraud alert on your credit reports.
- File a Report: Report the identity theft to the Federal Trade Commission (FTC) at IdentityTheft.gov.