The Internal Revenue Service (IRS) is warning taxpayers about a significant rise in so-called 'smishing' attacks consisting of IRS-themed texting scams designed to steal personal and financial information. Smishing attacks target mobile phone users by delivering scam text messages offering fake COVID relief, tax credits, or other benefits.
The IRS does not send emails or text messages asking for personal or financial information or account numbers, the agency says.
So far in 2022, the IRS has identified and reported thousands of fraudulent internet domains responsible for multiple IRS-themed smishing attacks. Recently, these attacks have increased exponentially.
Mobile Phones Targeted
Smishing, a text-oriented form of phishing, is a scam with the goal of getting you to give up personal or financial information, including account numbers. Because smishing uses text messages, mobile phones and other MMS/SMS devices are the primary targets.
The scam messages often appear to be coming from the IRS and offer such things as COVID relief, tax credits, or help setting up an online IRS account, according to the agency. The texts often ask recipients to click a link where the fraudulent website tries to collect personal information or send a malicious code to the phone.
Increase in Text Scams Began in 2020
The IRS first noticed an increase in reports of smishing in the fall of 2020. The reported attacks, which always asked for personal and financial information, continued through the COVID pandemic. In addition to an extensive warning campaign, the IRS has posted a video about how to avoid IRS text message scams.
Beginning in the fall of 2020, the IRS observed an increase in reports of smishing scams requesting taxpayer personal and financial information. These smishing campaigns continued through the pandemic. The IRS has taken numerous steps to warn people of this ongoing threat, including posting a video about how to avoid IRS text message scams.
As the IRS ramps up its efforts to shut down online fraud, criminals are evolving new tactics. One includes using algorithms to automatically generate hundreds or even thousands of fraudulent domains. The agency reports that a recent smishing campaign used just three dozen stolen or bogus email addresses to create over 1,000 fraudulent domains.
With the approach of October's Cybersecurity Awareness Month, the IRS and the Security Summit partners in the states and the nation's tax community remind people and the tax professional community to be on the lookout for phishing scams and other schemes that could put sensitive tax data at risk.
How to Report a Smishing Attack to the IRS
The IRS maintains an email inbox (email@example.com), to collect and process IRS, Treasury, and tax-related online scams. Smishing involving other government agencies or private brands should not be reported to firstname.lastname@example.org.
If you receive an IRS-related text scam, report it to email@example.com.
Reporting IRS-themed texts to the IRS lets IRS security personnel track and disrupt these scams. Your report to the IRS should include both the body of the message and the sender's information in one email or text. Copying the actual text into an email is best but screenshots are also permissible.
To report a smishing attack, the IRS says to do the following:
- Create a new email to firstname.lastname@example.org.
- Copy the caller ID number (or email address).
- Paste the number (or email address) into the email.
- Press and hold the SMS/text message and select "copy".
- Paste the message into the email.
- If possible, include the exact date, time, time zone, and telephone number that received the message.
- Send the email to email@example.com.
Taxpayers should continue reporting these scams to firstname.lastname@example.org. Their reporting allows the IRS to report these scams to the appropriate service providers for action, protecting other taxpayers who might receive a variant of the same scam.
Additional Reporting You Can Do
In addition to reporting the scam to the IRS, IRS-related scams can be reported to the Treasury Inspector General for Tax Administration using the IRS Impersonation Scam Reporting form and the Federal Trade Commission (FTC) through their Complaint Assistant. This will make the information available to investigators at those agencies.
You can also copy and forward scam texts to your wireless provider by texting it to 7726 (SPAM). This allows providers to spot and block these messages in the future.
October Is Cybersecurity Awareness Month
With the approach of October's Cybersecurity Awareness Month, the IRS and the Security Summit, a coalition of state tax agencies and private sector tax businesses, is reminding taxpayers and the tax professional community to be on the lookout for phishing and smishing scams as well as other other schemes that could compromise sensitive tax data.
In addition, the IRS has joined with representatives of the software industry, tax preparation firms, payroll and tax financial product processors, and state tax administrators to combat other crimes including identity theft refund fraud to protect taxpayers.
The Bottom Line
Vigilance is the bottom line. Don't click on links in texts, especially if you suspect they are not from a legitimate source. Government agencies such as the IRS do not send texts asking for personal or account information.
It can be difficult to tell if a text is legit or not. When in doubt, report the text via the information listed above. Then contact the IRS directly to find out if it has been trying to contact you.