The Cost of Tax Season Fraud: How Threat Actors Target Your Data and Money

The IRS identified a staggering $5.7 billion in tax fraud schemes last year, over twice the amount reported in 2021.

Default Author Image
March 24, 2023

The IRS identified a staggering $5.7 billion in tax fraud schemes last year, over twice the amount reported in 2021. And with the large amount of personally identifiable information (PII) that is exchanged leading up to Tax Day on April 15, it’s no wonder that threat actors view this time of year as high season for stealing data to exploit people’s vulnerabilities for financial gain. 

Tax-related cyber attacks are on the rise in recent years, making it more important than ever to be aware of the risks and take steps to protect yourself and your organization. The good news is, while new strategies for threat actors to strike emerge each year, the core tactics used to execute these attacks remain the same or variations of tried and true methods.

This means that by understanding the signs of tax fraud and taking proactive measures to safeguard your sensitive information, you can avoid becoming a victim during tax season. Leveraging threat intelligence to stay informed about the latest trends and tactics is critical, and provides your organization with important visibility into the attack vectors to look out for, allowing you to prevent an attack and protect your data and people from a breach.

Why threat actors love tax season

There are several factors that contribute to tax season’s popularity for threat actors looking to scam organizations and individuals.

Data volume

Large amounts of personal and financial information are exchanged in the months leading up to April 15 via tax returns and other related documents. This information can be valuable to threat actors who can use it for identity theft, tax fraud, or other fraudulent activities.

Deadlines for filing

The time-sensitive nature of tax season is also appealing to threat actors, with individuals and organizations feeling pressure to file their taxes quickly, possibly putting them at a higher likelihood to fall victim to scams. In their haste to file their taxes, they may be more likely to fall for phishing attempts or other fraudulent activities.

Increased communication frequency

The potentially increased volume of emails and phone calls during tax season from tax resources, including CPAs, the IRS, and employees’ HR departments, often encourages threat actors to increase their phishing scams and phone scams, which can be used to collect personal and financial information. These scams can be difficult to detect, as they may appear to come from legitimate sources.

Limited resources

The IRS and other tax-related organizations may have limited resources during tax season, which can make it more difficult for them to detect and prevent fraudulent activities. This can create opportunities for threat actors to take advantage of vulnerabilities in the system.

How threat actors strike and profit

There are a variety of ways threat actors attempt to access sensitive data and manipulate individuals into falling victim to their scams.


Threat actors can use “fullz” during tax season to commit tax-related identity theft. “Fullz” refers to a complete set of an individual’s personal information, including their name, date of birth, social security number, address, and financial account information. These sets of data can be purchased on the dark web or stolen through data breaches.

Phishing campaigns

Attackers may use phishing tactics to trick an employee of a company into sharing their W-2 form by sending an email that appears to be from a company’s HR department, requesting that the employee email their W-2 form back to the department. Once the attacker has the W-2 form, they can use the information on it to file a fraudulent tax return in the employee’s name.

Threat actors may also leverage phishing to send emails or create fake websites that appear to be from the IRS or a tax software company, asking for personal information or login credentials.

Other ways in which they may leverage these attacks include:

  • Impersonation: Scammers may impersonate trusted sources, such as the IRS, tax preparers, or other financial institutions, in order to gain the trust of the victim. They may use official-looking logos and language to make the email appear legitimate.
  • Social engineering: Scammers may use social engineering tactics to manipulate the victim into taking action. For example, they may create a sense of urgency by claiming that the victim needs to respond immediately to avoid legal action or penalties.
  • Malware: Scammers may include malware in the email, either as an attachment or a link, in order to infect the victim’s device and steal sensitive information.
  • Data theft: Scammers may request sensitive information from the victim, such as social security numbers or financial account information, in order to commit identity theft or financial fraud.

Fraudulent CPAs

Attackers may pose as tax professionals, either in-person or online, and offer to file a tax return for an individual. They may ask for payment upfront or promise a larger tax refund. Once they have the individual’s personal information, they may use it for identity theft or file a fraudulent tax return.

Fraudulent tax information

Threat actors may try to scam individuals by convincing them to provide false refund information. This type of scam is usually targeted at taxpayers who are owed a refund and can be particularly lucrative for attackers.

Threat actors will normally contact the victim and offer to help them obtain a larger tax refund. They may claim to be a tax professional or an IRS agent. The attacker will ask the victim to provide personal information, such as their Social Security number and other identifying information, as well as information about their income and tax deductions.

The attacker will then file a fraudulent tax return in the victim’s name, routing the refund to an account they control or requesting a check be sent to a fake address. When the victim attempts to file their own legitimate tax return, they are informed that one has already been filed in their name. They may also receive a notice from the IRS that their tax return has been rejected or that there is an issue with their refund.

Ineligible tax credits

Similarly to encouraging victims to provide inaccurate information in their tax filings, threat actors have also been observed attempting to have victims file for credits they are not eligible for by providing false income and personal information. This attack may include threat actors offering to help victims file their taxes in exchange for payment, or pretending to be a tax professional and filing fraudulent returns on behalf of the victim, claiming false deductions or credits, and pocketing the difference.

The IRS has released a statement about this scam, and has warned filers that they are on the lookout for signs that filers are attempting to fraudulently claim benefits they do not qualify for.

Offer in compromise “mills”

Offer in compromise (OIC) mills are companies that claim to help taxpayers settle their tax debts for less than the full amount owed, through the use of an OIC program offered by the IRS. These companies often charge high fees for their services and make unrealistic promises about the likelihood of success. It is important to note that taxpayers can often receive the same deal through OIC mills that they could have gotten by working with the IRS, without the fee.

OIC mills exist as a threat year-round, but tend to ramp up during tax season and after the filing season ends when taxpayers may receive a balance due notice in the mail if they owe additional taxes. Victims who fall for these scams may end up paying high fees for services that are unlikely to be successful, or may have their personal information compromised.

Protecting your organization from tax season threats

Organizations can take several steps to protect themselves, their employees, and their customers from tax season threats and scams. Here are some best practices that can be implemented:

  • Educate employees: Organizations should provide regular training to employees on how to recognize and respond to tax-related threats and scams. This can include information on common scam tactics, how to verify the authenticity of requests or offers, and how to report suspicious activity.
  • Use security software: Organizations should use security software, such as anti-virus and anti-malware software, to protect against threats such as phishing attacks and malware infections.
  • Implement strong passwords and multi-factor authentication: Organizations should require employees and customers to use strong passwords, and implement multi-factor authentication for access to sensitive data and systems.
  • Secure data and systems: Organizations should secure sensitive data and systems by using firewalls, encryption, and access controls. This can help prevent unauthorized access and data breaches.
  • Monitor for suspicious activity: Organizations should monitor their networks and systems for suspicious activity, such as unusual login attempts or data access patterns. This can help detect and prevent attacks before they cause damage.
  • Verify requests for information or payments: Organizations should verify the authenticity of requests for information or payments, especially if they are received through email or other electronic channels. This can include verifying the identity of the sender, and confirming the request through a separate communication channel.
  • Stay up-to-date on threats and scams: Organizations should stay informed about current threats and scams related to tax season, and adjust their security measures as needed to protect against new threats.

For individuals, the steps to take to safeguard their data and money from threat actors include:

  • Being wary of unsolicited calls, emails, or messages: If you receive a call, email, or message from someone claiming to be from the IRS or another tax-related organization, be wary. Scammers often use these tactics to trick individuals into providing personal information or making payments.
  • Verifying the authenticity of requests: If you receive a request for personal information or payment, verify the authenticity of the request before providing any information or payment. This can include contacting the organization directly through a trusted communication channel, such as a phone number or email address listed on their official website.
  • Using security software: Install and use security software, such as anti-virus and anti-malware software, to protect against threats such as phishing attacks and malware infections.
  • Securing personal information: Store personal information, such as social security numbers and financial account information, securely. This can include using encryption or password protection for electronic files, and keeping physical documents in a locked cabinet or safe.
  • Filing taxes early: Filing taxes early can help prevent scammers from filing a fraudulent tax return using your personal information.
  • Staying informed: Stay informed about current tax season threats and scams, and be vigilant in protecting your personal information and finances.

Protect your organization this tax season with Flashpoint

Flashpoint gives you the threat intelligence needed to have visibility into threat actor groups, the risk apertures they seek to exploit, and the potentially serious threats they pose to organizations across both the public and private sectors, including tax fraud and other illicit activities that may ensue when credentials are compromised. Sign up for a free trial today to keep your organization’s assets, data, infrastructure, and personnel safe from threats.

Begin your free trial today.