Almost half of people polled by McAfee say they or someone they know has received a text or phone call from a scammer pretending to be from the IRS or a state tax agency.
# Best Practices: Tax Scam Prevention (2025 Focus)
## Overview
These practices address the security risks associated with tax-related scams, focusing on how individuals and organizations can protect sensitive financial and personal data from phishing attempts, fraudulent communications, and identity theft, especially during filing seasons, with particular attention to the 2025 filing season.
## Key Recommendations
### Immediate Actions
1. **Never click links in unsolicited communications:** Refuse to click on links embedded in emails, text messages, or other notifications claiming to be from tax authorities (like the IRS) or related agencies.
2. **Verify official contact directly:** If you receive a suspicious communication, do not reply. Instead, independently navigate to the official tax agency website (e.g., IRS website) or call their verified contact number to confirm legitimacy.
3. **Use AI-enabled security tools proactively:** Deploy security software utilizing the latest AI capabilities designed to detect and block scam calls and texts before they reach the user.
### Short-term Improvements (1-3 months)
1. **Strengthen email/SMS vigilance:** Conduct immediate awareness training for all users on identifying common social engineering tactics used in tax scams (e.g., threats of immediate legal action, demands for unusual payment methods).
2. **Implement privacy-enhancing network settings:** For mobile users, enable security features like Private DNS Mode on Android devices (DNS over TLS), which encrypts DNS queries so they cannot be read or tampered with on the local network, resisting the DNS spoofing sometimes used to redirect victims to phishing sites.
3. **Ensure Antivirus/Anti-malware protection:** Verify that all personal and organizational endpoints have up-to-date, highly-rated antivirus software installed and active.
### Long-term Strategy (3+ months)
1. **Establish robust password management:** Mandate or strongly encourage the use of business-grade password managers to generate and store unique, complex credentials for all financial and personal accounts.
2. **Review and secure remote access:** Implement or audit Virtual Private Network (VPN) usage, ensuring all connections to sensitive systems utilize strong encryption protocols (e.g., considering VPN routers for perimeter security).
3. **Implement comprehensive data hygiene:** Execute processes for identifying and removing unnecessary personal data from public-facing platforms and data brokers to reduce exposure surfaces targeted by scammers compiling victim profiles.
## Implementation Guidance
### For Small Organizations
- **Focus on endpoint security:** Ensure every device accessing tax or financial information has robust, centrally managed antivirus/anti-malware software installed.
- **Mandatory basic training:** Implement mandatory, brief training sessions quarterly focusing strictly on recognizing tax-related phishing emails and the official verification procedure.
- **Adopt a central password manager:** Select and deploy an affordable password manager solution enterprise-wide to enforce strong credentials by default.
### For Medium Organizations
- **Enhance communication filtering:** Deploy advanced email filtering solutions capable of analyzing sender reputation and content anomalies characteristic of targeted social engineering attacks.
- **Develop incident reporting workflows:** Establish clear, rehearsed procedures for employees to report suspected tax-related phishing attempts immediately.
- **Invest in specialized security tools:** Evaluate and implement AI-driven tools designed specifically for detecting communication-based threats (calls, SMS, and email).
### For Large Enterprises
- **Integrate threat intelligence feeds:** Subscribe to tax-specific threat intelligence to proactively block known malicious domains or sender IPs associated with current scams.
- **Formalize security frameworks:** Align security policies related to communication handling and data protection with established frameworks (e.g., NIST CSF).
- **Deploy multi-factor authentication (MFA) universally:** Ensure MFA is strictly enforced across all access points, particularly for tax filing portals, internal finance systems, and remote access solutions.
## Configuration Examples
*While specific configuration scripts were not provided, the principles suggest:*
* **Email Gateway Configuration:** Publish DKIM signing and a strict DMARC policy (quarantine or reject) for your own domains, and configure inbound filters to quarantine externally originating mail that uses internal company names or mimics urgent IRS/tax-authority language.
* **Mobile Security Configuration (Android Focus):** Guide users to navigate device settings and enable **Private DNS Mode** by setting the provider to a secure, trusted option (e.g., Cloudflare or Google DNS).
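To make the email-gateway rule concrete, here is an added example (not from the original report or from McAfee) of the quarantine logic as a small Python filter: it reads the gateway's DMARC verdict from Authentication-Results, flags senders whose display name mimics the company or a tax authority, and flags urgent tax-scam wording. The internal domain, company names and sample messages are assumed placeholders.

```python
import re
from email import message_from_string
from email.utils import parseaddr

# Assumed organisation values (placeholders, not taken from the page). Whole-word
# matches so that a display name like "First Bank" does not trigger on "irs".
INTERNAL_DOMAINS = {"example.com"}
INTERNAL_NAME_RE = r"\b(example corp|example finance)\b"
AUTHORITY_RE = r"\b(irs|internal revenue service|tax agency)\b"
URGENT_TAX_PATTERNS = [r"immediate(ly)? (legal )?action", r"arrest", r"warrant", r"gift card",
                       r"wire transfer", r"within 24 hours", r"refund .{0,40}(confirm|verify)"]

def classify(raw):
    """Return ('quarantine', reasons) or ('deliver', []) for one raw message."""
    msg = message_from_string(raw)
    display, addr = parseaddr(msg.get("From", ""))
    domain = addr.rsplit("@", 1)[-1].lower()
    m = re.search(r"dmarc=(\w+)", msg.get("Authentication-Results", ""), re.I)
    dmarc = m.group(1).lower() if m else "none"   # verdict stamped by the gateway
    reasons = []
    if domain in INTERNAL_DOMAINS and dmarc == "pass":
        return "deliver", reasons   # authenticated internal mail is not filtered here
    # Own domain without a DMARC pass, or any domain failing DMARC: treat as external origin.
    if dmarc == "fail" or domain in INTERNAL_DOMAINS:
        reasons.append(f"From domain {domain} not authenticated (dmarc={dmarc})")
    name = display.lower()
    if re.search(INTERNAL_NAME_RE, name):
        reasons.append("external sender using internal company name")
    if re.search(AUTHORITY_RE, name):
        reasons.append("external sender impersonating a tax authority")
    body = msg.get_payload() if not msg.is_multipart() else ""
    text = (msg.get("Subject", "") + " " + body).lower()
    hits = [p for p in URGENT_TAX_PATTERNS if re.search(p, text)]
    if hits:
        reasons.append("urgent tax-scam language: " + "; ".join(hits))
    return ("quarantine", reasons) if reasons else ("deliver", reasons)

# Constructed sample messages (not real traffic), with headers as a gateway would see them.
SAMPLES = {
    "irs_spoof": "From: IRS Refund Department <refunds@irs-notice.example>\n"
                 "Authentication-Results: mx; dmarc=pass header.from=irs-notice.example\n"
                 "Subject: Final notice: confirm your refund within 24 hours\n\n"
                 "Your refund is on hold. Confirm now or face immediate legal action.\n",
    "internal_spoof": "From: Example Finance <payroll@example.com>\n"
                      "Authentication-Results: mx; dmarc=fail header.from=example.com\n"
                      "Subject: Update your direct deposit before filing\n\nReply with bank details.\n",
    "vendor_ok": "From: Acme Supplies <billing@acme-supplies.example>\n"
                 "Authentication-Results: mx; dmarc=pass header.from=acme-supplies.example\n"
                 "Subject: Invoice 1042 for March\n\nPayment is due in 30 days.\n",
}
```

The first sample passes DMARC because the sender controls its own look-alike domain, so the authentication check only protects domains that publish a policy; the display-name and wording rules are what catch that message.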
## Compliance Alignment
The described practices align with foundational controls across major regulatory and security standards, particularly those focused on communications security and identity protection:
- **NIST Cybersecurity Framework (CSF):** Protect (PR) and Detect (DE) functions, especially regarding identity management and data integrity.
- **ISO/IEC 27001:** Clause A.13 (Communications Security) and A.18 (Compliance).
- **CIS Critical Security Controls (Controls 4, 6, & 13):** Focusing on Audit Log Management, Account Management, and Data Protection.
## Common Pitfalls to Avoid
1. **Assuming legitimacy based on branding:** Falling for tactics that spoof official government logos or use official-sounding language in emails/texts.
2. **Using the provided contact information:** Relying on phone numbers or links embedded in the suspicious communication rather than independently looking up verified contact details.
3. **Neglecting endpoint protection:** Assuming strong network perimeter defenses are sufficient when the attack vector is the individual user endpoint (phone/laptop).
4. **Inadequate training frequency:** Only training staff once a year; tax scams evolve rapidly and require regular reinforcement.
## Resources
- Official Federal Tax Authority Website (e.g., [IRS website](https://www.irs.gov/))
- Official State Tax Agency Directories (guidance for state government websites)
- Information on advanced security tools like quality VPN services and antivirus software.
- Documentation on enabling mobile privacy features like Private DNS Mode.