Almost half of people polled by McAfee say they or someone they know has received a text or phone call from a scammer pretending to be from the IRS or a state tax agency.
Analysis Summary
# Best Practices: Protecting Against Tax Scams
## Overview
These practices address the growing sophistication of tax-related scams (phishing, spoofing, social engineering) targeting individuals, focusing on verification, vigilance, and technical safeguards to prevent financial loss and identity theft related to tax season communications.
## Key Recommendations
### Immediate Actions
1. **Verify Contact Directly via Official Channels:** Never trust contact information provided within unexpected tax-related communications (email, text, or call). Immediately navigate directly to the official IRS website (`irs.gov`) or the relevant state tax agency website to verify any claims or requests independently.
2. **Refuse Requests for Immediate Payment via Non-Standard Methods:** Treat any demand for immediate payment via unconventional methods (e.g., gift cards, cryptocurrency, wire transfers) as fraudulent; the IRS and state tax agencies do not demand payment this way.
3. **Do Not Click Links in Suspicious Messages:** Explicitly avoid clicking any hyperlinks embedded in unsolicited emails or texts claiming to be from tax authorities; these links likely lead to fraudulent copycat websites designed for credential harvesting.
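The link-verification rule above (and the "type the address yourself" advice later in this summary) can be turned into a small triage check. This is an added example, not code from the original article or from McAfee; it assumes `irs.gov` as the only official domain (extend the set with your state agency's domain) and uses a constructed sample message with a `.example` placeholder host.

```python
"""Triage links in a tax-themed message: does each one really point at an official
tax-agency site, or at a copycat? Added example, not from the original article."""
import ipaddress
import re
from urllib.parse import urlsplit

# Registrable domains a legitimate tax message may link to. Assumption: only irs.gov
# (from the article); add your state agency's domain as needed.
OFFICIAL_DOMAINS = {"irs.gov"}

# Finds "https://..." and "www...." style links; bare "irs.gov" text is not matched.
URL_RE = re.compile(r"(?:https?://|www\.)[^\s<>\"')]+", re.IGNORECASE)


def classify_link(url: str) -> tuple[str, list[str]]:
    """Return ("official", []) or ("suspicious", [reasons...]) for one URL."""
    reasons = []
    if "://" not in url:               # "www.irs.gov/..." style links
        url = "https://" + url
    parts = urlsplit(url)
    host = (parts.hostname or "").rstrip(".").lower()
    if parts.scheme != "https":
        reasons.append("not https")
    if parts.username is not None:     # https://irs.gov@evil.example/ trick
        reasons.append("user@host trick hides the real host")
    try:
        ipaddress.ip_address(host)
        reasons.append("raw IP address instead of a domain")
    except ValueError:
        pass
    if any(label.startswith("xn--") for label in host.split(".")):
        reasons.append("punycode host (possible look-alike characters)")
    # "irs.gov.refund-verify.example" fails here: only the registrable domain counts.
    if not any(host == d or host.endswith("." + d) for d in OFFICIAL_DOMAINS):
        reasons.append(f"host {host!r} is not an official tax domain")
    return ("suspicious" if reasons else "official", reasons)


def scan_message(text: str) -> list[tuple[str, str, list[str]]]:
    """Classify every link found in a message body: (url, verdict, reasons)."""
    return [(u, *classify_link(u)) for u in URL_RE.findall(text)]


SAMPLE_SMS = (  # constructed example text, not a real scam message
    "IRS: Your refund of $1,240 is on hold. Confirm at "
    "https://irs.gov.refund-verify.example/claim within 24h. "
    "Official info: https://www.irs.gov/refunds"
)

if __name__ == "__main__":
    for url, verdict, why in scan_message(SAMPLE_SMS):
        print(verdict, url, "; ".join(why))
```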
### Short-term Improvements (1-3 months)
1. **Implement Multi-Factor Authentication (MFA):** Enable MFA on all critical personal and financial accounts, especially those related to tax filing access, online banking, and contact methods associated with government services.
2. **Install and Maintain Endpoint Security:** Ensure all devices (computers and mobile phones) used for sensitive activities have up-to-date antivirus/anti-malware software installed and configured for regular scanning.
3. **Enable Privacy Features on Mobile Devices (Android Focus):** If using Android, configure and activate Private DNS Mode so that DNS queries are encrypted in transit, which prevents an on-path attacker from reading or tampering with name lookups and redirecting traffic to phishing sites.
### Long-term Strategy (3+ months)
1. **Deploy AI-Enabled Security Tools:** Investigate and integrate security programs that use AI capabilities specifically designed to detect and filter sophisticated scam calls and texts *before* they reach the user.
2. **Conduct User Awareness Training:** Establish regular training sessions for employees (if applicable) and family members focusing on identifying the latest social engineering tactics used in tax scams, emphasizing phishing indicators and verification protocols.
3. **Regularly Review Digital Footprint:** Periodically review personal privacy settings across online services to limit the accessible data attackers can use for personalization (spear-phishing) in tax-related communications.
## Implementation Guidance
### For Small Organizations
- **Focus on Basic Communication Hygiene:** Mandate a strict "never click links from unsolicited sources" policy. Use personal examples during team meetings to illustrate current threat vectors.
- **Standardize MFA:** Make MFA mandatory for critical shared email accounts, any cloud service used for financial document storage, and the password manager that protects those credentials.
### For Medium Organizations
- **Internal Phishing Simulations:** Begin running simulated phishing exercises specifically tailored around tax-related urgency to test employee readiness.
- **Integrate Security Software:** Select and deploy antivirus/anti-malware solutions across all endpoints, ensuring centralized management for patch verification and signature updates.
### For Large Enterprises
- **Integrate AI Security Solutions:** Implement enterprise-grade security tools capable of advanced threat intelligence on communication channels (email gateways, SMS security) specifically targeting government-impersonation tactics.
- **Formalize Reporting Channels:** Establish a clear, mandatory internal protocol for employees to immediately report suspicious tax-related communications to the IT/Security team for analysis and dissemination of warnings.
## Configuration Examples
*Note: The source material did not provide specific configuration commands, but the following guidance reflects the actions described.*
**Action:** Activate Private DNS Mode (Android Example)
**Guidance:** Search device settings for "Private DNS," select the hostname option, and enter the hostname of a reliable, secure DNS provider (e.g., `dns.google` or a security-focused provider) rather than leaving it set to "Automatic" or "Off." Android's Private DNS mode encrypts lookups with DNS over TLS, so the provider must support it.
## Compliance Alignment
While the primary focus is individual security against fraud, these practices align loosely with foundational concepts from:
- **NIST SP 800-50 (Building Information Security Awareness):** Directly aligns with training and user vigilance components.
- **ISO/IEC 27001 (A.7.2.2 Information Security Awareness, Education and Training):** Emphasizes ensuring personnel are aware of security threats relevant to their roles/activities.
- **CIS Critical Security Controls (Control 14: Security Awareness and Skills Training):** Focuses on continuous training to counter evolving social engineering threats.
## Common Pitfalls to Avoid
1. **Believing Urgency:** Do not rush decisions based on threats of immediate arrest or financial action delivered via email or phone call. Real government agencies adhere to clear due process.
2. **Trusting Caller ID/Sender Address:** Do not trust sender addresses or caller IDs, as these are easily spoofed methods frequently utilized in these scams. Always verify using independent, manually entered official contact information.
3. **Using Links in Suspicious Messages:** Never use provided links for tax verification. Assume all links in unsolicited messages purporting to be from tax authorities are malicious.
## Resources
- **Official IRS Website for Verification:** Use `irs.gov` (type this address directly into the browser).
- **State Tax Agencies:** Refer to the relevant state government website for local tax verification.
- **AI Security Solutions:** Investigate vendors offering AI-enhanced anti-phishing and anti-spoofing technologies.