"400% Surge In Phishing Attacks This Tax Season" Says The IRS*


The bad guys are in full force this tax season. With so many people doing their taxes online this year, the phishing community is out to snag as many victims as possible.

Even if you don't do your taxes online, the phishers still trick lots of people into entering sensitive tax information that can lead to theft, ransomeware hijacks, identity theft, or worse.

What Is Phishing?

"Phishing" is when you get an email that looks legitimate, but asks you to click a link and enter sensitive information that the bad guys can use to steal information from you.

Typical phishing scams say something like, "Your bank account may have been compromised. Click here to verify your account, etc." The link will then take you to a page that looks exactly like your bank's website, but isn't. Many people are lured into entering their bank login information, and that's when the bad guys have you.

Have a look at this email:


Looks official, right? It's not.

Clicking that link would take you to a site that looks just like the real Bank of America site and ask you for your login. Now the bad guys have full access to your bank account.

During tax season, the range of phishing possibilities are even more vast than this, making it even harder for the average person to detect what's real and what isn't.

Here's a tricky one the folks at TurboTax are warning their customers about:



Can you spot the fake one?

It's the first one. Don't worry, I couldn't either. And that's the point. Despite your best efforts, you still might be a target of phishing attacks this tax season.

How To Protect Yourself

Here are some good tips to avoid phishing scams:

  • Don't open any emails, or click on any links, from an email address you don't know.

  • If you get a message that looks official from your bank, don't click on the links within the email. Instead, go to your browser and login to your bank account the way you normally would. If your bank actually has something urgent for you to attend to, then there will be a notification waiting for you in your real bank account.
    • Still not sure? You can always call up your bank and ask them if they sent you an email.

  • If you've filed your taxes online, or used any kind of tax preparation software, and you get asked for any kind of "password recovery" or something along those lines, go and login to your tax account the way you normally would and check if things are OK. 
    • The most obvious thing to ask yourself is, "Did I request this information?" You probably didn't, so don't risk clicking it.

  • Same goes for anything "official" from he IRS. If the IRS really needs to contact you, they generally do it the old-fashioned way: with paper mail. So, if you get an email from the IRS, make sure it has some kind of information identifying you first. Plus, you can always call them to make sure they really need something from you. Chances are, if they do, they've already sent you something in the mail.

  • If you do accidentally click, all is not lost. At this point, you need to stop and pay close attention to the URL in your browser. The URL should be from whichever company/agency is trying to contact you.

    • Let's examine a few examples: www.password-reset.irs.gov.rq345.com/IRS-Tax. It almost looks legitimate, doesn't it? How do we know it's not really from the the IRS? An IRS URL looks like this: https://www.irs.gov/uac/IRS-Tax-Tips. "irs.gov" is the last part of the URL before a "/". In the fake example above, the URL ends in "irs.gov.rq345.com" before the "/". "rq345.com" is not the IRS website.

    • How about this one: https://myturbotax.axklomix.com/. I've never heard of "axklomix.com" have you? Here's what a real TurboTax URL looks like: https://myturbotax.intuit.com/. "intuit.com" are the people that make TurboTax, so that's where you would access TurboTax if that's how you're filing your taxes.

  • Your final line of defense comes in only one form: antiphishing protection. Antiphishing protection is built-in to some antivirus programs and most Internet Security suites. It works like this: if you do accidentally click a phishing link from your email, your antivirus software should kick in, identify the phishing link, then block you from viewing the site (to prevent you from accidentally giving them any sensitive information).

During our rounds of testing, the top three Internet Security suites that scored a perfect 100% in blocking every phishing site we threw at them where:

VIPRE Internet Security 2016


We particularly like that VIPRE completely blocks the site keeping you away from danger.

ESET Smart Security 9


While ESET scored a perfect 100% in our tests as well, we'd like to see them remove the "Ignore Threat" option to prevent accidental damage.

BitDefender Internet Security 2016


BitDefender scored a perfect 100% as well, but again, we'd like to see them completely block the page with no option to continue.

All other brands we tested scored 90% or below.

In the end, being diligent and alert when it comes to phishing attempts is your best line of defense. But despite your best diligence, there's always going to be that one that slips past you. That's when you need to make sure you've got the best Internet Security protection available with the best anti-phishing protection built-in.

Here are our top three recommendations for excellent protection against tax-season phishing this year:

VIPRE Internet Security 2016

ESET Smart Security 9

BitDefender Internet Security 2016

Even if you already have antivirus or Internet Security software installed, it might be time to make a change now. A few dollars spent could save you hundreds or even thousands from an accidental phishing click later on.