Scammers more likely to impersonate IRS than other agencies

When scammers want to impersonate a government agency in an email phishing scheme, they are most likely to use the IRS.

This is according to data from cybersecurity company Cloudflare, the company behind many of the tests that determine whether someone is human. About 20% of all websites use Cloudflare in some form or another. The company used the large amount of traffic data at its disposal to gain insights into the phishing domains most frequently clicked on by internet users.

In many types of phishing attacks, the scammer will open communications with a potential mark by claiming to be from a legitimate organization, and ask them to click an email link that will either take them to a website that pulls them deeper into the deception, or install malware on the victim's computer. These links will usually seem like they're coming from a legitimate organization, but with key misspellings meant to deceive, such as a lowercase 'l' in place of an 'I'. The links may also have a different domain, such as .com when it should be .org or .gov.

In terms of how often an entity is impersonated in such schemes, the IRS ranks No. 6 out of 50. While other government entities are also impersonated with some frequency, such as the National Police Agency of Japan, none of the others comes close to the IRS. The only entities, public or private, that ranked above the IRS were Meta (Facebook's parent company), DHL, Microsoft, PayPal and AT&T.

| Rank | Brand | Sample domain used to phish brand[1] |
|------|-------|--------------------------------------|
| 1 | AT&T Inc. | att-rsshelp[.]com |
| 2 | PayPal | paypal-opladen[.]be |
| 3 | Microsoft | login[.]microsoftonline.ccisystems[.]us |
| 4 | DHL | dhlinfos[.]link |
| 5 | Meta | facebookztv[.]com |
| 6 | Internal Revenue Service | irs-contact-payments[.]com |
| 7 | Verizon | loginnnaolcccom[.]weebly[.]com |
| 8 | Mitsubishi UFJ NICOS Co., Ltd. | cufjaj[.]id |
| 9 | Adobe | adobe-pdf-sick-alley[.]surge[.]sh |
| 10 | Amazon | login-amazon-account[.]com |
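The lookalike patterns described above (a brand name placed on someone else's domain, a swapped character, a wrong top-level domain) can be checked mechanically before a link is trusted. The following Python sketch is an added example, not Cloudflare's method or code from the article; the brand-to-domain allowlist, the character-folding table and the two-label domain rule are assumptions made for illustration.

```python
import re

# Assumed allowlist (not from the article): brand keyword -> official registrable domain.
OFFICIAL = {"irs": "irs.gov", "paypal": "paypal.com", "microsoft": "microsoft.com",
            "dhl": "dhl.com", "facebook": "facebook.com", "amazon": "amazon.com"}
BY_DOMAIN = {domain: brand for brand, domain in OFFICIAL.items()}

# Fold characters that are commonly swapped for look-alikes into one canonical form.
CONFUSABLES = str.maketrans({"1": "l", "i": "l", "0": "o", "5": "s"})


def refang(host):
    """Turn a defanged indicator such as 'irs[.]gov' back into a plain lowercase hostname."""
    return host.strip().lower().replace("[.]", ".").rstrip(".")


def registrable(host):
    """Simplification: last two labels. Production code should consult the Public Suffix List."""
    return ".".join(host.split(".")[-2:])


def check(host):
    """Return (verdict, brand) for one hostname."""
    host = refang(host)
    reg = registrable(host)
    if reg in BY_DOMAIN:
        return ("official", BY_DOMAIN[reg])
    name, _, tld = reg.rpartition(".")
    tokens = re.split(r"[.-]", host)
    folded = [t.translate(CONFUSABLES) for t in tokens]
    for brand, official in OFFICIAL.items():
        off_name, _, off_tld = official.rpartition(".")
        if name == off_name and tld != off_tld:
            return ("tld-swap", brand)        # e.g. .com where .gov is expected
        if any(t.startswith(brand) for t in tokens):
            return ("brand-keyword", brand)   # brand name on someone else's domain
        if any(t.startswith(brand.translate(CONFUSABLES)) for t in folded):
            return ("homoglyph", brand)       # look-alike character substitution
    return ("no-match", None)


if __name__ == "__main__":
    # First two hosts are sample domains from the article's table; the rest are constructed.
    for h in ["irs-contact-payments[.]com", "login[.]microsoftonline.ccisystems[.]us",
              "paypal[.]example", "lrs-refund[.]example", "www.irs.gov"]:
        print(h, check(h))
```

A "no-match" verdict only means the host resembles none of the listed brands; it is not evidence that the host is safe.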

"Phishing attacks prey on our trust in the brands we love and use every day, and are becoming more difficult to spot for even the most digitally-savvy person," said Matthew Prince, co-founder and CEO, Cloudflare, in a statement. "Our sanity, bank accounts and passwords shouldn't be compromised because we glossed over a misspelled 'from' field or accidentally clicked on an obscure URL. We've extended our Zero Trust services with real-time protection against new phishing sites, so our customers won't fall victim to attacks leveraging the brands they trust."

Another group well aware of how often scammers impersonate the IRS is the IRS itself, which frequently warns taxpayers about new threats. Most recently it warned of a new scheme circulating on social media that encourages people to use tax software to manually fill out Form W-2, Wage and Tax Statement, and include false income information. In this W-2 scheme, scam artists suggest people make up large income and withholding figures as well as the employer it is coming from. Scam artists then instruct people to file the bogus tax return electronically in hopes of getting a substantial refund — sometimes as much as five figures — due to the large amount of withholding.

One variation involves people using Form 7202, Credits for Sick Leave and Family Leave for Certain Self-Employed Individuals, to claim a credit based on income earned as an employee and not as a self-employed individual. These credits were available for self-employed individuals for 2020 and 2021 during the pandemic; they are not available for 2022 tax returns.

A similar variation involves people making up fictional employees employed in their household and using Schedule H (Form 1040), Household Employment Taxes, to try to claim a refund based on false sick and family wages they never paid. The form is designed to report household employment taxes if a taxpayer hired someone to do household work and those wages were subject to Social Security, Medicare or FUTA taxes, or if the employer withheld federal income tax from those wages.
