
Huge increase in smishing scams, warns IRS

The Internal Revenue Service (IRS) has issued a warning for taxpayers about a recent increase in IRS-themed smishing scams aimed at stealing personal and financial information.

Smishing is short for SMS phishing, where the phishes are sent via text message. The IRS has identified and reported thousands of fraudulent domains tied to multiple smishing scams targeting taxpayers.

Not the IRS

The most prevalent campaigns the IRS is warning about are scam messages that look like they’re coming from the IRS. These messages offer lures like fake COVID relief, tax credits, or help setting up an IRS online account.

In the latest campaign the IRS has seen, the scam texts ask taxpayers to click a link that leads them to phishing websites. Typically these websites are set up to collect the visitor’s information, but they could potentially also send malicious code to the visitor’s phone.

Industrial scale

This type of smishing is by no means new, but what prompted the warning is the scale of the campaigns. IRS Commissioner Chuck Rettig called it phishing on an industrial scale.

“In recent months, the IRS has reported multiple large-scale smishing campaigns that have delivered thousands – and even hundreds of thousands – of IRS-themed messages in hours or a few days, far exceeding previous levels of activity.”

How to avoid falling for a smishing scam

We can’t stop smishing completely, but we can take some steps to significantly reduce the chance of falling victim:

  • Firstly, it’s important to keep in mind that the IRS does not send emails or texts asking for personal or financial information or account numbers.
  • If a message sounds too good to be true, it probably is. Having said that, many smishing messages sound totally innocent and aren’t trying too hard to bribe or threaten, so don’t assume any message from services or organizations is the real deal.
  • If you’re being asked to do something, like enter your details, transfer money, or similar, the very best thing you can do is contact the ‘sender’ directly via a known method you trust. If it turns out to be a phish, you should be able to report it there and then.
  • Those living somewhere with Do Not Call lists or spam reporting services should make full use of them. Scam SMS/text messages can also be copied and forwarded to wireless providers via text to 7726 (SPAM), which helps the provider spot and block similar messages in the future.
  • Never click links, and don’t enter personal information on any website if you do accidentally click through. Avoid replying to the scam SMS too. Doing so confirms you exist and may make it more likely for you to receive more messages.
  • Report, block, and move on.

Forward to IRS

The IRS asks that you forward any smishing or other phishing scams using the following process:

  • Create a new email to phishing@irs.gov.
  • Copy the phish caller ID number (or email address).
  • Paste the number (or email address) into the email.
  • Press and hold the SMS/text message and select “copy”.
  • Paste the message into the email.
  • If possible, include the exact date, time, time zone and telephone number that received the message.
  • Send the email to phishing@irs.gov.

All incidents, successful and attempted, should also be reported to the Internet Crime Complaint Center.

Anyone who has entered personal information, or otherwise finds themselves a victim of tax-related scams, can find additional resources at Identity Theft Central on IRS.gov.

ABOUT THE AUTHOR

Pieter Arntz

Malware Intelligence Researcher

Was a Microsoft MVP in consumer security for 12 years running. Can speak four languages. Smells of rich mahogany and leather-bound books.