Fraudulent Text Messages Impersonating The IRS

We at the University of Illinois Tax School want to make tax practitioners in our community aware of a nasty scam that is gaining in popularity. Perhaps you have already heard of it from your clients.

The IRS reports a dramatic rise in smishing attacks, a term describing text messages used to capture individuals’ private information illicitly. The messages appear among other SMS messages received by the individual but include IRS logos or additional information designed to deceive the recipient into thinking that the request for information came from the IRS. In fact, the IRS does not use text or email messages to initiate contact with taxpayers.

In that sense, the messages are not that different from phishing attacks that have been around longer. The use of email enables scam artists greater latitude in graphic design in their attempts to impersonate the IRS, but they find ways to include these images with text messages.

Just like phishing attempts, these attacks bait the unsuspecting recipients with information about tax credits, assistance with setting up an IRS online account, or even a feigned offer to obtain COVID relief.

Because the IRS does not initiate contacts through text or email messages, your tax clients should be skeptical of any text message they receive that appears to have originated with the IRS. You may wish to remind them that they should not click on links in text messages that originate with unrecognized sources or that pretend to originate with the IRS. Only links from a familiar contact with a URL using a recognized domain should be considered, and then only with extreme caution.

The Danger From Smishing Attempts

Smishing attempts are dangerous because of how they operate. Providing the appearance of a legitimate website, they collect information unsuspecting individuals enter. Thus, they trick individuals into voluntarily surrendering their names, addresses, social security numbers, and other personally identifiable information to criminals.

The scams may also place malicious software or malware on the individuals’ computers or cell phones. Like a high-tech version of the hollow wooden horse made by ancient Greeks to gain access to the protected city of Troy over 3,000 years ago, the criminals have now gained entry to devices on which sensitive information is almost certainly stored. They have accessed a treasure trove of information, probably without its owner being aware.

In some regard, smishing attacks represent the evolution of phishing attacks that have plagued PC-based emails for a long time. The IRS noticed a substantial increase in smishing attacks about two years ago. These attacks targeted taxpayers’ personal and financial information and were bold enough to request account numbers. Naturally, any links requesting this information should be avoided.

What Not To Do

The IRS has made it clear that it does not initiate contact with taxpayers via email or text message. It uses old-fashioned letters and nothing fancy, aware of the dangers posed by phishing and smishing attacks. The IRS keeps things as straightforward as possible by avoiding their use.

For this reason, no information should be provided to persons who might be impersonating the IRS. If a message appears from the IRS, a quick check of the domain from which it originated probably indicates it did not come from irs.gov. If you’re confident you can hover over a link without clicking on it, inspection almost certainly will display a different internet domain than irs.gov.

The most common means of infection are triggered when an individual clicks on a link. Because of this, individuals should be cautious about clicking on any link appearing in an email or text message. Unfortunately, avoiding links is not always sufficient to prevent the covert installation of malware. A new class of malware, known as zero-click malware, installs itself upon receipt by an individual — without requiring the recipient to click on a link. Although no attacks using zero-click malware appearing as IRS messages have been reported, individuals should be aware of the remote possibility, even as they avoid clicking on unknown links.

Similarly, phone calls should NOT be made to the phone number from which the messages were sent. Taxpayers should expect scammers to harvest their phone numbers if they call, thereby identifying themselves as fresh bait for subsequent smishing attempts. So absolutely no personally identifiable information should be provided to these sources.

The following video from the IRS is embedded to illustrate these points.

What To Do

Just as there are negative actions to avoid, there are positive actions that taxpayers should take. The IRS has outlined several steps to take if an individual receives a smishing attack, which we have listed below as a starting point for your clients.

1. 1. Create a new email to alert the IRS about the smishing attempt, addressing it to phishing@irs.gov.
   2. The message probably shows a phone number for caller ID. Your clients should copy and paste that number in the email to the IRS.
   3. The message’s image should be copied into email. Your iPhone-equipped clients can click the message (NOT any links) and hold it for a few seconds and a dialog box will open, giving them the option of copying the message. This should then be pasted into the email to the IRS.
   4. The IRS has requested that the taxpayer provide the date, time, time zone and telephone number that received the message.
   5. This message can then be sent to the IRS at phishing@irs.gov.

There are additional actions that taxpayers can take to defend themselves, even before a hazardous message lands in their inboxes. Like on personal computers, antivirus software is available for cell phones, and it may be a wise investment, depending on the websites an individual visits or the messages they receive. Other apps are available to identify and eliminate malware that may reside on an individual’s cell phone, no matter how vigilant they are. Some apps can even detect and intercept malicious messages and prevent access to malicious web sites.

Conclusion

While these protective steps may be a good approach for a first line of defense, perfect protection from malicious software should not be expected. In conjunction with protective software, your clients still need to be cautious of any link that appears in an email or text message. However, knowledge of the threat, and the damage to one’s reputation or finances that they can cause, are strong motivations for vigilant inspection of any message that appears to come from an unusual source, especially if the source does not send messages, like the IRS.

Near the main entrance to the National Archives in Washington, D.C., stands a statue of a strong man with a helmet, holding a shield, a sword, and a fasces. The statue bears the following inscription:

Eternal vigilance is the price of liberty.

This motto was coined initially long before the first malware appeared, back when the founders of our country were concerned with maintaining our liberty. While written about something else, it appears that this principle also applies to electronic communication, that liberty in using electronic devices also requires payment of eternal vigilance.

Sources:

IRS reports significant increase in texting scams; warns taxpayers to remain vigilant Sep. 28, 2022. IRS.

What is a Zero-Click Attack? Apr. 4, 2022. John Bogna.,PC Magazine. Accessed Oct. 19, 2022.

The National Archives’ larger-than-life statues. May 28, 2018. Jessie Kratz. National Archives History, News and Events.  Accessed Oct. 19, 2022.

By John W. Richmann, EA, MBA
Tax Materials Specialist, U of I Tax School