MailGuard 23 April 2021 11:48:55 AEST 11 MIN READ

The U.S. tax season has begun — and so has hunting season for scammers. Watch out for these 3 types of email scams.

The tax season has always been a busy one for scammers, but the ongoing uncertainty triggered by COVID-19 last year enabled them to augment their attacks and take further advantage of the fragile mental state of taxpayers and professionals – essentially, presenting scammers with an opportunity to use an enhanced sort of psychological warfare.

In a special alert issued in 2020, the U.S. Internal Revenue Service (IRS) collated a list of ‘Dirty Dozen’ tax scams targeting Americans with a special emphasis on aggressive and evolving schemes related to COVID-19 tax relief, including Economic Impact Payments. Most of these involve identity theft, according to tax experts. In such cases, fraudsters attempt to steal personal information to file a fake tax return and collect victims’ tax refunds. Identity theft was, in fact, the most reported type of fraud in 2020. More than 89,000 Americans filed a complaint with the Federal Trade Commission (FTC) last year, reporting tax fraud linked to identity theft.  

This year, cybercriminals are continuing to use lures related to the pandemic to trick taxpayers. These include the COVID-19 relief fund, the sale of fake at-home test kits, tracking apps, bogus opportunities to invest in companies involved in the development of vaccines, and more. However, with the U.S. Treasury Department and the IRS extending the federal income tax filing due date for the 2020 tax year from April to May, cybercriminals launching tax-related scams have more time to scam taxpayers – making it more vital for businesses and individuals to take proactive measures to keep themselves protected. 

In the list below, we outline three types of tax scams identified by the IRS and other tax-related authorities that are currently targeting Americans. Share these examples with your teams to raise their awareness about the type of scams that are proliferating this tax season, and how they work.  

1) The EFIN scam email impersonating the IRS 

In February, the IRS, state tax agencies and the local tax industry warned tax professionals of a scam email impersonating the IRS and attempting to steal users’ Electronic Filing Identification Numbers (EFINs). 

The malicious email purports to be from "IRS Tax E-Filing" and carries the subject line "Verifying your EFIN before e-filing." Here’s what the email body says: 

IRS scam_1

Source: The U.S. Internal Revenue Service 

“Like all phishing email scams, it attempts to bait the receiver to take action (opening a link or attachment) with a consequence for failing to do so (disabling the account). The links or attachment may be set up to steal information or to download malware onto the tax professional's computer,” the IRS stated. 

“In this case, the tax preparers are being asked to email documents that would disclose their identities and EFINs to the thieves. The thieves can use this information to file fraudulent returns by impersonating the tax professional.” 

The scam serves as a reminder that tax professionals are among the prime targets of scammers looking to commit identity theft. These thieves try to steal client data and tax preparers' identities that will allow them to file fraudulent tax returns for refunds. 

"Phishing scams are the most common tool used by identity thieves to trick tax professionals into disclosing sensitive information, and we often see increased activity during filing season," said IRS Commissioner Chuck Rettig. "Tax professionals must remain vigilant. The scammers are very active and very creative." 

To stay protected, it’s key to remember that the IRS doesn't initiate contact with taxpayers by email, text messages or social media channels to request personal or financial information. This includes requests for PIN numbers, passwords or similar access information for credit cards, banks or other financial accounts. 

“The IRS also doesn't call to demand immediate payment using a specific payment method such as a prepaid debit card, gift card or wire transfer. Generally, the IRS will first mail a bill to any taxpayer who owes taxes”. 

Recipients of this email scam are advised to save the email as a file and then send it as an attachment to Additionally, they should notify the Treasury Inspector General for Tax Administration at  to report the IRS impersonation scam. 

Cybercriminals often impersonate official government bodies and well-known brands due to their large user base and the trust invested in their identity. Here at MailGuard, our team has intercepted similar emails in the past purporting to be from the IRS, like this one alerting readers that they’re eligible for a tax refund in the hope of stealing sensitive personal information: 

MG IRS Scam_2

While this email uses several social engineering techniques to prompt a rapid response from readers, the plain-text nature of its body is relatively simple. Many other emails that MailGuard has intercepted employ high-quality images and sophisticated formatting identical to the government bodies and brands they are impersonating. Here’s an example of one we intercepted more recently, impersonating Australian government services portal, myGov.  

2) COVID-19 themed tax scams  

It sounds very 2020, but COVID-19 themed scams are continuing to proliferate. As Americans begin to file their tax returns this year, reports are rife of cybercriminals using the latest news and developments around the pandemic to trick users.  

“Taxpayers should look out for calls and email phishing attempts about the coronavirus or COVID-19, such as the sale of fake at-home COVID-19 test kits, fake donations and bogus opportunities to invest in companies developing COVID-19 vaccines,” stated a recent alert from the U.S. Attorney’s Office

“These scams are particularly insidious because they manipulate and capitalize on victims’ fears and vulnerabilities in order to turn a profit.  We are best able to prevent and limit the damage caused by fraudsters when victims exercise diligence and follow their gut instincts.  If something sounds too good to be true, or strikes you as strange or unusual, listen to your gut, and contact a legitimate government agency to verify whatever information you have been given,” said Assistant United States Attorney Gwendolyn Carroll.    

One particular COVID-19 themed tax scam that was reported this year was a malicious email impersonating Joe Simons, the chairman of the FTC. Claiming the recipient is getting COVID-19 relief money, the email includes a fake certificate to make users think the money is real. Here’s a screenshot of the certificate: 

IRS scam_2

Source: The Federal Trade Commission

If recipients reply to the email, they are told they must pay taxes before they get their money. This may include a fake letter from the IRS, like this one, to convince users: 

IRS scam_3

Source: The Federal Trade Commission

The scam involves a few more steps (including the issuance of a fake remittance order showing that the money is on the way to the recipient’s bank account), but ultimately, the money never shows up. 

“The FTC is not involved in distributing coronavirus economic stimulus money in any way. Economic stimulus payments come from the IRS. The IRS won’t contact you by phone, email, text message, or social media with information about any payments related to the coronavirus pandemic, or to ask you for personal or financial information. Check out for the latest info about coronavirus relief payments,” the FTC alert on the scam stated. 

“If you get an email that says you’re getting some money, don’t reply, period. And definitely don’t give them your bank account or other financial information. Report it to the FTC at” 

As mentioned above, COVID-19 themed tax scams are dangerous, not only because they attempt to manipulate users already suffering from financial turmoil and difficulties triggered by the COVID-19 pandemic, but because, like the measures they exploit, they are new and constantly evolving. Criminals are, in fact, closely watching government announcements and are changing their scams within hours to reflect the latest information being issued – information that may not yet be familiar to users and/or businesses, such as that related to financial support, making it harder to discern whether that information is legitimate or not.  

At MailGuard, we intercepted a similar scam email, that used the guise of a “COVID-19 relief payment” to deliver malicious links. Here’s what it looked like: 

MG IRS Scam_3

3) Phishing email scams targeting educational institutions

This email scam is quite a targeted one. The IRS reported receiving complaints this year of a phishing email that appears to primarily target educational institutions, specifically, those users with .edu email addresses. The scam uses tax refund payment baits and mainly focus on universities' staff and students from both public and private, for-profit and not-for-profit institutions.  

The suspect emails display the IRS logo and use various subject lines like "Tax Refund Payment" or "Recalculation of your tax refund payment”.  It asks people to click a link and submit a form to claim their refund. 

The phishing website requests taxpayers provide their: 

  • Social Security number 
  • First Name 
  • Last Name 
  • Date of Birth 
  • Prior Year Annual Gross Income (AGI) 
  • Driver's License Number 
  • Current Address 
  • City 
  • State/U.S. Territory 
  • ZIP Code/Postal Code 
  • Electronic Filing PIN 

As you can see above, this phishing email scam attempts to steal a wide variety of personal information from unsuspecting recipients – information that can enable cybercriminals to steal their victims’ identity, resulting in devastating consequences. This scam is also particularly insidious as it targets college students, i.e. taxpayers who may be especially vulnerable to IRS impersonation scams because they may be filing a tax return for the first time. 

The IRS advises recipients of these phishing emails not to click on any of the links embedded within them, and forward the emails (as file attachments) to .  

Staying protected 

There are, of course, many other types of tax-related scams that proliferate not only this season, but, like the IRS warns, all-year-round. The trick to avoiding becoming a victim of these scams is knowing how the IRS communicates with taxpayers. 

Practicing good cybersecurity hygiene is also key, and this includes enhancing your business email security to keep your employees and customers safe from malicious tax-related emails that may be infiltrating their personal and professional inboxes. As you can see from the examples above, emails are a popular attack vector among cybercriminals looking to trick users, including tax professionals who are custodians of valuable personal data belonging to their clients. In fact, nine of out 10 cyber-attacks are delivered by email, even when most businesses have an email security solution in place. One innocent click on a malicious email by an unsuspecting employee is enough for cybercriminals to steal valuable data and not only commit identity theft, but also breach networks and systems. It is imperative for businesses to consistently review their email security strategies to ensure they’re doing all they can to stay safe.  

If you are using Microsoft 365 or G Suite, you should also have third-party solutions in place to mitigate your risk. For example, using a third-party specialist cloud email security solution like MailGuard 365 to complement Microsoft 365. With evidence-based reporting that shows the threats evading your existing defenses, take a free Microsoft 365 email security health check to discover the gaps in your current email security strategy. For more information on how MailGuard 365 can enhance your business email security, reach out to our team at

Tax season is hunting season for scammers, but by taking proactive action and remaining vigilant, you and your business can avoid falling prey.  

What other type of tax-related email scams have you seen this tax season? Share with us below.