Nothing is certain except death and taxes—and phishing scams every tax season. "Phishing" is defined as identity theft taking place over the Internet. According to the IRS, phishing and malware incidents rose 400 percent in the 2016 tax season. Based on recent IRS alerts, these incidents have not diminished in the 2017 tax season. Both this year and last year, the IRS has discovered phishing schemes targeting tax professionals, payroll workers, human resources personnel, schools, individual taxpayers, and more.

Phishing Schemes Involving HR and Payroll Professionals

The IRS recently issued an alert to payroll and human resources professionals about phishing emails. These emails, purporting to be from company executives, request personal information about employees. Recipients who believed the emails to be trustworthy official communications have sent the scammers payroll data such as W-2 forms and employees’ social security numbers.

This type of phishing expedition, in which a scammer’s email is disguised as coming from a source the receiver knows and trusts, is called "spoofing." But it is no joke. The scammers’ goal is to collect money, passwords, social security numbers, and other information that can lead to identity theft, or to infect the recipient’s computer with malware that gives the scammer access to sensitive files or allows him to track keyboard strokes that expose login information.

Reacting to Suspicious Emails

If a recipient of an email purporting to be from a company executive is unsure about its legitimacy, she should check the sender’s email address against the email address in her records. Often, the fake email may have a missing or added period or letter. If the address is exactly the same, the recipient should call the executive to verify the email.

Generic requests for information should set off alarm bells. Fraudulent emails often are not personalized; many phishing emails begin with "Dear Sir/Madam."

Confidential information should not be submitted via forms embedded within email messages.

If there is any doubt as to the authenticity of links in an email purporting to connect to a website, the recipient of the email should open a new browser window and type the URL directly into the address bar. provides guidance to people who unwittingly clicked on a malicious email link or downloaded an attachment containing malware.

Ten Suggestions for Defending Against Phishing Attempts

  1. Companies that are not legally required to maintain unredacted W-2 forms may black out all but the last four digits of employees’ social security numbers on the forms.
  2. Only key personnel should have access to employees’ private information. Furthermore, their ability to copy and send this information should be restricted.
  3. All sensitive information should be encrypted.
  4. Computers should be protected with firewalls and anti-virus and anti-spyware software.
  5. Email filters may be used to block attachments or certain file types, strip URLs from messages, analyze sender domains, and perform Natural Language Processing to detect phishing.
  6. Domain whitelisting (allowing emails from certain sources) can prevent attacks with unknown domains or IP addresses.
  7. Outbound filtering may be used. SSL decryption can analyze outgoing emails to ensure sensitive information is not being sent.
  8. Security programs should be deployed on any devices employees use to send and receive company email.
  9. Employees should be trained regularly in recognizing and combatting phishing scams.
  10. Companies may send fake e-mails to their employees to test their vulnerability to phishing scams.

Where to Report Email Scams

The FTC requests that phishing emails be reported here:

The IRS recommends forwarding phishing emails to [email protected] and forwarding emails with malware that have not been clicked on or downloaded to [email protected]