IRS Warns of New Email Scam Targeting Taxpayers

CISA tips to avoid falling victim to a cyber attack

The Internal Revenue Service (IRS) has issued a warning about a new email scam in which malicious unsolicited emails are sent to taxpayers from fake IRS email addresses.

The emails contain a link to a spoofed website that displays fake details about the targeted recipient’s tax refund, return, or account. The emails instruct the recipient to access their refund information by entering a provided password on the spoofed website. By entering the password, the victim unintentionally downloads malware on their system that could enable the attacker to obtain sensitive information.

CWA Tax Director Kristina Yarbrough warns, “The IRS does not initiate contact with taxpayers by email, text messages or social media channels to request personal or financial information. You need to be very skeptical if you receive any email communication from a sender claiming to be the IRS and should assume it is a scam.”

The U.S. Department of Homeland Cybersecurity and Infrastructure Security Agency (CISA) offers tips on how to avoid social engineering and phishing attacks:

 – Be suspicious of unsolicited phone calls, visits, or email messages from individuals asking about personal or internal information. If an unknown individual claims to be from a legitimate organization, try to verify his or her identity directly with the company.
– Do not provide personal information or information about your organization unless you are certain of a person’s authority to have the information.
– Do not reveal personal or financial information in email, and do not respond to email solicitations for this information. This includes following links sent in email.
 – Don’t send sensitive information over the internet before checking a website’s security.
– Pay attention to the Uniform Resource Locator (URL) of a website. Malicious websites may look identical to a legitimate site, but the URL may use a variation in spelling or a different domain (e.g., .com vs. .net).
– If you are unsure whether an email request is legitimate, try to verify it by contacting the company directly. Do not use contact information provided on a website connected to the request; instead, check previous statements for contact information.
– Install and maintain anti-virus software, firewalls, and email filters to reduce some of this traffic.
– Take advantage of any anti-phishing features offered by your email client and web browser.

If you feel you have verified the authenticity of the sender according to the tips above, and still have questions, notify the IRS at or reach out to your CWA planner.