Blog March 25, 2024

How to Avoid Online Tax Day Scams: Tips to protect your finances and data

by Rob Ames, Senior Staff Threat Researcher

As Tax Day in the U.S. looms on the horizon, so too does the risk of falling victim to online scams. In 1986, the first year that e-filing was available, five people filed their returns electronically. Since then, the popularity of e-filing has increased so much that 92% of individual tax returns are now e-filed. As online tax filing and payment have become more popular, though, scams targeting unsuspecting taxpayers have as well. 

SecurityScorecard’s Threat Research, Intelligence, Knowledge, and Engagement (STRIKE) Team analyzed the tactics, techniques, and procedures (TTPs) cyber criminals are most likely to employ during tax season. Using SecurityScorecard’s Attack Surface Intelligence module, this research unearthed over 16,000 IP addresses that may be vulnerable to the threat actors linked to these TTPs. These TTPs run the gamut from spear phishing and drive-by compromises to credential dumping and business email compromise (BEC). 

Armed with knowledge and vigilance, you can shield yourself from these fraudulent schemes and safeguard your financial well-being. Here are some of the most common tax scams to be on the lookout for this year, along with tips from the STRIKE Team on how to stay safe: 


Social engineering 

Scammers use emails, text messages, or phone calls posing as the IRS or tax preparation software providers to trick people into giving up their personal information or clicking links or attachments that download malware. The goal in phishing attempts and other social engineering is to steal sensitive information like Social Security numbers, bank account information, or credit card numbers.

Scammers may also use social media to gain access to personal information and use it for identity theft. They may create fake profiles, send friend requests, or post fraudulent links. Be cautious about what you share on social media and verify the identity of any person or organization that contacts you through social media.

STRIKE Team’s tip: 

Implement anti-phishing training for employees, use email filtering to detect phishing attempts, and deploy multi-factor authentication (MFA) to mitigate the risk of credential compromise.


Fraudulent tax preparers

Some tax preparers make false promises to get more business, such as offering inflated refunds or basing their fees on a percentage of your refund. They may also promise to get you out of debt with the IRS or offer to settle your tax debt for pennies on the dollar. Be wary of tax preparers who don’t ask for proper documentation, have unverifiable credentials, or don’t have a physical office.

STRIKE Team’s tip: 

Tax season is a prime time for identity theft, as scammers try to file fraudulent tax returns using stolen personal information. Keep your personal information safe by using secure websites for online tax filing, shredding sensitive documents, and monitoring your credit report regularly.




Fake charity scams

Scammers create fake charities and solicit donations during tax season. They may use names that sound legitimate or resemble well-known charities to trick people into giving them money. Before making a donation, research the charity’s name and verify its tax-exempt status with the IRS.

STRIKE Team’s tip: 

Be wary of unsolicited emails or messages claiming to be from the IRS or tax authorities. Cybercriminals often impersonate government agencies to trick individuals into divulging sensitive information. Remember, the IRS typically communicates with taxpayers via traditional mail and does not initiate contact through email, text messages, or social media.


Business email compromise (BEC)

Business Email Compromise (BEC) is a sophisticated attack targeting businesses. Perpetrators use fraudulent emails to deceive employees into transferring money or sensitive information. Typically, the scam involves impersonating a trusted individual, such as a CEO or a vendor, to manipulate recipients into taking action. These attacks can lead to financial losses, data breaches, and reputational damage for organizations. Vigilance, employee awareness training, and robust email security protocols are essential defenses against BEC attacks in today’s interconnected business landscape.

STRIKE Team’s tip: 

Implement email rules that flag emails with extensions similar to company email, verify changes in payment details or requests for sensitive information through a secondary communication channel, and conduct regular BEC training.
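The first part of that tip, flagging senders whose domain merely resembles the company's, can be expressed as a small mail-filter rule. The following is an added example, not code from SecurityScorecard or this post; the company domain, the homoglyph table and the sample From: headers are all constructed assumptions. It marks a sender as internal, look-alike (homoglyph swap, typosquat, different top-level domain, or the real name buried inside a longer domain) or plain external, which is the signal a gateway would use to add a warning banner or quarantine the message.

```python
"""Flag inbound mail whose sender domain imitates the company's own domain.

Added example (not SecurityScorecard code). COMPANY_DOMAIN, the homoglyph
table and the sample From: headers are constructed for illustration.
"""
from __future__ import annotations

import re

COMPANY_DOMAIN = "example-corp.com"   # assumption: the organisation's real domain
MAX_EDIT_DISTANCE = 2                 # how close a foreign domain may be before it is flagged

# Substitutions commonly used to build look-alike names (constructed table).
_MULTI_CHAR = {"rn": "m", "vv": "w"}
_SINGLE_CHAR = str.maketrans({"0": "o", "1": "l", "3": "e", "5": "s", "7": "t"})


def normalize(domain: str) -> str:
    """Collapse homoglyph tricks so 'examp1e-corp.com' compares equal to the real name."""
    d = domain.strip().lower().rstrip(".")
    for fake, real in _MULTI_CHAR.items():
        d = d.replace(fake, real)
    return d.translate(_SINGLE_CHAR)


def edit_distance(a: str, b: str) -> int:
    """Levenshtein distance in its standard dynamic-programming form."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


_ADDR = re.compile(r"<([^>]+)>|(\S+@\S+)")


def sender_domain(from_header: str) -> str:
    """Pull the domain out of a From: header such as 'CEO <ceo@example-corp.com>'."""
    m = _ADDR.search(from_header)
    addr = (m.group(1) or m.group(2)) if m else from_header
    return addr.rsplit("@", 1)[-1].strip().lower()


def classify(from_header: str) -> str:
    """Return 'internal', 'lookalike' or 'external' for one From: header."""
    domain = sender_domain(from_header)
    company = COMPANY_DOMAIN.lower()
    if domain == company:
        return "internal"
    if normalize(domain) == normalize(company):
        return "lookalike"                          # homoglyph swap (1 for l, rn for m)
    if company in domain:
        return "lookalike"                          # real name buried in a longer domain
    if domain.rsplit(".", 1)[0] == company.rsplit(".", 1)[0]:
        return "lookalike"                          # same name, different top-level domain
    if edit_distance(normalize(domain), normalize(company)) <= MAX_EDIT_DISTANCE:
        return "lookalike"                          # typosquat
    return "external"


def triage(from_headers: list[str]) -> list[tuple[str, str]]:
    """Classify a batch of headers; the gateway would banner or quarantine 'lookalike'."""
    return [(h, classify(h)) for h in from_headers]


# Constructed sample headers, not taken from any real mailbox.
SAMPLE_FROM_HEADERS = [
    "Alice Chen <alice@example-corp.com>",
    "CEO <ceo@examp1e-corp.com>",
    "CEO <ceo@exarnple-corp.com>",
    "Accounts Payable <ap@example-corp.co>",
    "HR <hr@example-corp.com.secure-login.net>",
    "billing@vendor-invoices.example",
]

if __name__ == "__main__":
    for header, verdict in triage(SAMPLE_FROM_HEADERS):
        print(f"{verdict:9s} {header}")
```

The edit-distance threshold is the knob to tune: 2 catches most single-character typosquats without flagging genuinely unrelated short domains, but the "same name, different TLD" and "real name inside a longer domain" checks are the ones that catch the cases attackers favour for BEC, because those domains look correct at a glance.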


Drive-by compromise

A drive-by compromise is a cyberattack where malware is automatically downloaded onto a user’s device without their consent or knowledge simply by visiting a compromised website. Exploiting vulnerabilities in web browsers or plugins, attackers inject malicious code into legitimate sites. When users access these sites, the malware is silently installed, often leading to further system infiltration or data theft. Drive-by compromises underscore the importance of regularly updating software and employing robust cybersecurity measures to mitigate risks.

STRIKE Team’s tip: 

Ensure browsers and plug-ins are up-to-date, deploy web filters to block known malicious sites, and educate users to avoid unknown websites offering streaming or betting services.


Fake security software or impair defenses: Spoof security alerting

Fake security software or spoof security alerting involves the creation of deceptive notifications or software that masquerade as legitimate security tools. These fake alerts often warn users of non-existent threats or infections, prompting them to download malicious software or provide sensitive information. By impairing users’ defenses and instilling a false sense of urgency, attackers can gain access to personal or organizational data. Awareness of these tactics and skepticism towards unsolicited security alerts are crucial for maintaining cybersecurity hygiene.

STRIKE Team’s tip: 

Use reputable endpoint protection solutions, maintain up-to-date software inventories, and educate users on downloading software only from trusted sources.


Credential dumping

Credential dumping is a cyberattack technique where attackers extract login credentials from a compromised system’s memory or storage. Using various methods like malware or tools, attackers gain access to sensitive data such as usernames and passwords stored locally or in memory. Once obtained, these credentials can be used to escalate privileges, access additional systems, or conduct further malicious activities within a network. Implementing strong password policies, multi-factor authentication, and monitoring for suspicious activity can help mitigate the risk of credential dumping.

STRIKE Team’s tip: 

Monitor system logs for unusual access patterns, use privileged access management solutions, and regularly change and audit passwords.
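"Monitor system logs for unusual access patterns" is concrete enough to implement. The block below is an added example, not code from SecurityScorecard or this post; the log format and the sample lines are constructed, and real sources (Windows Security events, sshd, an identity provider) would need their own parser in front of the same detectors. It raises two alerts that typically follow credential dumping: one source address logging in successfully as several different accounts within a short window, and one account succeeding from several source addresses within that window.

```python
"""Detect credential-abuse patterns in authentication logs.

Added example, not code from SecurityScorecard or the post. The log format
and the sample lines are constructed for illustration.
"""
from __future__ import annotations

import re
from collections import defaultdict, deque
from dataclasses import dataclass
from datetime import datetime, timedelta

_LINE = re.compile(r"^(?P<ts>\S+) src=(?P<src>\S+) user=(?P<user>\S+) result=(?P<result>\S+)$")


@dataclass(frozen=True)
class Event:
    ts: datetime
    src: str
    user: str
    result: str


@dataclass(frozen=True)
class Alert:
    kind: str
    subject: str
    detail: tuple[str, ...]


def parse_log(text: str) -> list[Event]:
    """Parse the constructed 'ts src= user= result=' format into time-ordered events."""
    events = []
    for line in text.splitlines():
        m = _LINE.match(line.strip())
        if not m:
            continue  # unparseable line; a real pipeline would count these
        ts = datetime.strptime(m["ts"], "%Y-%m-%dT%H:%M:%SZ")
        events.append(Event(ts, m["src"], m["user"], m["result"]))
    return sorted(events, key=lambda e: e.ts)


def _sliding_distinct(events, key, value, window, threshold, kind):
    """Alert once per key when distinct values seen under that key within `window` reach `threshold`."""
    grouped = defaultdict(list)
    for e in events:
        if e.result == "success":      # only successful logins count as credential use
            grouped[key(e)].append(e)
    alerts = []
    for subject, evs in grouped.items():
        recent = deque()
        for e in evs:                  # evs is already time-ordered (parse_log sorts)
            recent.append(e)
            while e.ts - recent[0].ts > window:
                recent.popleft()
            distinct = {value(x) for x in recent}
            if len(distinct) >= threshold:
                alerts.append(Alert(kind, subject, tuple(sorted(distinct))))
                break                  # one alert per subject is enough for triage
    return alerts


def detect(events: list[Event], window: timedelta = timedelta(minutes=10)) -> list[Alert]:
    alerts = []
    # One source logging in as several accounts: dumped credentials being replayed.
    alerts += _sliding_distinct(events, key=lambda e: e.src, value=lambda e: e.user,
                                window=window, threshold=3, kind="many_accounts_from_one_source")
    # One account succeeding from several sources within minutes: a shared or stolen credential.
    alerts += _sliding_distinct(events, key=lambda e: e.user, value=lambda e: e.src,
                                window=window, threshold=2, kind="account_from_many_sources")
    return alerts


# Constructed sample log: normal morning activity, then one host cycling through accounts.
SAMPLE_LOG = """\
2024-03-20T09:00:00Z src=10.0.0.5 user=alice result=success
2024-03-20T09:05:00Z src=10.0.0.6 user=bob result=success
2024-03-20T09:07:00Z src=10.0.0.5 user=alice result=success
2024-03-20T13:00:00Z src=10.0.0.99 user=alice result=success
2024-03-20T13:02:30Z src=10.0.0.99 user=bob result=failure
2024-03-20T13:02:45Z src=10.0.0.99 user=bob result=success
2024-03-20T13:04:10Z src=10.0.0.99 user=carol result=success
2024-03-20T13:05:00Z src=10.0.0.7 user=carol result=success
2024-03-20T13:40:00Z src=10.0.0.99 user=dave result=success
"""

if __name__ == "__main__":
    for a in detect(parse_log(SAMPLE_LOG)):
        print(f"{a.kind}: {a.subject} -> {', '.join(a.detail)}")
```

The thresholds (three accounts per source, two sources per account, ten-minute window) are starting points; tune them against a baseline of your own environment, where jump hosts and shared service accounts will otherwise generate noise and deserve an allowlist.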


Masquerading
A masquerading cyberattack involves an attacker impersonating a legitimate user, device, or service to gain unauthorized access to systems or data. This deception can take various forms, such as using stolen credentials, spoofing IP addresses, or mimicking trusted email addresses. By masquerading as an authorized entity, attackers can bypass security measures and exploit vulnerabilities. Implementing robust authentication protocols, monitoring for unusual behavior, and educating users about phishing tactics are essential defenses against masquerading cyberattacks.

STRIKE Team’s tip: 

Use DNS filtering to block malicious domains, implement strict external email marking policies, train users to inspect URLs carefully before providing any information, and continuously monitor systems for any signs of credential abuse.
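"Inspect URLs carefully" is easier to teach with a tool that shows what the browser will actually connect to. The following is an added example, not code from SecurityScorecard or this post; the trusted-domain list, the brand keyword, the simplified public-suffix handling and the sample URLs are constructed assumptions (a production tool would use the Public Suffix List). It extracts the registrable domain and flags the constructions masquerading links rely on: a real name placed before an `@` so it becomes a login name rather than the destination, a raw IP address, a Punycode label that may render as look-alike characters, a trusted brand used only as a subdomain of someone else's domain, and plain HTTP.

```python
"""Inspect a URL the way a user should before entering tax information.

Added example, not code from SecurityScorecard or the post. TRUSTED_DOMAINS,
BRAND_KEYWORDS, the two-label suffix set and the sample URLs are constructed;
the public-suffix handling is a deliberate simplification.
"""
from __future__ import annotations

import ipaddress
from urllib.parse import urlsplit

TRUSTED_DOMAINS = {"irs.gov"}             # registrable domains accepted as genuine
BRAND_KEYWORDS = {"irs"}                  # words masqueraders put in subdomains
TWO_LABEL_SUFFIXES = {"co.uk", "com.au"}  # simplified stand-in for the Public Suffix List


def registrable_domain(host: str) -> str:
    """Return the part of the host someone had to register (eTLD+1, simplified)."""
    labels = host.lower().rstrip(".").split(".")
    if len(labels) >= 3 and ".".join(labels[-2:]) in TWO_LABEL_SUFFIXES:
        return ".".join(labels[-3:])
    return ".".join(labels[-2:])


def is_ip_literal(host: str) -> bool:
    try:
        ipaddress.ip_address(host)
        return True
    except ValueError:
        return False


def inspect_url(url: str) -> dict:
    """Return the real host, its registrable domain and the deceptive constructions found."""
    parts = urlsplit(url)
    host = (parts.hostname or "").lower()
    flags: list[str] = []
    if parts.username is not None:
        # 'https://www.irs.gov@198.51.100.7/': text before '@' is a login name,
        # not the destination; the browser connects to what follows it.
        flags.append("userinfo")
    if is_ip_literal(host):
        flags.append("raw_ip")
    if any(label.startswith("xn--") for label in host.split(".")):
        flags.append("idn")  # Punycode label; the displayed name may use look-alike characters
    reg = host if (not host or is_ip_literal(host)) else registrable_domain(host)
    trusted = reg in TRUSTED_DOMAINS
    if host and not trusted:
        subdomain_labels = host.split(".")[:-len(reg.split("."))]
        if any(kw in label for kw in BRAND_KEYWORDS for label in subdomain_labels):
            flags.append("brand_in_subdomain")  # 'irs.gov.' is only a subdomain of someone else's domain
    if parts.scheme != "https":
        flags.append("not_https")
    return {"url": url, "host": host, "registrable": reg, "trusted": trusted, "flags": flags}


def verdict(url: str) -> str:
    info = inspect_url(url)
    if info["flags"]:
        return "suspicious"
    return "trusted" if info["trusted"] else "unknown"


# Constructed sample URLs; the Punycode label is invented and is not decoded here.
SAMPLE_URLS = [
    "https://www.irs.gov/payments",
    "http://irs.gov.refund-status.example/login",
    "https://www.irs.gov@198.51.100.7/refund",
    "https://login.xn--1rs-ghb.example/",
]

if __name__ == "__main__":
    for u in SAMPLE_URLS:
        info = inspect_url(u)
        print(f"{verdict(u):10s} registrable={info['registrable']:28s} flags={info['flags']} {u}")
```

The same registrable-domain extraction is what a DNS filter or proxy compares against its blocklist, so the "registrable" column is the one to show users: everything to the left of it is chosen freely by whoever registered that domain.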


External remote services

External remote services refer to third-party services or systems accessed from outside an organization’s network. These services enable remote access to resources, data, or applications, typically over the internet. Examples include cloud storage platforms, virtual private networks (VPNs), or external databases. While providing flexibility and convenience, external remote services also pose security risks, such as unauthorized access, data breaches, or service outages. Implementing strong access controls, encryption, and regular security assessments help mitigate these risks and ensure secure remote connectivity.

STRIKE Team’s tip: 

Ensure that remote access to the network is secured with VPNs and MFA and is monitored for unusual activity.


Stay informed

To avoid falling victim to these and other tax scams, be vigilant about protecting your personal information and stay informed about the latest scams. Remember, the IRS will never contact you by phone, email, or social media to request personal information or payment. If you receive a suspicious communication, report it to the IRS immediately. 


Final thoughts

Knowledge is your best defense. Stay updated on the latest tax-related scams and tactics used by cybercriminals. Government agencies, such as the IRS or the Federal Trade Commission (FTC), regularly issue alerts and advisories about prevalent scams. Subscribe to their newsletters or follow them on social media to receive timely updates.

SecurityScorecard is committed to making the world a safer place by giving our customers an outside-in view of their security posture. Our security ratings are based on trusted, transparent methodology and data collected from millions of organizations. Gain a complete view of your vendor ecosystem and boost your cyber resilience at the same time. 

For more information on how to spot scams and stay proactive against cyber threats, visit

