The Top Tax Scams of 2024 | McAfee Blog


While last-minute tax filers stare down the clock, scammers look for easy pickings. Tax scams are in full swing as April 15th approaches, and we have a rundown of the top ones making the rounds this year.

For starters, the stakes this year remain the same as ever. Scammers are taking advantage of the stress and uncertainty that comes with tax season as they target people’s personal info, money, or both. Their avenues of attack remain the same as well, via email, texts, direct messages, and the phone.

Yet there’s a new wrinkle this year. Scammers have tapped into AI tools that make their scams look and feel far more sophisticated than ever.

We saw the first stirrings of AI-driven scams last year as AI tools first entered the marketplace. This year, AI-driven scams feature more and more in the landscape of threats. Scammers use them to generate images, write copy, and build websites in a fraction of the time that it once took. While they still make some of the design and writing mistakes they’ve made in the past, they make far fewer of them.

Examples of tax scams we’ve spotted this year.

We have a couple of tax scams to share from the many we’ve uncovered. The first one involves a popular brand of tax software here in the U.S.

Example of a scammer email

At first blush, this bogus email looks pretty legit. At first. The layout, photograph, and link all look like standard fare for an email. Though looking more closely, you can spot several AI fingerprints all over it.

For one, big brands like TurboTax have writers, editors, and reviewers who comb over copy before it gets approved for release. Here, the headline breaks a pretty standard formatting rule. In “headline case” writing, the “with” should be lowercase. Sure, mistakes get made, and this might be one example. Yet the problems go deeper than that.

Read the fine print. You’ll see that the grammar is off. The paragraph overall has a broken feel to it. You’ll also see that the copy mentions “market leader” twice — and awkwardly so. And what company mentions its competitors in an email like this? They’re not out to boost competitors.

Lastly, the email spells out the company’s name wrong in the fine print. It’s “TurboTax,” not “Turbo Tax with License Code.” All of this points to an obvious fake. But only by looking closely at it. It’s as if the scammers prompted an AI chatbot with “Describe what TurboTax is” and got this as a response.

Granted, that represents an example of rather sloppy work. The next example looks more convincing. This time, the scammers impersonate the IRS:

Example of a scammer website

We discovered this fake IRS site when our McAfee Labs team investigated a link sent in an email. The bait is the promise of getting a tax ID number for a business or organization. The hook is this bogus site designed to harvest personal and business info.

If you’ve visited the IRS site recently, you’ll recognize the look and feel of an IRS webpage quickly. It seems familiar enough, yet once again a closer look reveals a few things.

First, a small grammatical error rears its head in the copy. The term “setup” is a noun, yet the copy uses it as a verb. It should read “set up” instead. Granted, this is a common error. Many sites make it, yet it’s a red flag nonetheless. Next, the contact method in the top right raises yet another. Contact “an EIN expert” via email during set hours? Set hours are for phone calls, not email.

We omitted the final telltale sign — the URL. It was clearly a fake and not the official irs.gov address.

In all, it shows just how cagey tax scammers can be today. Particularly with AI. It puts a fresh look on some old tactics, making scams tougher to spot.

Now, onto our top tax scams for 2024.

Sketchy email attachments — the five most popular types.

This classic is back. Scammers spread all manner of malware with email attachments. One example: spyware that steals info as you type usernames and passwords as you log into your accounts. Another: ransomware that holds the data on your device hostage until you pay. Maybe. The list goes on, yet scammers always try to package it up in a way that looks legit.

One way they pull that off is with a phony tax document bundled up in a .pdf document. In fact, the .pdf format marks the number one file type that hackers and scammers use in their attacks. By our count, it tops the number two file type by a ratio of roughly 6 to 1.

Here are the top five file types used by scammers and hackers:

  1. .pdf
  2. .exe
  3. .zip
  4. .html
  5. .text

What makes the .pdf format so popular? People trust it. It gets commonly used in business, and many legitimate tax forms come in that format. However, it also offers a versatile platform for exploits. Hackers and scammers can embed malicious links and content within them. So clicking what’s inside that .pdf doc can lead to trouble, say in the form of a malicious website designed to steal personal info.

Starting in the second half of last year, we noted a spike in malicious attachments that used the .pdf format. Another reason that makes .pdf files so popular, email filters tend to focus on other file types like the executable .exe format. So, a .pdf has a better shot at slipping through.

Our advice:

As always, strong antivirus software can detect and protect you from malicious email attachments. Our Next-gen Threat Protection found in all our McAfee+ plans once again proves itself as a top option for antivirus. Results from the independent lab AV-TEST in December 2023 saw it block 100% of entirely new malware attacks in real-world testing. It likewise scored 100% against malware discovered in the previous four weeks. In all, it received the highest marks for protection, performance, and usability — earning it the AV-TEST Top Product certification.

Tax time phishing scams.

Phishing scams crop up in plenty of places and take plenty of forms. As in years past, we see scammers cranking up their bogus texts, direct messages, and emails. They all follow the tax season theme, yet they take different approaches to roping in victims. Some include:

  • Attachments with phony tax documents, like W2 and 1099 forms.
  • Scam texts that alert the taxpayer of an unclaimed refund.
  • Imposter schemes, like social media messages from people who pose as legitimate IRS agents.
  • Fake offers for tax prep software (like the TurboTax example above).

Additionally, many phishing attacks point people to malicious websites — once again that steal personal info. We’ve seen a spike in malicious tax-related URLs starting in the second half of last year as well.

Our advice:

You can absolutely protect yourself from phishing scams. Now with the help of AI. McAfee Scam Protection detects suspicious URLs with AI before they’re opened or clicked on. This takes the guesswork out of those sometimes convincing-looking messages by letting you know if they’re fakes. If you accidentally click or tap on a suspicious link in a text, email, social media, or browser search, it blocks the scam site from loading. You’ll find McAfee Scam Protection across our McAfee+ plans.

Fake charity scams also crop up this time of year.

Whether it’s for natural disaster aid, aiding refugees in war-torn regions, or even protecting animals and pets, scammers set up phony charities with the aim of pulling heartstrings. And then stealing money as a result.

Scammers reach out with the usual methods, by email, text, direct message, and sometimes phone calls as well. They all share one thing in common. They all give potential victims a chance to support a cause that they care for and get a tax credit in return. Yet with these scams, the charity doesn’t exist. Instead, money and personal info end up in the hands of scammers.

Our advice:

Yet you have several ways you can spot a fake charity. For one, the message often has a pressing, almost alarming, tone. One that urges you to “act now.” Before acting, take a moment. Research the charity. See how long they’ve been in operation, how they put their funds to work, and who truly benefits from them.

Likewise, note that some charities pass along more money to their beneficiaries than others. Generally, most reputable organizations only keep 25% or less of their funds for operations, while some less-than-reputable organizations keep up to 95% of funds, leaving only 5% for advancing the cause they advocate. In the U.S., the Federal Trade Commission (FTC) has a site full of resources so that you can make your donation truly count. Resources like Charity Watch and Charity Navigator, along with the BBB’s Wise Giving Alliance can also help you identify the best charities.

Keep an ear out for scam calls.

Scammers like to pick up the phone too. A popular form of attack involves “the call from the IRS.” Typically, a recorded message notifies the recipient that they owe money. And because scammers know just how jarring a call from the IRS can be, they apply heavy pressure in the message.

In the past, we’ve heard messages that threatened fines, jail time, and revoking driver’s licenses. They’ve mentioned the police and other law enforcement agents in them as well, just to turn up the heat.

Now with AI, scammers can create robocalls that sound highly realistic in only moments of time. It’s as simple as writing a few lines of a script, feeding it into an AI tool, and then generating an audio file. No need for another person to record the message. AI takes care of it all.

Our advice:

The best way you can avoid falling for this scam is by knowing what the IRS will and will not do when they contact you. From the irs.gov website, the IRS will not:

  • Initiate contact with taxpayers by email, text messages, or social media channels to request personal or financial info.
  • Call to demand immediate payment using a specific payment method such as a prepaid debit card, gift card, or wire transfer. Generally, the IRS will first mail a bill to any taxpayer who owes taxes.
  • Demand that you pay taxes without the opportunity to question or appeal the amount they say you owe. You should also be advised of your rights as a taxpayer.
  • Threaten to bring in local police, immigration officers, or other law enforcement officers to have you arrested for not paying. The IRS also can’t revoke your driver’s license, business license, or immigration status. Threats like these are common tactics scam artists use to trick victims into buying into their schemes.

Lastly, also know that the IRS is here to help. The agency offers a full help page with online resources, along with several ways you can contact the IRS for help. If you have any questions about a notification that you received, contact them.

Even more protection from tax-time scams…

While scammers have a wealth of tools available to them, you have one tool that protects you from all kinds of threats. Comprehensive online protection software like McAfee+ offers yet more ways to steer clear of tax scams.

In addition to the antivirus and scam protection features we mentioned, it can make you more private on social media, which can prevent scammers from profiling you. It can also remove your personal info from the data broker sites scammers use to contact their victims. (Granted, scammers have to get your contact info from somewhere, and these sites offer that info, plus much more.) Also, a VPN can help you connect and file your taxes even more securely, so what you do stays private.

And if the unfortunate happens, our identity theft coverage can help you recover. It provides $2 million in identity theft coverage and a licensed recovery expert who can help restore your identity.

Yes, we’re seeing plenty of old scams with new twists this year. Yet the same ways you can protect yourself from them only get better and better.

Introducing McAfee+

Identity theft protection and privacy for your digital life





Source link