“So far in 2022, the IRS has identified and reported thousands of fraudulent domains tied to multiple MMS/SMS/text scams (known as smishing) targeting taxpayers,” the IRS said in a press release.

Posing as the IRS, scammers send their targets text messages with links that take them to phishing websites. Once on these sites, the threat actors will try to pry sensitive personal and financial information from their victims or send “malicious code” to their phones. “Smishing campaigns target mobile phone users, and the scam messages often look like they’re coming from the IRS, offering lures like fake COVID relief, tax credits or help setting up an IRS online account,” the organization said.

IRS phishing scams are not new. However, the IRS said it observed an increase in smishing scams in 2020, and this continued through the pandemic. The IRS pointed out that the scale of these scams is far greater than ever.

Hackers are Using Algorithmic Tools to Generate Fake Domains

The sharp increase in IRS phishing scams is down to malicious actors using new tactics to target more people, the IRS explained. Hackers are using algorithms to create large numbers of fraudulent domains. The IRS said hackers used just three dozen stolen or fake email addresses to create over 1,000 fraudulent domains in a recent campaign.

“This is phishing on an industrial scale so thousands of people can be at risk of receiving these scam messages,” IRS Commissioner Chuck Rettig said. “In recent months, the IRS has reported multiple large-scale smishing campaigns that have delivered thousands – and even hundreds of thousands – of IRS-themed messages in hours or a few days, far exceeding previous levels of activity.”

Scammers are putting in a lot of effort to make their phishing messages appear more legitimate. Beyond the realistic emails and text messages, the phishing websites themselves have become nearly indistinguishable from the legitimate sites they’re spoofing. This way, a potential victim is less likely to notice anything suspicious.

Earlier this month, we reported on how malicious actors created a realistic-looking Steam pop-up login page to target gamers and steal their credentials. In another campaign we reported in July, scammers used a fake PayPal login page to carry out identity theft.

IRS Urges Taxpayers to Watch out for Suspicious Messages

There are several steps you can take to protect yourself and help the IRS tackle these rampant phishing scams. For starters, it is important to treat suspicious-looking text messages with caution. The IRS noted that it does not send emails or text messages asking for your personal or financial information. Therefore, if you receive any messages purporting to be from the IRS or the U.S. Treasury asking for these details, forward them to phishing@irs.gov.

“Particularly in these cases, the best offense is a good defense,” Rettig said. “Taxpayers and tax pros need to remain constantly vigilant with suspicious IRS-related emails and text messages. And if you get one, sending the IRS important details from the text can help us disrupt the scams and protect others.”

Check out our in-depth articles on phishing and social engineering to learn more about how these scams work, how to spot them, and how to protect yourself.
