Skip to content
Naked Security Naked Security

IRS reports 400% increase in phishing & malware in the past 12 months

Just a month into US tax-filing season, and the year's 1,389 incidents have already topped the 2014 yearly total.

It’s tax season in the US. That means it’s also fraud season.

The US tax-filing season has only been under way for a month, but already the Internal Revenue Service is warning that it’s seen a 400% surge in phishing and malware compared with the previous tax year.

US taxpayers have been able to submit returns for the 2015 tax year as early as 19 January 2016. The deadline to file taxes is 18 April 2016.

That’s nearly two months away.

Accordingly, many of us are studiously averting our gazes from teetering piles of paperwork heaped on our dining room tables.

But fraudsters aren’t procrastinating. As the IRS has found, they’re getting a head start in their attempts to tackle our financial data.

The IRS warned on Thursday that it’s already seen a “dramatic” increase in official-looking text and email messages stuffed into inboxes.

The phishing messages are asking taxpayers about a wide range of sensitive information, including data related to refunds, filing status, confirmation of personal information, transcript orders and PIN verifications.

The messages are rigged to look official, as if they came from the IRS itself or from others in the tax industry, such as tax software companies.

The phishing attempts are being seen in every part of the country, the IRS says.

Fraudsters are in particular looking for information they can use to file bogus tax returns.

Clicking on their links whisks people off to sites rigged to look like official websites. Those sites ask for US taxpayer numbers, known as Social Security Numbers (SSNs), along with other personal data.

Besides phishing for such information, some of the sites are also boobytrapped with malware.

For example, some of the sites download keyloggers that record everything a victim types, including login details, and report it all back to a scammer.

Some specific numbers relating to what the IRS is seeing for phishing and malware incidents combined:

  • There were 1,026 incidents reported in January, up from 254 from a year earlier.
  • The trend continued in February, nearly doubling the reported number of incidents compared to a year ago.
  • In all, 363 incidents were reported from 1-16 February, compared to the 201 incidents reported for the entire month of February 2015.
  • This year’s 1,389 incidents have already topped the 2014 yearly total of 1,361, and they’re halfway to matching the 2015 total of 2,748.

The IRS says that software companies, tax pros and state revenue departments have seen variations in the schemes, including phishing scams going after their online credentials to IRS services such as the IRS Tax Professional PTIN System.

We’ve also seen multiple versions of refund fraud in recent years, including automated attacks from crooks who’ve gone out of their way to get access to innocent users’ online tax submission accounts.

In May 2015, crooks used an online IRS system called Get Transcript to probe for taxpayers’ personal information that they could then use in refund fraud.

That system didn’t actually have anything to do with the system used to file taxes or get refunds. Rather, it was a reference portal used for retrieving returns from past years.

But that’s just what crooks needed to file fraudulent returns for this year.

They struck again with that type of attack a few weeks ago, with a PIN-stealing attack on the IRS that affected 100,000 taxpayers.

This time, the crooks used a list of known SSNs to try to get access to the IRS’s Get My Electronic Filing PIN portal.

How to spot tax phishers

If you get an unsolicited message that’s purportedly from the IRS or an associated organization, be suspicious.

The IRS generally doesn’t initiate contact with taxpayers by email, text or social media to request personal or financial information, the agency stressed.

These official-looking electronic communications often ask taxpayers to update important information by clicking on a link. Those links may be masked to appear like they’re linked to official pages, but they’re just heading for trouble. Don’t click on them.

These are some of the subject lines and requests the IRS is seeing in these scams:

  • Confirm your personal information.
  • Get my IP PIN.
  • Get my E-file PIN.
  • Order a transcript.
  • Complete your tax return information.
  • Variations about people’s tax refunds.
  • Update your filing details, which can include references to W-2.

You can report these scams by sending the messages to

Image of Phishing courtesy of


Well/placed commonsensical warning HOWEVER the headline is very misleading, rather like the worst British tabloid journalism. Do the math!!! How many reports are involved. Look at the actual numbers, not some explosive misleading percentage figure. Second, if you like percentages, what is the percentage of actual returns filed during the same period. In brief, the warning about any hacking and phishing is welcome, but don’t get silly!


I think the headline is perfectly reasonable. The IRS did indeed “report a 400% increase,” as you will see if you read the report we link to. It’s in the IRS’s very first sentence, in fact.

Remember that the “%” sign means simply “/100” (that’s where the stroke and the little zeros in the ligature come from, by the way), so 400% is the same as writing 4, and “a 400% increase” is the same as writing “four times as many”. And that’s indeed what the arithmetic (it’s not really mathematics) suggests: 1024 reports in January compared to 254 a year ago, and 1024/254 is just a shade over 4. That’s “four times as many.”

Similarly, six weeks in 2016 has given 1389 incidents, which is about 230/week. 52 weeks in 2015 produced 2748, about 50 per week. Which is just over “a 400% increase.” For what it’s worth, 2015’s total incidents showed a 200% increase over 2014.

I get your point that the percentage of all returns filed in January this year may end up higher than last year, thus front-loading the fraud attempts, but I think that the “fourfold increase” is a reasonable claim for the IRS to have made, and for us to have reported that it made, if you look at the actual numbers.


Leave a Reply

Your email address will not be published. Required fields are marked *

Subscribe to get the latest updates in your inbox.
Which categories are you interested in?
You’re now subscribed!