Tax season has become open hunting ground for cybercriminals, and the targets are not just accountants and big firms but ordinary filers trying to submit a return. Hackers know that people are rushing to upload W‑2s, answer emails from preparers, and respond to what look like urgent messages about refunds or penalties, and they are exploiting that pressure with increasingly polished scams. If I want to keep my refund and my identity safe, I need to recognize the warning signs that separate a legitimate tax contact from a hacker’s trap.
The patterns are consistent: criminals impersonate the Internal Revenue Service, pose as new clients or tax pros, and weaponize texts, emails, and fake portals to steal Social Security numbers and bank details. The red flags are visible once I know where to look, from payment demands in gift cards to “urgent” texts about a blocked refund, and the latest guidance from tax authorities and security experts offers a clear checklist of what to ignore and what to verify.
Hackers are following the money into tax season
Tax filing is a perfect storm for cybercrime because it concentrates sensitive data, tight deadlines, and widespread confusion about complex rules. The IRS expects more than 146 m individual returns in a typical season, which means hundreds of millions of W‑2s, 1099s, and bank account numbers moving through email, cloud drives, and tax software. Hackers know that if they can compromise even a small slice of that traffic, they can file fake returns, redirect refunds, or sell identity profiles on criminal markets.
Security researchers and tax officials describe a shift from broad, sloppy spam to targeted attacks that mimic real workflows. Criminals are not just blasting out generic “you owe the IRS” messages, they are crafting spear phishing emails that look like they come from a known preparer, or “new client” inquiries that trick tax pros into opening malware. The IRS has folded these tactics into its annual Dirty Dozen list of threats, underscoring that the danger is not theoretical but a recurring pattern that peaks every filing season.
Phishing, smishing and fake IRS messages
The most common doorway for hackers is still a message that looks like it comes from the government or a trusted institution. I see this in classic phishing emails that copy IRS logos and fonts, as well as “smishing” texts that claim my refund is delayed or my account is locked. Security analysts describe Common IRS Scams that use Smishing and SMS Phishing Text messages with lines like “You are owed additional tax credits” or “Your stimulus payment is on hold,” all designed to make me tap a malicious link without thinking.
These messages often push me to click through to a fake portal that asks for my Social Security number, bank login, or driver’s license photo, or they attach a file that quietly installs malware. The IRS itself stresses that it does not initiate contact with taxpayers through random Email, text and social media blasts, and that The IRS will not send unsolicited messages promising “tax credits” or “stimulus payments” with embedded links. When I see a message that combines urgency, a promise of money, and a demand to click, I am almost certainly looking at a hacker’s lure, not a real tax notice.
“Dirty Dozen” scams and the new client con
Every year, the IRS compiles a Dirty Dozen list of the most dangerous tax schemes, and the 2025 version reads like a blueprint for how hackers operate. The agency warns that criminals are using Dirty Dozen tactics such as phishing, smishing, and social media scams to pose as helpful advisers, only to harvest data or push bogus refund claims. These schemes can hit me directly as a taxpayer or indirectly through my preparer, who may be tricked into exposing entire client lists.
One standout threat is the “new client” spear phishing scam, where attackers email tax professionals pretending to be prospective customers who need help with a complex return. The messages often include attachments labeled as W‑2s or prior returns that actually contain malware, and the IRS notes that Spear Phishing is The Primary Attack Vector in these cases. If my preparer’s system is compromised, hackers can quietly pull my W‑2s, bank details, and Social Security number, then use that data to file fraudulent returns long before I realize anything is wrong.
Red flags in emails, texts and phone calls
Most tax scams share a handful of telltale signs, and learning them is one of the fastest ways I can protect myself. The IRS and consumer watchdogs highlight patterns like threats of arrest, demands for immediate payment, and requests for unusual methods such as gift cards or cryptocurrency. In one advisory, officials in INDIANAPOLIS warned that Common Signs of a Tax scam include callers who claim to be from The Internal Revenue Service but insist on payment through wire transfers or prepaid cards, something the real IRS does not do.
Language and formatting are another giveaway. Messages may use generic greetings, awkward phrasing, or slightly misspelled domains that mimic real institutions, a pattern security experts describe when they warn about Generic greetings and odd word usage in emails that target W‑2 data. If someone pressures me to act immediately, refuses to let me hang up or log off to verify the request, or becomes aggressive when I ask to call back using a published IRS number, I am almost certainly dealing with a scammer, not a legitimate tax official.
When the “tax pro” is the problem
Not every threat comes from a stranger on the internet; sometimes the danger is the person I hire to prepare my return. Most tax preparers provide outstanding and professional service, but the IRS warns that Unscrupulous preparers can inflate refunds, invent credits, or steal identities, and that Most practitioners are honest while However some use the system to exploit clients. A fake preparer might promise an unusually large refund, base their fee on a percentage of that refund, or refuse to sign the return, all of which are red flags that my information could be misused.
Cybercriminals also target legitimate tax pros because compromising one office can expose hundreds of clients at once. Security coalitions have warned that Receiving a duplicate email from what appears to be a known trusted source that contains a new attachment or hyperlink is a classic sign that a preparer’s account has been hijacked, and that Receiving a message with a sudden request for client data or password resets should trigger suspicion. If my preparer suddenly changes their email address, asks me to resend documents through an unfamiliar link, or starts using unsecured channels like plain-text email for W‑2s, I should pause and confirm by phone or in person before sending anything.
Identity theft warning signs in your tax life
By the time I see money missing from my bank account, a tax scam may already be far advanced, so I need to watch for earlier clues in my tax records. The IRS identity theft guidance lists specific Warning signs, urging me to Watch for notices about returns I did not file, refunds I did not request, or income tied to my Social Security number that I did not earn or expect. If I try to e‑file and the system says a return has already been submitted under my Social Security, that is a major red flag that someone has used my identity.
Other clues show up outside the tax system but still point to trouble. Unexpected mail about new accounts, sudden changes to my online tax transcript, or alerts from my employer about a payroll data breach can all signal that my information is in circulation. The IRS notes that unusual activity with my Social Security records, such as benefits statements that do not match my work history, should prompt me to check both my tax account and my credit reports. The earlier I spot these anomalies, the better my chances of blocking fraudulent refunds before they are paid out.
How to tell a real IRS contact from a fake one
One of the most confusing parts of tax season is figuring out whether a letter, call, or email is actually from the government. The IRS has tried to simplify this by explaining that it typically starts with mailed notices and does not use surprise phone calls or aggressive collection tactics as a first step. Officials emphasize that if I receive a suspicious message, I can Log in to my secure IRS Online Account to see if the letter or notice is in their file, which gives me a direct way to verify whether a communication is legitimate.
There are also clear rules about what the agency will not do. The IRS explains that it does not initiate contact through random social media messages and that Some common electronic scams involve fake refunds, credits, or stimulus payments that try to lure me into clicking a link or sharing data. Guidance on how to Recognize tax scams and fraud stresses that Scammers mislead me about Tax refunds, credits and payments, and that They pressure me for personal and financial information or push me to open attachments that may harm my computer. If a message breaks these rules, I should treat it as a scam until proven otherwise.
Why tax pros are prime hacker targets
From a hacker’s perspective, a tax office is a gold mine: one compromised inbox can expose years of returns, bank routing numbers, and dependent information for hundreds of households. Cybersecurity specialists describe how Phishing Scams Targeting Tax Professionals use Hackers posing as potential clients who send realistic-looking attachments or links, hoping the preparer will open them on a network that stores sensitive data. Once inside, attackers can quietly copy W‑2s, change direct deposit details on filed returns, or plant ransomware that locks up an entire practice at the height of filing season.
The IRS has noted that in 2025 it continues to see the “new client” scam, where criminals send spear phishing emails that look like routine business inquiries. Payroll and HR platforms warn that the IRS is tracking these attacks because they often lead to large-scale theft of W‑2 data, which can then be used to file fraudulent returns or commit workplace identity theft. If I am a client, I should not be shy about asking my preparer how they secure email, whether they use multi-factor authentication, and how they will contact me if there is a suspected breach, because their defenses are effectively my first line of protection too.
Everyday steps to protect your return and refund
Even without a technical background, I can make myself a much harder target by changing a few habits during tax season. Security experts urge filers to Think before they click and to Look out for tax scams and phishing, especially when Cybercriminals impersonate the IRS, tax preparers, and financial institutions. That means typing official web addresses directly into my browser instead of following links, using strong and unique passwords for tax software, and enabling multi-factor authentication wherever it is offered.
It also helps to file early, so there is less time for a criminal to submit a fake return in my name, and to send documents through secure portals instead of regular email. Consumer alerts urge me to be on the Alert for Tax Scams, noting that it does not matter whether I owe money to the IRS or am expecting a refund, scammers will target me either way and may Threaten to have me arrested if I do not comply. By freezing my credit if I suspect identity theft, monitoring my bank and card statements closely during filing season, and using official channels like the IRS Online Account to verify any unexpected notices, I can dramatically cut the odds that a hacker turns my tax return into their payday.
How to respond if you spot a scam
Recognizing a red flag is only half the battle; what I do next can limit the damage and help authorities track patterns. If I receive a suspicious email or text, the safest move is not to reply, not to click, and not to open attachments. Instead, I can forward phishing emails that impersonate the IRS to the agency’s dedicated reporting address and then delete them from my inbox and trash. Guidance on Common Tax Scams to Watch Out For stresses that Phishing Emails and Text Messages from Scammers who impersonate the IRS should be treated as evidence, not as conversations, and that I should never confirm personal details in response.
If I suspect that someone has already filed a return in my name or that my Social Security number is compromised, I should contact the IRS directly using published phone numbers or my online account, then follow the identity theft procedures they outline. The agency’s guidance on how Scammers operate notes that They often pressure victims to stay on the line or keep clicking, so breaking contact and switching to verified channels is critical. I should also alert my tax preparer, my bank, and the major credit bureaus, because coordinated action across those institutions can stop fraudulent refunds, block new accounts, and flag my file for extra verification in future tax years.
More from MorningOverview