Tips & Advice

3 security pitfalls to beware of this tax season

Jennifer McEwen 15 Feb 2021

Tips for filing your taxes safely and securely

The time of the year that we know and love has rolled around again — it’s tax season. In addition to the headaches that come along with filing one’s taxes, there are a number of security risks that some taxpayers might not be aware of.

The truth is that the materials and processes required for filing taxes are opportune for cybercriminals, as they leave room distributing niche, tax-related scams. Here are three examples of these scams and security risks, plus ways to avoid them while you file your taxes this year.

1. Ghost tax preparers

A ghost tax preparer is someone who will prepare your taxes, but refuse to sign the return. By law, anyone who is paid to prepare or assists in preparing federal tax returns must sign and include their preparer’s tax identification number (PTIN). Instead, ghost tax preparers will print the return and get the taxpayer to sign and mail it, or they will refuse to digitally sign e-filed returns, often because they don’t want to be responsible for the consequences. This unethical practice exposes you to a frightening array of problems. And should those problems lead to an audit, the ghost tax preparer is long gone, leaving you, the taxpayer, to brave it on your own.

How to avoid being scammed

It’s important to remember that ultimately you are responsible for all the information on your tax return, no matter who prepares it. So make sure you choose your preparer wisely. 

  • Check the preparer’s qualifications. You can search the IRS directory to find preparers with credentials and qualifications recognized by the IRS. 

  • Review before signing. Always review the tax return before your tax preparer signs and files. If it checks out, make sure the preparer signs and includes their PTIN.

  • Never sign a blank return. If your tax preparer asks you to sign the return they’ve prepared, run for the hills. But first, report them to the IRS.

  • E-file. Filing your return electronically is the fastest way to get your refund if you have one due. To ensure that you get your tax filing done safely and securely, we recommend checking out TurboTax. TurboTax provides a team of tax experts that are guaranteed to help you get your maximum tax refund.

2. W-2 phishing scams

Phishing is a tactic cyber criminals use to trick you into giving them your sensitive information such as usernames, passwords or credit card numbers by impersonating a trustworthy and reputable company or individual. 

In a W-2 phishing campaign, attackers pose as someone high up in a company or organization, like the CEO, executive, or school principal. They then send emails to employees asking for copies of W-2 forms, which include all the personal information you need to file a tax return. Many of these phishing emails start with a friendly greeting before getting to the request, putting employees at ease before asking for the forms.

How to avoid being scammed

Don’t respond to emails, calls, or texts asking for your information. If you work for a company, never send W-2 or other tax information electronically without first verifying with your boss in person or on the phone that they actually sent the request in the first place. While it might seem like more of a hassle, it’s worth taking the extra precaution, as the likelihood of this type of attack increases during tax season.

3. IRS phishing scams

In an IRS phishing attack, the recipient will typically receive an “urgent” email claiming to be from the IRS with instructions to follow a link and fill out a form. There are many tactics to entice the receiver to click, such as:

  • The IRS needs you to update your online profile
  • You qualify for a refund
  • A notice that your credit card was fraudulently used, but you can recover some of the money
  • You’re due a large sum of lottery money, tax refund, or inheritance

In both phishing cases, look out for generic greetings (instead of your name), poor grammar or typos, conflicting web addresses, and web addresses for known businesses that are slightly off.

How to avoid being scammed

Don’t click, download or reply.  As a rule of thumb, don’t click on links in emails from the IRS. That’s because the real IRS doesn’t initiate contact with Americans via email, text, or social media.

Avast Secure Browser’s Anti-Phishing solution in the desktop browser is the first line of defense against malicious threats when browsing the internet. Our new technology outperforms other anti-phishing modules in other browsers.

This new technology leverages Avast’s best-in-class threat detection by keeping you safe by preventing access to phishing and other malicious webpages as well as downloads. We make sure that the visited website is not malicious and check if it's legitimate. On top of that, you can open Bank Mode to ensure you have even a safer connection as it will make a virtual desktop to protect you against injection of malicious scripts, keystroke logging, and screenshot attempts by third-party apps.


Further reading: A tale of two phishes: coronavirus safety and W-9 forms


Bonus tips

Use a VPN on public Wi-Fi: Keep all your data as private as possible by using a virtual private network (VPN), like the one built into Avast Secure Browserespecially if you’re connecting to a public Wi-Fi on your mobile device. A VPN encrypts all of your internet traffic, ensuring that no one (like thieves trying to steal your tax information) can see the personal information you’re sending online. Want to use a VPN on more than just your mobile browser? Avast SecureLine VPN is your solution!  

Make sure the website you’re visiting uses SSL (Secure Sockets Layer) encryption: The URL will begin with https, not http. That means the site is encrypted and secure.

Update your software: Don’t ignore software updates. Make sure all your devices and the software on them are up-to-date and protected against threats. Software updates often contain “patches” that correct security holes the company has detected. As a result, outdated software leaves you open to attack.

Use strong passwords: Keep your own security as tight as possible with strong passwords that are each unique to their own accounts. Additionally, use multi-factor authentication whenever possible. This combination of strong password and multi-factor authentication is like using a lock and a deadbolt: They’re effective on their own, but you’re much safer with both than with one.