How to Spot Scams That Mimic the IRS or Charities

Fraud is a year-round activity, but tax season brings an uptick in calculated schemes to steal money and personal information through spoofed messages and other means. Cybersecurity firms have also reported an increase in fraud attempts that exploit the conflict in Ukraine — a situation that has increased fears of potential cyberattacks on American companies through ransomware and other malicious software. You can better protect yourself if you know what’s out there. Here’s a guide.

Avoid the Tax Scam

The Internal Revenue Service doesn’t make first contact with taxpayers by email, text messages or social media channels to request personal and financial information — including bank-account or credit-card numbers, passwords or PIN codes. Messages asking for that information are deceptive “phishing” attempts to steal money and identities.

If the I.R.S. needs your attention, it starts with a notice by regular mail via the United States Postal Service in most cases.

The I.R.S. will not send unexpected messages about auditing returns, sending stimulus payments, collecting your taxes or “canceling your Social Security number.” An I.R.S. representative may call or visit when a taxpayer has an overdue bill or has other tax-related issues. But even then, written notification is typically sent first, according to the agency.

An obviously spoofed sender line is just one of many clues that this email is not from the Internal Revenue Service, which is frequently impersonated by fraudsters in Covid-relief and spring tax-filing scams.Credit…no

Scam telephone calls and voice messages using spoofed agency numbers and forged I.R.S. agent identification are common. Again, the agency typically first sends a notice by mail. It does not call unexpectedly to discuss tax refunds, threaten arrest by local law enforcement or demand immediate payment in a specific form. Tax bills are paid to the U.S. Treasury and not directly to “agents” requiring funds in iTunes or Amazon gift cards, prepaid debit cards, electronic cash or wire transfer.

The Tax Scams/Consumer Alerts page on the official site has a lengthy list of current and classic scams. And the site has a guide for verifying real I.R.S. agents and identifying legitimate debt collectors.

Donate Wisely

Opportunistic scammers are quick to take advantage of natural disasters and humanitarian crises, including the Covid-19 pandemic and the war in Ukraine. Be leery of messages from unfamiliar organizations requesting donations by credit card or cryptocurrency — or purporting to be from refugees or members of the military. Crowdfunding campaigns should be avoided or heavily scrutinized unless you know the organizer.

Most browsers have a setting to warn you about malicious websites, but always research the charities you’re considering. Google Chrome, shown here, has an “enhanced” browsing-safety option.Credit…Google

If you want to donate but aren’t sure where, assessment sites like CharityWatch and Charity Navigator have guides for where your contribution can help the most. The Opinion section of The New York Times has suggestions for humanitarian aid in Ukraine — including Direct Relief, Mercy Corps, International Medical Corps and Save the Children.

And when you do find a preferred charity’s site, check the URL carefully. Scammers use “typosquatting” (registering a purposely misspelled domain name close to a legitimate site’s address) in the hope that bad typists will inadvertently land on their malicious pages.

Report a Scam Attempt

If you get unsolicited email pretending to be from the I.R.S., you can report it by forwarding the message to [email protected] The Treasury Inspector General for Tax Administration has a hotline to report tax-related fraud attempts at 800-366-4484; the department has a portal page for complaints.

Gmail, shown here, and Outlook include menu options for quickly reporting (and eventually blocking) spam and phishing messages.Credit…Google

You can make a general fraud report on the Federal Trade Commission’s site.

Gmail and include menus to report phishing attempts, while Yahoo has a form to fill out.

Be warned, though: If you get taken in by a scam involving a Zelle money transfer, your bank may not back you up if you authorized the transaction.

Be Wary

As the Federal Trade Commission notes, the common signs of a scam usually include someone who impersonates a familiar organization and tells you there’s a problem (or, sometimes, a prize). The scammer pressures you to act immediately and demands payment in a specific way.

Most fraud attempts are easy to spot. Typo-laden messages, impersonal “official correspondence” from Gmail and Yahoo accounts, and voice mail messages left in robotic computer speech are instant red flags. Fake invoices and forged PayPal notices remain popular phishing lures.

You can avoid many phishing lures by fine-tuning your mail program’s junk filters and blocking unwanted calls and text senders. Let unknown callers go to voice mail. Wirecutter, a Times-owned site, has a guide to fighting spam calls.

Make sure your browser is set to block pop-up messages and warn about malicious sites. Don’t install apps from unknown developers, and keep antivirus software enabled on your computer. If spam gets through, don’t call the number and don’t open the attachment — it’s likely to be malware. If you have concerns about an account, open your browser and go to the company’s website, avoiding links in messages.

If you don’t already block unknown callers, voice mail systems that can transcribe messages (like the iPhone, shown here, and Google Voice) give you the option to skip the call and check for spam (and scams) later.Credit…Apple

The Consumer Financial Protection Bureau’s site has detailed page on frauds and scams currently going around. And even if you’ve been practicing safe computing for years, you probably have a friend or relative who isn’t as tech savvy — and could use your help.