Newsletter Phishing Social Engineering Taxes

Keep Your Information Secure This Tax Season

Tax season is here again, and as always, that means internet scammers are looking for openings to take advantage of heightened online traffic. According to IRS Commissioner Chuck Rettig, “This is generally the hunting season for online thieves, but this year there’s a dangerous combination of factors at play that should make people more alert” (IR-2020-265). These factors include trends of increased online shopping and remote work and uncertainties surrounding tax filing and COVID stimulus payments. Specifically, the Federal Bureau of Investigation has issued warnings about scams related to taxes, antibody testing, healthcare fraud, and cryptocurrency. Capitalizing on upheavals and uncertainties, criminal opportunists use social engineering strategies (i.e., manipulation strategies that rely on fear, uncertainty, and other emotions) to trick their victims into hastily offering up personal information such as passwords, bank account numbers, credit card numbers, or social security numbers. Please be aware that “the IRS will not call, text or email about your Economic Impact Payment or your tax refund. Nor will the IRS call with threats of jail or lawsuits over unpaid taxes. Those are scams” (IR-2020-265).

As you prepare for the tax-filing deadline, please remain vigilant against attackers who will likely be more active than usual during tax season. Protect yourself from phishing attempts and other cybercrimes by following the recommendations below.

  • Be Tough 

Cybercriminals will attempt to manipulate victims using social engineering. They may try to induce panic in their victim by making threats of lawsuits or jail time, or they may try to impersonate a trusted individual to make their claims more believable. Don’t fall for it! Stay calm and skeptical. Be sure to verify the authenticity of the request by contacting the individual or institution directly through a known channel (e.g., call the IRS by finding publicly available contact information at; contact your dean or other leadership directly at the office phone number listed in the directory).

  • Don’t Click

Don’t download software from popups, emailed links, or emailed attachments. If an email seems suspicious, delete it and notify our office at 

  • Stay Up to Date 

Use security software on your devices and keep all software up to date. Software updates often include critical security patches. 

  • Lock it Down

Use strong and unique passwords for every online account and consider using a password manager. 

  • Bolster Security with Multifactor Authentication 

Use multifactor authentication whenever possible. Once you’ve activated multifactor authentication on your account, login attempts on new/unknown devices will face an authorization check (i.e., an approval request or a one-time use code) from your smartphone or another registered device. Without your approval or the one-time use code, a password thief can’t get into your account.

  • Keep Criminals Guessing

Regularly update your passwords. Update compromised passwords immediately. 

  • Protect Your Private Information 

Never give out your passwords, credit card information, Social Security number, or other private information through email or other potentially insecure channels. If it seems like an unusual or risky request, it probably is.  

  • Be Careful on Public Wi-Fi 

Cybercriminals can eavesdrop on your online activity on unsecured Wi-Fi networks, so avoid shopping or transferring sensitive personal information on unsecured public networks (e.g., at the mall or coffee shop, when no password is required to get on the network).

  • Button Up Your Home Network

Secure your home Wi-Fi with a password. Securing your home Wi-Fi becomes more and more important as you add devices to your network (e.g., a wireless printer, smart locks, wireless thermometer), as each device can be an access point for cybercriminals. 

  • Use Secure Websites

Always check if you are on a secure website before giving out private information. You can determine whether a website is secure by looking for the “https://” rather than just “http://” in the Web address bar or for the small lock icon in the Internet browser.

Unfortunately, some criminals can also use SSL certificates to produce fake websites that include ‘https’ and the lock icon in your browser. You should NEVER transmit any critical information via a website without ‘https’ and the lock icon, but that does not mean that you can trust every site that does have ‘https’ and the lock icon. Any site requesting important information should be vetted for authenticity, even when the ‘https’ and the lock icon are present.

  • Pay Attention to Security Prompts

If your browser cannot validate the authenticity of the website’s security certificate, you will be prompted. This is frequently a telltale sign of fraud, and it would be an excellent time to pick up the phone or report a suspicious message.

  • Keep Track of Your Data

Regularly log onto your online accounts and check your credit report to verify that the reported transactions are legitimate. 

  • Backup Your Data 

Backup files on your computer and mobile phone using a password-protected cloud service or an external hard-drive so that you can recover important data.

  • Follow IRS Consumer Alerts 

You can find additional information about avoiding tax-related scams on the IRS Consumer Alerts page:

  • Stay in the Know

Visit the Information Security Office Alerts page often and follow us on Twitter to get the latest WashU Information Security Alerts.

Please exercise extreme caution with emails requesting personal information. Refrain from opening attachments or following links in emails purporting to be tax-related. If you think you have received a phishing message, please forward the message to immediately, and our experts will evaluate its authenticity. For general information security questions and concerns, please email us at

Thank you for all that you do to help keep our institution secure.