Tax Scams Still a Threat During COVID-19 Pandemic

January 23, 2021

With the new year under way, tax season is fast approaching. And with that comes more opportunity for scammers and cyber criminals looking to con businesses and individuals. These unscrupulous actors are looking for sensitive information that can be used to steal your identity or gain access into your business’s data systems. Although we are still in the midst of the COVID-19 pandemic, the threat this tax season remains and is likely even more concerning as businesses continue to operate remotely and employees work from home on unprotected networks.

Tax Scams: Keep Your Guard Up

Typically, a scammer looking for sensitive information under the guise of the IRS will call individuals to threaten penalties, demand money for back taxes, or to confirm personal information. The IRS will never call. Nor will the IRS try to reach out to you via email, social media or other internet channels. The IRS has detailed its “Dirty Dozen” of tax scams to be on the lookout for in in 2020, which should serve as additional guidance in 2021 as well. Scammers may also attempt to email documents containing malware to employees. The scammer may state that the documents are tax transcripts or other important documents in the hopes that the employee will download the document, which will allow the scammers access to the business’s information.

Scam Emails Can Be Difficult to Distinguish From Legitimate Emails

However, scam emails can be difficult to decipher at first. Generally, the email will appear legitimate and come from someone posing as a person within a business, usually as a payroll or human resources employee. Over the course of a few quick emails, the employee may download harmful documents or volunteer sensitive information, including an employer’s identification number or employees’ W-2 forms, social security number, and other personal information.


The IRS is warning taxpayers about scams related to the recent $600 stimulus payments issued by the federal government, as well as other scams connected to the upcoming tax filing season. While the methods vary and can include text messages, emails, phone calls and social media, the schemes are designed to steal either money or personal information from victims. Most taxpayers have already received their stimulus payments via direct deposit, but fraud experts warn those who have not yet gotten their payments are particularly vulnerable to scams promising additional money or expedited delivery.

COVID-19 scams should be reported to the National Center for Disaster Fraud Hotline at 1-866-720-5721.

How to Avoid Falling for Tax Scams

One way to avoid a scammer that leads into a cyberattack on your business is to educate your employees. Ensure that all employees remain vigilant and treat emails with scrutiny. Remind your employees to never send personally identifiable information over email, even if the email appears to come from within the organization. And, in the event that someone does attempt to scam your employees, be sure that everyone knows who to contact. Encourage your employees to err on the side of caution and call for confirmation.

What to Do if a Data Breach Occurs

If a data breach does occur, be sure to understand your requirements under your state’s data breach laws. Each state may have different procedures for alerting those who’s information may be compromised. Ohio’s Data Breach Notification Law requires all businesses to promptly investigate a suspected data breach and notify potential victims within 45 days. Although a cyber criminal can cause serious harm within a matter of hours, it is important to fully comply with data breach laws to avoid fines or other penalties for failing to comply.

Taxpayers who receive unsolicited emails or attempts to obtain information via social media that appear to be from either the IRS or an organization linked to the IRS should forward the message to phishing@irs.gov. More information about scams related to COVID-19 and other financial schemes can be found by visiting IRS.gov.

To protect your business’s data or comply with laws after a data breach, or to learn more, please reach out to Cybersecurity, Data Breach & Privacy Chair Mark Rasch (mdr@kjk.com; 301.547.6925) or Tax Chair Kevin O’Connor (kto@kjk.com; 216.736.7213).

KJK publications are intended for general information purposes only and should not be construed as legal advice on any specific facts or circumstances. All articles published by KJK state the personal views of the authors. This publication may not be quoted or referred without our prior written consent. To request reprint permission for any of our publications, please use the “Contact Us” form located on this website. The mailing of our publications is not intended to create, and receipt of them does not constitute, an attorney-client relationship. The views set forth therein are the personal views of the author and do not necessarily reflect those of KJK.