The Internal Revenue Service (IRS) warned Americans of an exponential rise in IRS-themed text message phishing attacks trying to steal their financial and personal information in the last few weeks. “So far in 2022, the IRS has identified and reported thousands of fraudulent domains tied to multiple MMS/SMS/text scams (known as smishing) targeting taxpayers,” the IRS warned. Such scam texts redirect U.S. taxpayers to phishing landing pages designed to collect sensitive information using various baits (e.g., unpaid bills, bank account problems, or law enforcement actions). For instance, the sender of phishing text messages can be spoofed to make it appear that they’re someone the targets are more likely to trust, such as U.S. government agencies like the IRS. Some of the most convincing and devious lures in SMS phishing are links that send the targets to pages impersonating bank sites and ask to verify a purchase or unlock frozen credit cards. While some of the attackers behind these phishing campaigns focus on stealing payment details, others are not picky and will be happy to harvest any personal info they can get to use in various other scams or to sell to others. “This is phishing on an industrial scale so thousands of people can be at risk of receiving these scam messages,” said IRS Commissioner Chuck Rettig. “In recent months, the IRS has reported multiple large-scale smishing campaigns that have delivered thousands – and even hundreds of thousands – of IRS-themed messages in hours or a few days, far exceeding previous levels of activity.”
Analyst Notes
The FCC shared the following list of measures to help defend against SMS phishing attacks: Do not respond to texts from unknown numbers or any others that appear suspicious, never share sensitive personal or financial information by text, be on the lookout for misspellings or texts that originate with an email address, think twice before clicking any links in a text message. If a friend sends a text with a suspicious link that seems out of character, call them to ensure they weren’t hacked; if a business sends an unexpected text, look up their number online and call them back; remember that government agencies almost never initiate contact by phone or text.
It is recommended that anyone who has fallen victim to an IRS-themed texting scam should report it to the IRS by emailing the sender’s information and the message body to [email protected].
