Incognito — March 2025: Tax Related Scams

Welcome to the March 2025 issue of Incognito, the monthly newsletter from DeleteMe that keeps you posted on all things privacy and security.

Here’s what we’re talking about this month: 

• Tax-related scams. They’re particularly common this time of year. Here’s what to look out for. 
• Recommended reads, including “DOJ to Appeal Ruling That Bans Broad Cell Tower Searches.”
• Q&A: Do cars have privacy policies?

It’s Tax Scam Warning Season

Every year, around this time, you’re likely to start seeing warnings about tax scams. 

And for good reason. Nearly half (48%) of people say they’ve received a fake IRS message via email, text, phone, or social media. 

We always pay attention to the IRS’s annual “Dirty Dozen” list, which lists the kinds of tax scams and fraud attempts that taxpayers can expect to encounter right now. 

Here are a few highlights from this year’s list:

• Phishing scams are still popular. These scams use messages that appear to come from the IRS to trick people into giving out personal or financial information. 
• Fake IRS account help. Scammers pretending to be “helpful” third parties to assist in setting up an IRS Individual Online Account, even though the IRS provides all necessary sign-up information on its website. Their goal? To steal your personal data and file fraudulent tax returns in your name.
• Tax pros under attack. Criminals are targeting tax professionals through “new client” scams and spear phishing. Scammers pose as potential new clients and send fraudulent emails. Once the tax professional responds, the scammer follows up with a malicious attachment or URL, which can compromise computer systems and allow unauthorized access to sensitive client information.

Good to know. Scams pretending to be tax preparation services have also become scarily common. 33% of people now say they or someone they know was targeted with a fake text/email from a tax preparation service, such as TurboTax or H&R Block, urging them to click on a link and log in.

Real-life example: The IRS subreddit is a great place to see what tax scams are going around, like this scam text. Notice how the text was sent from the email address qiaocouxi1975chehaohuan_xieyedao@hotmail.com (big red flag). 

Were you targeted with fake “IRS” communications? You can report them by following the instructions on this page. 

What’s New In Tax Fraud? 

Artificial intelligence (AI).

We’re seeing real-life reports of criminals using AI to pull off voice scams that impersonate either tax professionals or IRS agents. 

• Good to know: The IRS will always mail a letter or notice before calling or emailing you. If you didn’t get a letter from the IRS, the call/email/text “from the IRS” is fake. 

At a more basic level, AI helps scammers during tax season by:

1. Making it quicker and easier to find your personal information (email address, employment status, etc.). 
2. Writing more convincing (e.g., perfect grammar and spelling) phishing texts, emails, etc. 

In a recent Harvard study, AI-powered tools gathered accurate and useful information about phishing targets in 88% of cases. 

Also: Depending on where you live and your situation, you may be targeted with property tax scams. Here, scammers go after individuals dealing with financial stress, attempting to trick them into signing over their property, making payments to fake government representatives, etc.

Don’t Let Them Steal Your Identity 

Tax season also provides a window of opportunity for identity thieves. 

In 2023, the IRS flagged 1+ million tax returns for identity theft. Each of those flagged returns potentially represents a taxpayer’s identity that criminals tried to use for a fake refund. 

Since many people wait until closer to the deadline to file their taxes, scammers can file fraudulent tax returns first and claim refunds, which are often processed quickly by the IRS. This allows them to receive money before you – the legitimate taxpayer – even file your return.

Victims often discover they have been targeted only when they receive a notice from the IRS saying there’s been a problem with their return, such as a duplicate filing. 

Identity theft resolution is slow. Victims wait an average of 18+ months for the full resolution of their tax accounts​. 

“One easy IRS trick.” Get an IP PIN, a unique code that prevents others from filing using your name and Social Security number. You can do this through your online IRS account in just a few minutes. 

How to Protect Yourself 

File early. The IRS started accepting returns in January; filing as soon as possible reduces the window in which a scammer could file a fake return in your name​. 

Get an IRS Identity Protection PIN. The IRS offers an Identity Protection PIN (IP PIN) to all taxpayers who verify their identity. This is a special 6-digit code, known only to you and the IRS, that must be included on your tax return to validate your identity​. If an identity thief files a return using your SSN without your IP PIN, the IRS will reject it. You can obtain an IP PIN via the IRS website after a thorough verification process. Once you have one, keep it secret (the IRS will never call or email to ask for it). 

Secure your online tax accounts. If you use commercial tax software or have an IRS online account, protect it with a strong password and multi-factor authentication. 

Expect phishing emails, texts, and calls. You’ll likely get at least one fake email/text/etc. from the “IRS.” But remember: the IRS will never initiate contact by email, text, or social media DM to ask for personal or financial information​. The real IRS will always send you written notices by mail first if there’s an issue and will allow you to appeal or question any amount due. When in doubt, hang up or ignore the message, then contact the IRS directly. 

Use trusted tax preparers and services. If you pay someone to do your taxes, vet them carefully. Verify that your tax preparer has a valid PTIN (Preparer Tax Identification Number) and professional credentials. Beware of “too-good-to-be-true” promises.

Protect your personal data and documents. Keep your Social Security card, past tax returns, and W-2/1099 forms in a secure place and shred old tax documents before discarding them​. Be mindful of what you share on social media (don’t post images of tax forms or reveal info like your birth date, mother’s maiden name, or financial details that scammers could use to impersonate you) and opt out of data brokers and people search sites that expose your personal data.

Watch out for red flags. These include rejected tax return filings (implying someone has beat you to it already), unexpected IRS notices (e.g., a letter about unreported income from an employer you never worked for), verification letters from the IRS asking you to verify your identity (can happen if their filters flag a suspicious return), and bills or refunds you’re not expecting. 

Monitor your credit report. Sometimes, tax identity theft is detected outside of IRS channels. If someone uses your SSN for fraud, it might show up as a sudden change on your credit report (e.g., new inquiries or accounts you don’t recognize around tax season). Monitor your credit reports during and after tax season for any signs of identity theft. Additionally, if you have an IRS online account, check periodically for any strange activity, like records of a return you didn’t file or a notice that an address or bank account was changed.

Report it. If your identity was stolen, report this through the FTC’s IdentityTheft.gov website. This online portal will guide you through creating an FTC Identity Theft Report and an IRS Identity Theft Affidavit (Form 14039) in one streamlined process​. The IRS Identity Theft Affidavit alerts the IRS that your SSN was misused and triggers their identity theft assistance for your account. You can also call the IRS Identity Protection Specialized Unit at 800-908-4490 for help. 

We’d Love to Hear Your Privacy Stories, Advice and Requests

Do you have any privacy stories you’d like to share or ideas on what you’d like to see in Incognito going forward? 

Don’t keep them private!

We’d really love to hear from you this year. Drop me a line at laura.martisiute@joindeleteme.com.  

I’m also keen to hear any feedback you have about this newsletter.

Recommended Reads

Our recent favorites to keep you up to date in today’s digital privacy landscape. 

DOJ to Appeal Ruling That Bans Broad Cell Tower Searches

The Department of Justice is set to appeal a ruling deeming broad cell tower searches unconstitutional. U.S. Magistrate Judge Andrew Harris said “tower dumps” let law enforcement access all nearby device data without probable cause, akin to searching an entire haystack for a needle. Also: The EFF has released a new tool to detect cellular spying.

Fake LinkedIn Emails Deliver Malware, Warn Researchers

Cybercriminals are spoofing LinkedIn InMail notification emails to distribute malware. The phishing emails, which use an outdated LinkedIn template and fake sender details, include red flags like non-existent companies and mismatched profile images. Despite failing key email authentication checks, misconfigured security settings let these emails slip past filters. 

Major Background Check Firm Breached, Exposes Data of 3.3M People

DISA Global Solutions, a background check provider for over 55,000 companies (including many Fortune 500 firms), suffered a breach last spring that exposed sensitive records – including Social Security numbers and financial details – of over 3.3 million individuals. Experts say this incident shows background check firms are prime cyberattack targets.

California Targets Data Broker with $46K Fine Over Massive SSN Breach

California’s privacy regulator is seeking a $46,000 fine against Florida-based data broker National Public Data for failing to register as a database broker. The fine comes following a massive breach in April 2024. The breach compromised hundreds of millions of Social Security numbers and other personal data, affecting around 270 million individuals. 

You Asked, We Answered

Here are some of the questions our readers asked us last month.

Q: Do automobiles have privacy policies?

A: Good question.

Cars and other personal automobiles don’t have privacy policies as individual products.

The companies that make them and provide software and services for them do have privacy policies that cover all of the products, including the vehicle you drive. 

However, if you know something about privacy policies (or are a long-time reader of Incognito), you probably know that most of them are not easy reads (plus, some car brands might have several policies). 

If you’re curious to see what kind of data your car or truck collects about you, the easiest thing to do is check out Mozilla’s *Privacy Not Included section on cars. They recently reviewed 25 car brands. 

Spoiler alert: Prepare to be disappointed. Automotive brands do not respect your privacy. 

The Electronic Frontier Foundation also has useful information on how to see what kind of information your vehicle has on you. For example, you can file a privacy request with your car maker (the EFF has links going to major car brands’ privacy request pages). 

Q: Why did my spouse and I get different prices when trying to buy the same app for our phones? Is it price discrimination? 

A: It could be some kind of innocent variable or a temporary pricing change from the app developer. Or it could be price discrimination or price personalization. 

Most people have heard of price discrimination – a pricing strategy where a seller charges different prices to different groups of consumers for the same product/service. For example, Capital One reportedly offered different loan terms depending on the web browser used by potential customers.

Price personalization is similar, except prices are tailored to individuals based on their unique data profiles, behaviors, preferences, and purchasing history. 

Research from a few years ago from the Mozilla Foundation and Consumers International revealed that price personalization is definitely happening. 

For example, the dating app Tinder charges different users different prices. 

Though user age was a significant factor (in most countries where the experiment took place, 30-49 year-olds were charged on average 65.3% more than 18-29 year-olds) in pricing, researchers said that “Tinder’s price-setting mechanism is complex, drawing on age and other unknown factor/s.”

But, as the research report on personalized pricing points out, there’s still limited research on the extent to which personalized pricing is used. Also, it’s not always bad. The report is definitely worth a read. 

Back to You

We’d love to hear your thoughts about all things data privacy.

Get in touch with us. We love getting emails from our readers (or tweet us @DeleteMe).

Don’t forget to share! If you know someone who might enjoy learning more about data privacy, feel free to forward them this newsletter. If you’d like to subscribe to the newsletter, use this link.

Let us know. Are there any specific data privacy topics you’d like us to explore in the upcoming issues of Incognito? 

That’s it for this issue of Incognito. Stay safe, and we’ll see you in your inbox next month.