Welcome to the March 2026 issue of Incognito, your monthly dive into privacy and security with DeleteMe.
This month:
- Tax scams are surging. From fake IRS calls to phishing emails impersonating tax prep services, the schemes after your personal and financial data are sharper than ever. Plus: that scam you got hit with? The person who sent it probably didn’t choose to be there.
- We’re talking about scam compounds: That scam text or call? It may be from someone trapped in a guarded compound in Southeast Asia. “What the Hack?” went deep in a two-part series on the special economic zones where trafficked workers run the scams and billions disappear each year. Part 1 and Part 2.
- Essential reading: Google expanding tools to remove sensitive personal info from search results, 300+ Chrome extensions caught leaking data and spying on millions of users, data breaches hitting record numbers while notifications grow less transparent, and Colorado proposing to shift online age verification to operating systems.
- Q&A: Any “definitive” guide on obscuring your personal information and ways to do it?
Tax Season Is Prime Time for Scammers
Every year, tax season brings a flood of scams. 2026 is no exception.
Between January and April, tax-related fraud spikes dramatically. Scammers thrive on the urgency people feel around filing deadlines, refund expectations, and fear of IRS penalties.
The “IRS” Is Probably Not Emailing You
The IRS will never contact you by email, text, or social media to request personal or financial information. If you get a message claiming to be from the IRS demanding immediate payment or threatening arrest, it’s a scam. The IRS reaches out through the mail.
Other players in your tax return are widely impersonated too. Fraudulent emails mimicking TurboTax, H&R Block, or your accountant are circulating right now. They typically include links to spoofed login pages built to steal your credentials.
What’s the scammer’s goal? Tax identity theft.
This happens when someone files a fraudulent return using your Social Security number, claiming your refund before you do. If the IRS says a return has already been submitted under your name, that’s a red flag. Protect yourself by filing early and requesting an IRS Identity Protection PIN.
Businesses are targets too. Scammers pose as company executives and email HR or payroll departments requesting employee W-2 and 1099 forms. That gives them everything they need to file fraudulent returns at scale.
And watch out for “surprise refund” messages. These are among the most popular phishing emails. They ask you to “verify your identity” by clicking a link designed to harvest your personal data.
What You Should Do
File early. The sooner you file, the smaller the window for someone to file a fraudulent return in your name.
Use multi-factor authentication. Enable MFA on all tax-related accounts, including your IRS Online Account, tax preparation software, and email.
Get an IRS Identity Protection PIN. This six-digit number, known only to you and the IRS, prevents someone else from filing a return with your Social Security number. You can sign up at irs.gov/ippin.
Go directly to websites. Never click links in emails or texts claiming to be from the IRS or a tax service. Type the URL directly into your browser.
Monitor your credit. If your Social Security number has been exposed in any breach (and statistically, it likely has), keep an eye on your credit reports for unfamiliar activity during tax season.
Report tax scams. Forward suspicious IRS-themed emails to phishing@irs.gov. Report phone scams to the Treasury Inspector General for Tax Administration at tigta.gov. And as always, report scam attempts to the FBI’s Internet Crime Complaint Center at ic3.gov.
We’d Love to Hear from You!
Have a story for our podcast? Any privacy stories you’d like to share, or topics you’d like to see in Incognito? We’d love to hear from you!
Drop a line to Laura Martisiute at laura.martisiute@joindeleteme.com. She’s keen to hear any feedback you have about this newsletter.
Recommended Reads
Our recent favorites to keep you up to date in today’s digital privacy landscape.
Google Expands Tools to Help Users Remove Sensitive Personal Information
Google expanded its “Results about you” tool, so you can now ask it to remove search results containing your sensitive personal data (e.g., government IDs) with automated monitoring that alerts you when such information appears. The company also introduced a process for reporting and removing non-consensual explicit images from Search.
300+ Chrome Extensions Leaking Data and Spying on Millions of Users
Researchers found over 300 Chrome extensions with 37+ million users that leak browsing history, steal data, or spy on users, with some linked to known spyware distributors. A separate investigation uncovered 30 extensions posing as AI tools that are part of a coordinated operation to manipulate browser content and steal Gmail data.
Record Data Breaches In 2025, But Less Transparency in Notifications
Data breaches reached a record 3,322 last year, yet 70% of breach notifications failed to disclose how the compromise happened, says the Identity Theft Resource Center. Inconsistent state laws allow for minimal detail disclosure, even though 75% of victims say they want plain-language explanations of what was exposed and how breaches happened.
Colorado Proposes Moving Age Checks to Operating Systems
Colorado’s proposed Senate Bill 26-051 would shift online age verification away from individual websites to operating system providers, which would collect users’ age information at account setup, then make that data available to app developers through an API. Critics say the approach only covers mobile app ecosystems and leaves the open web unregulated.
You Asked, We Answered
Here are some of the questions our readers asked us last month.
Q: How can I report a non-compliant data broker?
A: Great question!
If you live in a state with data broker registration laws (e.g., California, Texas, Vermont), you can report the data broker to your state’s attorney general or the relevant agency.
In California specifically, you can fill out an online complaint form with the California Privacy Protection Agency (CPPA).
Even if you live in a state without a comprehensive consumer data privacy law or any data broker registration requirement, you can still file a consumer complaint with your attorney general.
It’s also worth checking whether the broker is registered in California through the CPPA’s data broker registry. If it is, you can file a complaint with CalPrivacy regardless of where you live. If the broker is violating its obligations under the Delete Act (like failing to process opt-out requests), California’s enforcement arm may still be interested.
At the federal level, you can report a data broker to the Federal Trade Commission.
Plus, you can submit a data broker to DataBrokersWatch.org, tell Privacy Rights Clearinghouse about your experience, and report your interaction with the broker to StopDataBrokers.org.
Q: Any “definitive” guide on obscuring your personal information and ways to do it?
A: If you mean obfuscation of personal data, then Obfuscation: A User’s Guide for Privacy and Protest (MIT Press, 2015) by Finn Brunton and Helen Nissenbaum comes to mind.
The guide defines obfuscation as deliberately adding ambiguous, confusing, or misleading information to interfere with surveillance and data collection. The goal is to make real information get lost in a sea of noise.
It’s a way to fight back against information asymmetry, where data is collected about us in ways we might not understand, for reasons we don’t know, and used in ways we can’t predict.
The guide is worth reading in full and gives techniques and tools to perform obfuscation.
Some of these techniques and tools will already be familiar to longtime Incognito readers (like swapping loyalty cards with others to muddy your purchase history, or using the AdNauseam extension, which blocks every ad you’d see — and clicks on each one too).
And many others will be new (like creating dozens of fake people who share your name and basic details, giving them websites and social media accounts, and keeping them active over time).
Back to You
We’d love to hear your thoughts about all things data privacy.
Get in touch with us. We love getting emails from our readers. You can also find us on X @DeleteMe or Bluesky @joindeleteme.
Don’t forget to share! If you know someone who might enjoy learning more about data privacy, feel free to forward them this newsletter. If you’d like to subscribe to the newsletter, use this link.
That’s it for this issue of Incognito. Stay safe, and we’ll see you next month.
Don’t have the time?
DeleteMe is our premium privacy service that removes you from more than 750 data brokers like Whitepages, Spokeo, BeenVerified, plus many more.
Save 10% on DeleteMe when you use the code BLOG10.
