Written By
David H. Coull, Senior Systems Administrator
Tax season is one of the most active periods for cybercriminals. With the rise of artificial intelligence, fraudulent communications have become increasingly sophisticated and difficult to detect. While the tactics hackers use continue to evolve, the underlying strategies remain consistent. Understanding these methods is your first line of defense.
Common Tactics Used by Cybercriminals
- Urgency and Fear: Hackers create a sense of panic to pressure you into acting before you think. A typical example: “Click NOW to pay your taxes or the IRS will issue a warrant for your arrest on back taxes.” Legitimate government agencies and financial institutions will never demand immediate action through unsolicited emails or calls.
- Click Bait and Greed Lures: Fraudsters exploit the allure of financial gain to entice clicks. Messages such as “You have an unclaimed tax refund, retrieve your money now” are designed to bypass skepticism. If an offer sounds too good to be true, it almost certainly is.
- Fear of Missing Out (FOMO): Similar to click bait, these scams use artificial time pressure, countdown timers, limited availability warnings, or expiring offers, to rush you into a decision without proper verification. Example: “Only 1 spot remaining. This offer expires in 5 minutes.”
- Social Engineering: Cybercriminals mine publicly available information from social media profiles to craft highly personalized and convincing attacks. The more detail a message contains about you, the more legitimate it can appear, making it even more dangerous. Be mindful of what personal information you share publicly online.
How to Identify a Suspicious Email
- Spoofed Email Addresses: The sender’s display name may appear familiar, a friend, the IRS, or a financial institution, but the actual email address is fraudulent. Always hover over the sender’s name to reveal the true address. Look for subtle variations: a single character swap, an added word, or a lookalike domain (e.g., sendero-info.com and sender.com).
- Deceptive Content: Before AI, misspelled words and poor grammar were reliable red flags. Today, AI-generated phishing emails can be grammatically flawless and highly personalized. Instead, focus on the intent of the message: Is it creating urgency? Requesting sensitive information? Referencing personal details about you? These remain the defining characteristics of fraudulent communication.
Suspicious Links and Attachments
- Do not click links or open attachments you were not expecting. If you believe a message may be legitimate, verify by calling or texting the sender directly using contact information you have independently verified. Do not reply to the email, as the reply may not reach the intended recipient.
- Hover over any link to preview the destination URL before clicking. Be especially cautious of shortened URLs (e.g., bit.ly/xxxxx), which obscure the true destination.
- If you click a link and are prompted to enter credentials, close the page immediately. Unsolicited links should never require you to log in. Instead, navigate directly to the organization’s official website.
- For financial services in particular: never use a link from an email. It is a best practice to access your accounts by typing the institution’s address directly into your browser. If you remain uncertain, call the organization using the phone number listed on their official website, not any number provided in the email.
Essential Security Practices
- Enable Two-Factor Authentication (2FA): Activate 2FA on all accounts, with priority given to financial and email services. While text-based authentication is better than nothing, an authenticator app provides a higher level of security. Many services offer their own dedicated app or recommend a trusted third-party option.
- Important: Never share your 2FA code with anyone. No legitimate company — including tech support — should ever ask for it.
- Use a Password Manager: Never reuse passwords across different services. If a hacker obtains your credentials from one compromised site, they will attempt to use them through banking, email, and other accounts. A password manager generates and securely stores unique, complex passwords for use across all of your services.
- Enroll in Credit and Identity Theft Protection: Identity protection services continuously monitor your personal information across the web and alert you to any suspicious activity or unauthorized use of your data. These services can provide an important early-warning system against identity theft.
- Enable Financial Account Alerts: Most financial institutions offer transaction and account-change notifications. Enable these alerts and install your institution’s mobile app so you can quickly freeze or disable a card if it is lost or stolen.
Additional Security Tips
- Set up account notifications: Enable alerts on all financial accounts for withdrawals, transfers, and account changes to detect unauthorized activity as quickly as possible.
- Do not allow unsolicited remote access to your computer: If you receive an unexpected call claiming your device has sent alerts and requires repair, hang up. This is a common tactic scammers use to gain full control of your system and the data on it.
- If you suspect your system has been compromised, turn it off immediately: Do not attempt to use it further. Consult a reputable technology professional for inspection. A compromised device may contain keylogging software, screen recording tools, or spyware that continues transmitting your data to criminals as long as the system remains on.
- If your email account has been hacked:
- Change your password immediately and enable 2FA.
- Review your account settings for unauthorized changes, such as email forwarding rules or altered recovery information.
- Notify your financial institutions right away. Change all associated passwords and verify that 2FA is active on every account.
Staying informed is one of the most powerful tools you have against cybercrime. When in doubt, slow down, verify independently, and trust your instincts.
Disclaimer: The content in this article is provided for informational purposes only and should not be relied upon as cybersecurity safety advice and does not constitute legal, tax or financial advice. Sendero does not guarantee safety against cybersecurity threats. Please seek personalized advice from qualified professionals based on their specific circumstances.
