Tax season is the most predictable window of financial vulnerability in the year. Scammers know it, plan for it, and are ready. Here's what's actually happening right now and what to do about it.
Every year between January and April 15, something predictable happens. Millions of Americans open their laptops, pull up TurboTax or H&R Block, and spend hours entering the most sensitive information they have — Social Security numbers, bank account details, employer information, income history, dependent data. All of it, concentrated in one place, in one sitting, in a browser window.
Scammers know this. They plan their most sophisticated campaigns around it. And this year, the attacks are sharper than they've ever been.
The stakes are higher than most people realize
When you file your taxes online, the information you're entering isn't just sensitive — it's the complete package of everything someone needs to steal your identity. Your SSN alone is valuable. Combined with your income, your employer, your bank account number for your refund, and your address, it's everything an attacker needs to file a fraudulent return in your name, claim your refund before you do, open credit lines, or sell your data on dark web marketplaces.
The IRS flagged over a million tax returns for identity theft in 2023 alone. Each one represents a real person who went to file their taxes and discovered someone had already filed in their name. By the time they realized it, the fraudulent refund was gone.
What the scams actually look like right now
Tax season phishing scams take a few distinct forms, and knowing which ones are circulating matters more than generic advice to "be careful."
The most common right now is fake emails impersonating TurboTax, H&R Block, or your accountant. One in three Americans says they or someone they know has already received one of these — a message that looks exactly like a legitimate notification from a tax service, urging them to click a link and sign in. The link goes to a spoofed login page that harvests your credentials. From there, attackers can access your actual tax account, pull your filing history, and use your information however they choose.
If you're unsure whether a tax site is real, here's how to tell if a website is legit.
The IRS impersonation scam is the other major vector. An email, text, or phone call tells you that you owe back taxes, that your refund is ready to claim, or that there's a problem with your return that requires immediate action. The message is designed to create fear and urgency simultaneously — two emotions that reliably override careful thinking. Here's the one thing worth knowing about IRS impersonation: the IRS will never initiate contact with you by email, text, or social media. Ever. If you receive an unsolicited digital message claiming to be from the IRS, it is a scam, full stop. The real IRS sends written notices by mail.
There's a third variant that specifically targets small businesses: scammers pose as company executives and email HR or payroll departments requesting employee W-2 and 1099 forms. That gives them everything they need to file fraudulent returns at scale, for every employee whose information they've collected.
Why your browser is the most vulnerable point
Most people think about tax scams as an email problem — spot the fake email, don't click the link, stay safe. That's part of it. But the more dangerous moment happens inside your browser, after the click.
Platforms like TurboTax and H&R Block are browser-based. You're entering your most sensitive information into a web interface. If you've been directed to a spoofed version of that interface — one that looks identical to the real thing — you won't know until it's too late. The page will have the right logo, the right colors, the right layout. It will feel exactly like the real thing because it was built to.
This is the same structural problem we've written about in other contexts: Google's filters catch a lot but miss newly created spoofed sites, and we showed exactly how this works with a real DocuSign phishing attack.
A spoofed TurboTax login page that launched this morning has no threat history. It passes every filter. The only reliable protection is a tool that confirms you're on the real site before you type anything — not one that checks whether the site has been flagged before.
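The difference between "has this site been flagged before" and "is this provably the real site" can be shown in a few lines. This is an added example, not Haven's code or part of the original article: the trusted list contains only the sites named in this post, and the blocklist entry and all sample URLs are constructed for illustration.

```javascript
// Allowlist check vs. blocklist check for a tax-filing URL (added example).
// TRUSTED_DOMAINS holds only sites named in the article; BLOCKLIST and the
// sample URLs below are constructed.
const TRUSTED_DOMAINS = ["turbotax.com", "hrblock.com", "irs.gov"];
const BLOCKLIST = new Set(["old-flagged-phish.example"]); // stand-in for a reputation feed

// Blocklist logic: allow anything that has not been flagged before.
function passesBlocklist(rawUrl) {
  try { return !BLOCKLIST.has(new URL(rawUrl).hostname); } catch { return false; }
}

// Allowlist logic: trust only a host that is the real site or a true subdomain.
function isTrustedTaxSite(rawUrl) {
  let url;
  try {
    url = new URL(rawUrl);
  } catch {
    return false; // unparseable input is never trusted
  }
  if (url.protocol !== "https:") return false; // credentials only over TLS
  // url.hostname is lowercased, excludes any "user@" prefix, and is
  // punycode-encoded, so homoglyph names show up as "xn--..." and do not match.
  const host = url.hostname.replace(/\.$/, ""); // drop trailing root dot
  return TRUSTED_DOMAINS.some(
    (d) => host === d || host.endsWith("." + d) // exact match or dot-bounded suffix
  );
}

// Constructed sample URLs covering common lookalike patterns.
const SAMPLES = [
  "https://turbotax.com/login",
  "https://www.irs.gov/refunds",
  "https://turbotax.com.secure-signin.example/login", // real name used as a subdomain label
  "https://turbotax.com@secure-signin.example/",      // real name placed in userinfo
  "https://turbotax-refund.example/",                 // brand word in a new domain
  "https://notirs.gov/",                              // suffix match without a dot boundary
  "http://hrblock.com/",                              // right host, no TLS
];

function classify(urls) {
  return urls.map((url) => ({
    url, blocklistAllows: passesBlocklist(url), allowlistTrusts: isTrustedTaxSite(url),
  }));
}

console.table(classify(SAMPLES));
```

Every lookalike in the sample passes the blocklist check because none has been flagged yet, while the allowlist check rejects all of them.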
The practical steps that actually matter
File early. The single most effective thing you can do to protect yourself from tax identity theft is file before a scammer can file in your name. There's no sophisticated security tool involved — just timing. If your return is already filed, a fraudulent one can't be submitted using your SSN.
Go direct. When you're ready to file, don't click a link from an email to get there. Type turbotax.com or hrblock.com directly into your browser, or use a bookmark you've already saved. This eliminates the spoofed login page risk entirely. If you're ever unsure about a link, paste it into Haven's free link checker before clicking.
Know what the IRS will and won't do. The IRS will never email, text, or DM you. Any digital message claiming to be from the IRS asking for information or payment is a scam. When in doubt, go to irs.gov directly or call the number listed there.
Pause on anything urgent. "Your refund is ready — click here to claim it." "You owe back taxes — respond immediately." "Your account has been flagged." These messages are engineered to make you act before you think. The urgency is the attack. Any legitimate tax matter can wait five minutes while you verify independently.
Add browser-level protection during the filing window. Given the volume and sophistication of tax season phishing right now, this is a particularly high-risk period to be filing without it.
We built Haven specifically for moments like this — browser-level protection that confirms you're on the real site before you enter anything, catching what email filters and antivirus tools structurally can't.
Through April 15, Haven's protection covers all major tax filing platforms — TurboTax, H&R Block, the IRS website, and more — completely free. No premium plan, no credit card, no catch. Just the extra layer of protection that makes sense to have when you're about to enter your Social Security number into a browser window.
Download Haven free from the Chrome Web Store. Takes about 90 seconds to install. Your tax return is worth protecting.
