My husband works in the finance industry. One of his clients, a small business owner, asked for their assistance in getting some records for the IRS. He said that he was being targeted for an audit by the IRS and that they needed a 2016 report for all his employees, so that they could cross reference it against their individual tax returns.
Luckily my husband’s assistant is a skeptical person and asked a lot of questions. Turns out that the business owner had gotten the initial demand via email, and that the “letter” was a .pdf attachment. Hmmm. But the document looked completely legit and in fact used the name of a real IRS auditor (which he verified somehow). What was off is that the address to send it was in a different font that the rest of the letter, and it appeared that white out had been used where the business owner’s name was listed. After some more digging, he was able to confirm that it was a phishing attempt.
How scary is that? A small business owner was this close to mailing off all of his employee’s data to a scammer, including names, addresses, SSN, income and taxes paid. And it also shows that no matter how vigilant we are about protecting our information, it’s most often a third party that ruins it.
Sadly, after the Anthem attack, my identity was stolen, and now I pay for Identity Theft protection. But with all the hacks out there, I fear that it’s just a matter of time before it happens again.
ETA: It’s probably not a NEW scam, but it’s the first time I’ve heard of it.