Skip to main content

Beware: new IRS rules will lead a wave of phishing frauds

By February 27, 2022No Comments

(This article originally appeared in The Guardian)

Thanks to new legislation that went into place at the beginning of this year, I predict that a lot of unsuspecting small business owners are about to fall victim to a fresh scam.

The scam will relate to legislation around new tax reporting rules that will affect millions of freelancers and small businesses. As I explained in an earlier column, beginning for the 2022 tax year, if you receive more than $600 in total payments during the course of the year from a payment service like PayPal, Venmo (which is owned by PayPal), Square, Stripe or online sales of your products made through Amazon, Etsy and other marketplaces — regardless of how many customers are paying — that payment service is required to report that amount to the IRS and to you by sending a Form 1099-K — used for reporting payments via these third parties — in early 2023.

You may think this is a headache, but it’s nothing compared with the headache now faced by these payment providers. They now have an enormous new tax reporting requirement. Unfortunately, these providers probably don’t have all the information they need about all the businesses they serve in order to properly file these forms, and if they don’t get that information, the rules say that they’re required to withhold 24% of the payment and remit to the IRS. They don’t want to do that and small businesses don’t want this to happen either. So they will soon be reaching out to their customers for more information. Already, they’re laying the tracks.

“You may notice that in the coming months we will ask you for your tax information, like a Social Security Number or Tax ID, if you haven’t provided it to us already, in order to continue using your account to accept payments for the sale of goods and services transactions and to ensure there aren’t any issues when these changes take effect in 2022,” PayPal said in a statement. “This helps us meet our obligations to the IRS and ensures that you will be able to continue using your account and access PayPal and Venmo features and services.”

Enter the scammers.

Starting mid-year, I predict, millions of individuals and small businesses will be receiving requests from payment services they used asking to provide or update their personal information — including their social security and tax identification numbers — so that those services can comply with the new 1099 rules. They’ll come by email mostly, although some will be by text.

Unfortunately, a scammer can also send a fake text or email — or millions of fake texts and emails — to small businesses that look genuine but surreptitiously divert you to a fake website that not only collects your most personal data but also can download malware into your network to be used for future attacks and mischief. These are called “phishing” scams. You’ve heard of this.

Hopefully, your payment vendor has received this information from your business already. And if your business is set up to receive remittances from a payment service provider then it’s likely that the payment service provider has a direct portal on its website for you to update your company’s 1099 information. Stripe, for example, offers detailed guidance for doing this. So do PayPal, Apple, Square and Cash App.

But some people aren’t going to do this. And although the IRS provides guidance for avoiding scams during tax season and throughout the year, the agency isn’t able to help a small business owner if they fall victim to someone who is pretending to be a payment service like PayPal, Venmo, Stripe, Square, and all the other companies that — at least as far as I can tell — aren’t doing a whole lot right now to warn their customers of these potential scams.

So please — be careful. Take a few minutes to visit every one of your payment service providers’ websites and update your 1099 information. Train your financial employees that may be receiving email requests to know what to look for. If you’re not sure of a sender, then ignore the email. Report any suspicious requests directly to the payment service provider. If you are submitting information, make sure you’re doing it directly on the payment provider’s website and avoid clicking on any links in an email. Otherwise you’ll be opening yourself up to serious problems.

By mid-year I predict you’ll be hearing a lot more about this scam. Start paying attention now.

Skip to content