Skip to content

Digital security tip

You can’t avoid tax scams, but you can defend against them

Chris Stucker, associate director, Identity & Access Management

Chris Stucker, associate director, Identity & Access Management

If Benjamin Franklin could give us advice today, he might tell us that nothing is certain except death, taxes, and phishing. At this time of the year, the latter two are not only unavoidable, they also often converge.

That’s right, tax season is here again and so are tax scams. Criminals use tax season as an opportunity to phish us in emails, to socially engineer us in other mediums, and to steal our identities in a variety of ways. These scams typically create a sense of urgency and an impulse to act, such as opening a link or installing software.

Remember, the IRS publishes clear guidelines about how it will and will not contact you. Familiarize yourself with how the IRS notifies taxpayers so that when a scammer contacts you through a different method, you can confidently ignore the scare tactics and keep yourself safe. Criminals steal millions of identities every year in tax-season scams — don’t become a part of that statistic.

Tax scams aren’t the only scams around. Criminals will use any piece of news, any current event, or anything that generates conversation to scam people. For example, soliciting support for Ukraine is a popular ploy right now. If you choose to donate, do it through verified organizations, and visit their websites manually in your browser. Don’t open invitations that show up in email, texts, or social media.

Pretend you’re a scammer for a moment. Think of what’s going on today. How would you take advantage of current events and topics to get someone to open a link or provide personal information? What would make you download a file? This exercise will help you to anticipate the ways that criminals might attack you and to stay safe from cyberthreats.

While Franklin might be accurate that phishing is unavoidable, it is possible to avoid being hooked by scammers by maintaining awareness, being skeptical and cautious, and using tools provided by the U’s Information Security Office, such as the Phish Alert Button and Canvas cybersecurity training.

Let’s work together to stay safe online!

Report a phishing attack

If you receive a phishing attempt through a university email account, the Information Security Office (ISO) asks that you immediately report it using the Phish Alert Button. The Phish Alert Button is the simplest and fastest way to report suspicious emails.

  • Open or select the suspicious message, then select the Phish Alert Button to send it to the ISO for review.
  • If your email client does not have the Phish Alert Button, forward the email as an attachment to
  • For more information on how to report suspicious emails, please visit this IT Knowledge Base article.

After reviewing the suspicious email, the ISO will notify you whether it is a phishing attack. If the message is malicious, the ISO will remove it from your inbox and other UMail inboxes that received the attack.

If, by accident, you click on a questionable link and enter login credentials, immediately go to the CIS website — — and change your password. In addition, contact the ISO's Security Operations Center at to notify information security staff.

If you need further assistance, please contact your respective IT help desk:

  • UIT Campus Help Desk: 801-581-4000, option 1
  • University of Utah Health ITS Service Desk: 801-587-6000
Share this article:


Last Updated: 4/8/24