​Beware These Common Tax-Season Scams (and How to Shut Them Down Fast)

As a spa owner or service-based business, your inbox is constantly filled with payment-processing requests: invoices, vendor emails, payroll notices, software alerts, “urgent” account updates… all day.

Scammers know that. And they’ve gotten very good at making fake messages look like they came from a legit source like your bank, the IRS, a vendor, or even your payroll/accounting software. The goal is always the same: to get you to click, hand over login info, and pay for something you shouldn't.

Below are the most common scams we see during tax season—plus simple safeguards you can actually use when you’re busy.

1) Fake IRS “You Owe Now” Notices
An email/text/DM claiming you owe back taxes or penalties and must pay immediately via a link, QR code, wire, crypto, or some “instant” method.

What you need to remember is the IRS does not initiate contact with taxpayers via email, text message, or social media about bills, refunds, or “tax credits.” The IRS states that most initial contacts begin with a letter delivered by U.S. mail (with limited exceptions).

So your best bet is: Don’t click!

Go to the IRS site directly and look up how to verify notices, or use your IRS online account if you have one.

2) “Invoice” Scams (Small Amounts, Big Damage)
An invoice for something you never ordered—often a “reasonable” amount that a busy owner might approve without thinking.  This scam works because it’s designed to slip through during high-volume weeks when you’re approving everything quickly.

How to stop it: Require a matching purchase order / written approval for any new vendor charge.

Pay vendors only from a saved vendor list (and not from new banking details inside an email).

3) Bank / Payment Processor “Security Alerts”
This may come in the form of a message saying there’s suspicious activity and you must “verify” your login or payment details.

Just remember that "Pressure + link = danger" and you'll probably make the correct decision.

Also, if you see the language “Verify now” + login page  this is classic credential theft (also known as phishing).

Your best bet is to open a new browser tab and type your bank/payment processor URL yourself (or use a trusted bookmark). The IRS explicitly warns that scammers use links to fake IRS pages and tools—banks are targeted the same way.

4) Payroll / Vendor “Change My Bank Details” Requests (BEC)

This one is especially brutal because it can look like it came from a real person you know.

What typically happens is that you might receive this message: “Hey—my banking changed. Please update my ACH info.” Or  “We switched banks—use this account starting today.” , or “I’m in a meeting—can you send the payment now?”

This is a common form of Business Email Compromise (BEC)—a major fraud category the FBI tracks and warns businesses about.  A great way to avoid the problems that can stem from this scam is to never change payment instructions based on email alone.

A simple strategy is to verify by calling the person from a known phone number (from your records, not the email).  You could also require a second approver for any banking-change request.

If money already moved, contact your bank immediately

The “3 Red Flags” Test (Use This on Every Weird Message)

• Urgency: “Act now,” “final notice,” “today only,” “or penalties.”
• Links/attachments: especially unexpected PDFs, ZIPs, or “secure messages.”
• Sender weirdness: tiny misspellings, extra characters, or a “reply-to” that doesn’t match.

If you see even one of these, pause and verify independently.

Quick Protection Checklist for Busy Owners

1. Use multi-factor authentication (MFA) on email, banking, payroll, and accounting tools.
2. Limit who can change bank details or send payments (least access needed).
3. Set a rule: bank detail changes require phone verification + second approval.

Train your team to forward suspicious messages to one internal point person (so nobody “handles it quickly” alone).

If you suspect a breach or exposed info, follow a documented response plan (the FTC provides a practical breach-response guide for businesses).

If You Already Clicked (Do This Immediately)
Do not enter any passwords (if you haven’t already). If you entered credentials, change passwords right away and enable MFA.  Contact your bank/payment platform if any payment info may have been exposed.

If it involved an IRS impersonation attempt, the IRS provides steps for reporting phishing and suspicious messages.

For vendor/payment redirection scams, contact your financial institution immediately.

Bottom line
Spam isn’t just annoying anymore—it’s a direct threat to your cash flow, your client data, and your peace of mind. Cautious doesn’t mean fearful. It means you’re protecting what you’ve worked way too hard to build.