New IRS requirements will soon be used as phishbait, according to Gene Marks, owner of Marks Group PC and a columnist for the Guardian.

“Beginning for the 2022 tax year, if you receive more than $600 in total payments during the course of the year from a payment service like PayPal, Venmo (which is owned by PayPal), Square, Stripe or online sales of your products made through Amazon, Etsy and other marketplaces – regardless of how many customers are paying – that payment service is required to report that amount to the IRS and to you by sending a Form 1099-K – used for reporting payments via these third parties – in early 2023,” Marks explains.

Scammers frequently pose as the IRS, and the new rules give them new material to use in phishing attacks.

“Starting mid-year, I predict, millions of individuals and small businesses will be receiving requests from payment services they used asking to provide or update their personal information – including their social security and tax identification numbers – so that those services can comply with the new 1099 rules,” Marks says. “They’ll come by email mostly, although some will be by text. Unfortunately, a scammer can also send a fake text or email – or millions of fake texts and emails – to small businesses that look genuine but surreptitiously divert you to a fake website that not only collects your most personal data but also can download malware into your network to be used for future attacks and mischief.”

Marks says that people should be on the lookout for phishing attacks that pose as payment providers asking for financial information.

“Take a few minutes to visit every one of your payment service providers’ websites and update your 1099 information,” Marks says. “Train your financial employees that may be receiving email requests to know what to look for. If you’re not sure of a sender, then ignore the email. Report any suspicious requests directly to the payment service provider. If you are submitting information, make sure you’re doing it directly on the payment provider’s website and avoid clicking on any links in an email. Otherwise you’ll be opening yourself up to serious problems. By mid-year I predict you’ll be hearing a lot more about this scam. Start paying attention now.”

As laws and regulations change, their very unfamiliarity can open up new, initially plausible lines of social engineering. New-school security awareness training can prepare your employees for new trends in phishing attacks.