Fake tax preparer or refund advance SSN harvest scam — fraudulent email impersonating TurboTax, H&R Block, Jackson Hewitt, or a tax preparation service claiming the recipient can file their taxes and receive a maximum refund advance deposited in 24 hours — directing them to provide their Social Security number, W-2, 1099, and bank routing details to claim the advance — a personal information and identity theft fraud targeting taxpayers during filing season
fake-tax-preparer-refund-advance-ssn-harvest-scam
What this tier means
High-confidence threat indicator — phishing, impersonation, BEC, or scam pattern. Strong contributor to the trash decision.
How Gorganizer detects this
Phishing emails impersonating TurboTax, H&R Block, Jackson Hewitt, Liberty Tax, or generic tax preparation services — claiming the recipient can file their taxes and receive a maximum refund advance deposited within 24 hours — then directing them to provide their Social Security number, W-2, 1099, and bank routing number to "apply" for the advance. These attacks concentrate in January–April during US tax filing season. Key facts: (1) Tax-related phishing is the single highest-volume financial phishing category by email volume during Q1 annually — IRS Criminal Investigation Division (CI) and the FTC jointly issued consumer warnings annually from 2017–2024; tax identity fraud losses exceeded $6.3B in 2023 according to IRS estimates; (2) The tax advance scam is particularly dangerous because it harvests a complete identity profile in one interaction: SSN (for identity theft), W-2/1099 (for income data and employer information), and bank routing number (for account takeover); with these three elements, fraudsters can file a fraudulent tax return, claim the refund, and divert it before the victim files; (3) Legitimate tax refund advances (TurboTax Refund Advance, H&R Block Emerald Advance) are offered only through the official app or in-store filing experience — never via cold outreach emails — and never collect SSN independently outside of a secure filing session; (4) Tax preparation credential phishing is the gateway to the largest fraud category: fraudulent tax return filing with stolen identity. The IRS estimates 1–2 million fraudulent returns are attempted each year, primarily using SSN harvested through email phishing. Warning signs: unsolicited refund advance offer via email, SSN + W-2 + bank routing all requested together, non-turbotax.com/hrblock.com domain, 24-hour refund promise.
False-positive guard
Every signal in Gorganizer feeds a multi-module score — never a sole verdict. This is a threat-tier signal — it adds a strong contribution to the trash score. The full pipeline still requires convergence across multiple modules + a margin over the safety floor before deletion happens, and Gmail's trash (30-day recovery) is always used — never permanent delete.
About the scoring engine
Gorganizer's scoring engine emits over 1,800 signals across six modules — headers, sender, subject, body, attachments, and structural metadata. Every email is scored by every module independently; the final verdict requires multiple modules to agree and the trash score to beat the safety floor by a margin.
Sacred safety guards — never delete starred emails, replies, calendar invites, receipts/invoices, or attachments — apply unconditionally regardless of any signal.
Ready to clean your inbox?
Gorganizer scans your Gmail with this signal and 1,800+ others, then cleans everything in one click. $4.99 one-time, no subscription.
Get started