As you open your email to look for holiday deals, don’t get scammed, says the Internal Revenue Service.

“Phishing with a ph, it’s the number one way that data thefts happen,” said IRS spokesman Michael Devine. “About 90% of all data thefts begin with a phishing email. They may pretend to be a company that you’ve dealt with or someone that you know.”

The scams tell an urgent story, but it isn’t true.

“Anytime you get an email from someone that you don’t expect to hear from or someone you don’t know, be very suspicious,” said Devine. “Please, don’t ever click on a link on any of these suspicious emails.”

The email link may send users to what looks like a familiar website to login, but the username and password goes to the thieves. Or, the scam suggests users open an attachment, which secretly downloads malicious software. Either method works for identity thieves. It’s also important to commit any passwords you need to memory, so the physical paper can’t be stolen.

“Use a phrase that you can remember, with a special character and a number,” said Devine. “Something like mycatbob@27. You’ll remember that, but you don’t have to write it down and if you
don’t write it down, you probably won’t lose it.”

Also don’t give out information that would give away those passwords on social media.