It’s tax season, and you know what that means: Tax scams. The IRS warned last year that it was the worst year they’d seen for tax scams, with 900 reports filed. That’s about nine times the number of reports filed in 2016 and it looks like 2018 is shaping up to be even worse.

Ars Technica reports that the most common type of scam this year isn’t one targeting individuals but instead ones that go after mass amounts of data. They quote an FBI document from January that described “business email compromise (BEC) or business email spoofing (BES)” — or, in more common terminology, phishing campaigns.

In this type of phishing campaign, attackers pose as someone high up in a company or organization, like the CEO, executive, or school principal. They then send emails to employees asking for copies of W-2 forms, which include all the personal information you need to file a tax return. According the FBI, many of these phishing emails start with a friendly greeting before getting to the request, putting employees at ease before asking for the forms.

Another risk factor this year is the Equifax hack, in which more than 143 million Americans’ personal information was stolen. With the theft of that data, the FBI fears that this year will be much worse than last year when it comes to tax return fraud.

But just because attackers are primarily going after the big hauls right now doesn’t mean individuals are safe from phishing attacks. In a mirroring of what we’ve seen in the past, thieves are using phone calls, emails, and text messages to get people to give up personal information that can help them steal their tax return. According to Kapersky labs, some of the “bait” used include messages from fake IRS sites asking people to confirm their personal information in order to complete their refund; posing as executives from INUIT, the creators of TurboTax; or even requests that look like they’re coming from the boss, asking for updated information.

So what can individuals do to protect yourself?

If you work for a company, never send W-2 or other tax information electronically without first verifying with your boss in person or on the phone that they actually sent the request in the first place. While it might seem like more of a hassle, it’s worth taking the extra precaution as the likelihood of this type of attack increases.

When it comes to individual attacks — which usually come from sources that can’t be independently verified in a timely manner — as a rule of thumb, don’t click on links in emails from the IRS. That’s because the real IRS doesn’t initiate contact with Americans via email, text, or social media.

And if you get a notification from TurboTax or INUIT or another tax filing company, rather than clicking on the link provided, type the URL of the site into your browser. If it’s a legitimate communication, there should be some type of notification in your account. And if you’re still not sure, give their customer service a call. Again, it’s a bit of a hassle, but it’s worth it to deal with that hassle up front rather than the ultimately have to deal with the hassle of your tax refund being stolen.