Tax Time: Phishing Scams and Schemes
by Phillip Brett
The Internal Revenue Service reports that 30,445,000 tax returns were filed electronically in 2007, with online filings outnumbering paper returns by more than 5 to 1. And as the buzz surrounding online filing increases, so do the odds of getting scammed. As taxpayers wait for their refund checks, they need to be extra vigilant that any notices they receive about their tax returns actually come from the IRS. Phishing scams abound that mimic IRS notices to try to get bank account and other personal information from taxpayers who can easily become victims.
Researchers from Secure Computing, a company that provides solutions to help corporate customers secure their web, email, and networks, report that they have seen a 3,000% increase in IRS and tax-related phishing websites. In January, Secure Computing officials saw more phishing schemes purporting to be from government agencies than in the first half of last year, according to Paula Greve, the company’s director of web security research.
“According to our research, as of Feb. 7, there were 583 different sites sending emails [purporting to be] from the IRS,” Greve says. “People want access to their money, so the phisher provides a dollar amount with instructions to click on a link.”
That’s enticing enough for those who expect a refund. Although there are no known figures for those who have fallen victim to these scams, there are now more of them out there.
Respecting a Brand
“Government brands are among the most targeted by phishers,” says David Atlas, senior vice president of worldwide sales and marketing for Goodmail Systems, a provider of certified email. “People tend to trust a government identification, so if they see it, they figure it’s something that they had better attend to.”
Many of these scams and phishing attacks instruct victims to click on a link, but doing so opens the victim up to viruses, malware, and identity theft.
“People who are hypervigilant will know it’s a fake, but there are enough gullible people out there,” Atlas says. He also says that the phishers like to use government or other large entities (e.g., Bank of America or eBay) as the identities for such schemes because the actual customer base is large and the likelihood is good for finding someone to scam. Though phishers use falsified representations for smaller government organizations and businesses, one thing still rings true: the larger the organization, the larger the potential victim base.
Atlas and Scott Burns, co-founder and CEO of GovDelivery.com, a government email delivery service and Goodmail Systems customer, inspect certified email. Although this process is in its embryonic stages now, it’s designed to let a user know that an email is from a trusted source. These emails have identifiers that make them stand out from other emails.
Rating Email Sources
Greve adds that Secure Computing has a free, downloadable toolbar that rates email sources (trusted, unverified, suspicious, malicious, or undetermined) to help users judge the risk of opening a message. Sources rated malicious are IP addresses known to have been the origin of previous phishing attacks or other scams.
The IRS has seen several variations of a refund-related bogus email: They falsely claim to come from the IRS, tell the recipient that he or she is eligible for a tax refund for a specific amount, and then instruct the recipient to click on a link in the email to access a refund claim form. The form instructs the recipient to enter personal information that the scam artists can then use to access the email recipient’s bank or credit card account.
In a new wrinkle, the current version of the refund scam includes two paragraphs that appear to be directed toward tax-exempt organizations that distribute funds to other organizations or individuals. The email contains the name and supposed signature of the director of the IRS’s Exempt Organizations business division, according to the IRS. This email is a phony. The IRS does not send unsolicited email about tax account matters to individual, business, tax-exempt, or other taxpayers.
In a related scam, an email notifies the recipient that his or her tax return will be audited. This email instructs the recipient to click on links in order to complete forms with personal and account information, which the scammers will use to commit identity theft.
The scams are expected to stay prevalent even after the immediate end of tax filing on April 15 due to the government’s recently announced economic stimulus plan that will provide rebates of up to $600 for individuals or $1,200 for married couples filing jointly, says Angelo Comazzetto, product evangelist for Astaro Corp. “It’s not a vendetta against the IRS. It’s tax time, so a lot of people are looking for notices from the IRS.”
But the IRS does not initiate communications with taxpayers via email, though it asks for an email address on the current version of Form 1040. The IRS still relies on snail mail, according to security experts. The IRS also has a warning, with a link to more information, about the various scams at the center of its homepage, www.irs.gov.
There are a couple of basic ways to protect online taxpayers from phishing, whether the faux email purports to be from the IRS, a financial institution, or another source, says Matt Sergeant, senior anti-spam technologist for MessageLabs, a company that provides managed services to protect, control, encrypt, and archive electronic communications.
Sergeant advises following the standard user protocol for email links: He says it is much safer to retype the questionable URL in the web browser than to click on a link in an email. A link takes the user to whatever address is hidden behind it (even when the visible text of the link is falsified), whereas typing the URL into the browser takes the user to the genuine host for that web address. Sergeant also recommends that people use popular webmail services, such as Yahoo! or AOL, that have sophisticated anti-spam filters rather than the email services of internet service providers such as Comcast.