In spring, a phisher's fancy turns to taxes
If tax season is here, can IRS e-mail scams be far behind? Here's a tempting one making the rounds: An e-mail that looks like it's from the IRS tells you the agency has "determined that you are eligible to receive a tax refund of $746.35." All it takes to get that cash is a simple click on a link to "access the form for your tax refund."
If you get one of these, don't start planning that vacation yet, and definitely do not click on the link or fill out the form. The IRS doesn't send unsolicited e-mails about tax refunds or any other matter. What you've actually received is not an opportunity to claim hundreds of unexpected dollars. It's a phishing scam designed to load malicious software onto your system and collect personal information for use in identity theft schemes.
This and other scams that use refunds from the IRS as bait are more prevalent than ever. Meanwhile, even newer scams are showing up surrounding the recent Federal tax rebate, according to Paula Greve, director of Web security research for Secure Computing.
In fact, Greve notes, there has been a 3,000 percent year-over-year increase in phishing attacks and malicious Web sites targeting the IRS, with more such attacks in January 2008 alone than in the first six months of 2007 combined. Close to 600 IP addresses sending e-mail purporting to be from the IRS have already been tracked, and Greve expects that number to increase.
The IRS has itself issued warnings of several scams, including one intended to frighten you into opening it because it says you're about to be audited. This one, the IRS says, may even be personalized with your name in it, unusual for many scam e-mails. The Federal Trade Commission has also issued a warning about IRS and Social Security Administration e-mail scams.
Even if you're visiting what you think are legitimate Web sites that provide tax-related services, you need to use extra caution. For example, if you typed in the name of a popular tax service but missed typing in the period between the "www" and the company's name, you were taken to a site that loads malicious software onto your computer. The lesson: Type slowly, check your spelling, and keep your security software updated and active.
Other precautions to take:
- Never click on URL links in an e-mail from a financial institution or government agency. Instead, type the address into your browser manually.
- Don't open e-mail attachments unless you are certain what they are.
- Don't open, preview, or read e-mails that say they come from the IRS; they don't.
- Report e-mails that impersonate the IRS to phishing@irs.gov or spamreport@securecomputing.com.
- Report general phishing e-mails to reportphishing@antiphishing.org.
Check our blog for more security news and our cyber-security information center on ConsumerReports.org has more tips on how to protect your computer and personal data.
—Donna Tapellini
Comments