For anglers, spring is a time for removing the rod and reel from storage and heading to a lake or stream. For phishers of another kind, however, spring is the season for tax scams.
Phishing — the use of phony e-mails and Web sites to obtain personal information about people — has become such a problem for the U.S. Internal Revenue Service (IRS) that it recently set up an e-mail address, firstname.lastname@example.org, where taxpayers could send suspicious messages for review by G-men.
Pretty much any e-mail claiming to come from the tax agency should be regarded with suspicion by its recipients, according to IRS spokesperson Eric Smith.
“The IRS doesn’t do business that way,” he told the E-Commerce Times. “We don’t do unsolicited e-mail.”
Offshore Scam Artists
The IRS reported a recent increase in phishing attacks, many of which originated outside the United States.
“To date,” the IRS stated, “investigations by the Treasury Inspector General for Tax Administration have identified sites hosting more than two dozen IRS-related phishing scams.
“These scam Web sites have been located in at least 20 different countries,” it continued, “including Argentina, Aruba, Austria, Canada, Chile, England, Germany, Indonesia, Italy, Japan, Korea, Malaysia, Mexico, Poland, Singapore and Slovakia.”
To some extent, the IRS has contributed to its phishing woes, according to Ron O’Brien, a senior security analyst for Sophos in Lynnfield, Mass.
“A phishing attack was discovered last November that was actually linking to the IRS Web site,” he told the E-Commerce Times.
“What would happen is, you’d click on the link in the e-mail and it would appear to be the IRS Web site and it would automatically divert you to another page asking you for your social security number and such,” he continued.
While the vulnerability at the IRS Web site, which has been corrected, aided phishers, it isn’t driving the tax scams, argued Bill Rosenkrantz, director of product management for consumer product and solution group at Symantec in Santa Monica, Calif.
“The fact that taxes happen at the same time every year makes them a good target,” he told the E-Commerce Times. “It’s like New Year’s Eve. Robbers know lots of people will be at parties, so it’s a good time to break into houses.”
Phishers are very opportunistic, he noted. They launched phishing campaigns around Hurricane Katrina relief and will launch bogus solicitations for political candidates during election years.
Phishers may also be quick to exploit publicized security breaches, Sophos’ O’Brien added. Sophos is currently studying that subject, trying to determine whether phishing attacks against a given audience increase when that audience is connected to a security breach reported in the media.
Tried-and-true techniques are being used in the IRS phishing attacks, according to Peter Cassidy, director of research for the Anti-Phishing Work Group in Cambridge, Mass.
“All these phishing scams follow two templates,” he told the E-Commerce Times. “We need your intervention for something good to happen or some reward to come to you, or you need to help us intercede so something bad doesn’t happen.
“With the IRS, phishers are guaranteed a very large cohort of people that will care about their messages,” he continued. “Someone may or may not have a relationship with an online retailer or bank that’s being spoofed, but everyone has a relationship with the IRS.”
Mike Ferraro, an agent in the Boston office of Geek Squad, a national computer service firm, offered some tips to avoid being hooked by phishers.
He recommended deleting all e-mails from unknown correspondents and ignoring all e-mail requests for personal information from institutions.
“Banks, the IRS and legitimate institutions won’t contact you by e-mail for that kind of information,” he told the E-Commerce Times.
If a request looks legitimate, Ferraro suggested calling the sender by phone to confirm it. “Don’t use the phone number listed in the e-mail. Call a number you have for the company,” he cautioned.
“Phishers will include a fake 800 number in their e-mail in case you don’t click on the link to their Web site in their e-mail,” he explained.