It’s tax time again, and the online scammers are crawling out of the woodwork. Their goals are to intercept personal information about taxpayers nationwide, and in some ways, they may be benefiting from the IRS’ push for people to electronically file their returns.
Some scammers are “phishing” taxpayers by sending emails that claim to be from the IRS. They might ask for recipients’ names, Social Security numbers and addresses in order to claim refunds, or they may ask the recipient to confirm that information.
Many set up fake Web sites offering free tax preparation software or tax prep services.
Others send out emails offering bogus stimulus package payments or tax refunds.
E-Filing: A Mixed Blessing
“Your fast, easy alternative to filing paper returns!” reads the blurb on the IRS page about e-filing for individuals, which boasts that 90 million people used e-file in 2008. The page outlines the benefits to filing one’s taxes online, such as faster refunds, greater accuracy, and secure and confidential submission.
Taxpayers have turned to the Web in droves to deal with tax issues. More than 138 million people visited the IRS site in the first three months of this year, compared to 111 million during the same period in 2008, according to the agency.
That’s all well and good, but the move to online filing also opens the door to scammers.
Taxpayers should beware of Web sites that may resemble IRS.gov — the official IRS Web site — but end in .com, .net, .org, .biz or any other domain name extension, the IRS warns.
It’s easy to spot the fake Web sites, though, because they often ask for visitors’ personal and financial information, IRS spokesperson Michelle Lamishaw told the E-Commerce Times. “We do have the information we need normally, and the type of information scammers request is not the information we need, such as passwords of consumers’ accounts.”
Phishing is a type of fraud that occurs when people misrepresent themselves in an effort to get others to tell them sensitive information — such as usernames, passwords and credit card details. Phishing can be undertaken through email or Web sites designed to get visitors to provide sensitive info in hope of a reward or prize.
The Obama administration’s stimulus package has stoked the imaginations of countless phishers.
“There have been many stimulus-related scams out there since the package was announced,” David Harley, director of malware intelligence at antivirus vendor Eset, told the E-Commerce Times.
Often, taxpayers get emails claiming they still have more money from their stimulus checks sitting in the Treasury, and all they have to do is fill out a form with their personal information and fax or email it back, Scott Stevenson, founder and CEO of EliminateIDTheft, told the E-Commerce Times.
“That’s a scam,” he said. “The IRS won’t ask you for that information.”
Emails purporting to be from the IRS are usually flat-out fakes.
“We do not send out emails to the typical taxpayer,” the IRS’s Lamishaw said, “and we would never send out emails telling taxpayers they’re due for a refund or asking them to send us their personal and financial information.”
Polishing the Scams
As consumers become more savvy about phishing scams, online fraudsters are doing everything they can to add credibility to their cover stories. For example, many phishing emails include personal information such as the last four digits of the recipients’ Social Security numbers, EliminateIdentityTheft’s Stevenson said. It may encourage the recipient to let his or her guard down, believing he or she has done business with the sender before.
However, that information is readily available from data brokers.
The growth of social networking sites, whose members readily put information about themselves on the Web, and the frequency of corporate and government data breaches have made such personal information commonplace and cheap. “The price used to be (US)$10 to $20 a name, and now it’s $5 to $10 because this information is more readily available now,” Stevenson said.
Some scammers are not just content with sending emails claiming to be from the IRS; they add in details to make their emails look more official in order to add credibility. “They use the logo of the IRS or Treasury Department, and sometimes they use the name of a real IRS executive or make up a name,” the IRS’s Lamishaw said.
For example, one phishing attack from the email address “firstname.lastname@example.org” includes an IRS logo, according to a blog post on Eset’s Web site by Randy Abrams, the vendor’s director of technical education.
No Such Thing as a Free Lunch
Another common scam is to offer free tax preparation software packages online. These contain malware that can infect victims’ PCs.
A quick search online for free tax prep wares turned up a plethora of results. Sure, sites for TurboTax and the actual IRS were among the results, but there were also lots of lesser-known sites offering free online tax preparation. Some may be legit companies, others not so much.
“Don’t just download the next free tax preparation software package you see,” Ryan Barnett, director of application security research at Breach Security, told the E-Commerce Times.
Taxpayers should especially beware of sponsored links on Google searches, as scammers often invest a few hundred dollars to buy prominent placement and lure in victims.
Taking Action Against Scammers
Those who have received phishing emails or have visited a fraudulent Web site can send the email or the Web site’s URL to the IRS at email@example.com. If they can provide the email’s Internet header, the IRS can trace it back to the hosting server and ask the host to remove that address, the IRS’s Lamishaw said.
The IRS also has a page on its Web site explaining how to identify and report online scams. Lamishaw said the IRS will soon post alerts about scams.
Taxpayers looking for a tax filing service should get one approved by the IRS, EliminateIDTheft’s Stevenson said. That information is available on the IRS site.
One other thing taxpayers should do is make sure their computers are not infected with spyware.
“Run a full antivirus and spyware scan,” Breach Security’s Barnett advised.