Phishing for filers, with refunds as bait

For filers anticipating this year's tax refund, it naturally comes as a welcome e-mail: "We have determined that you are eligible to receive a tax refund of [X] dollars. To access the form for your tax refund, please click here." Who wouldn't like to get a tax refund? And an e-mail message sporting the official Internal Revenue Service logo is hard to ignore.

In fact, hundreds, or perhaps by now thousands, of recipients of the bogus e-mail messages have followed the instructions and clicked the link, and many have entered their Social Security number (just as you would on the real IRS Web site), and other personal information, including bank card numbers and ATM card PINs.

Unfortunately, the message isn't from the IRS.

Instead, this is phishing, where an e-mail is sent to a user claiming to be from a legitimate enterprise (complete with official-looking graphics and logos) in an attempt to scam the user into surrendering private information that will be used for identity theft.

Security software maker Symantec recently released its semi-annual Internet Security Threat Report, in which it found that there are an average of 7.9 million phishing attempts made per day, a 39 percent increase over the first half of 2005.

And this latest ruse is timed to coincide with the season when people are most likely to have the IRS on their minds.

"The IRS does not use Web or e-mail to contact taxpayers," said Bruce Friedland, an IRS spokesman, who echoed the statements that the IRS has been making throughout the spring. And while the IRS hopes taxpayers don't fall for the scam, there are inevitably those who will give up their personal information when the lure of a tax refund is presented to them.

"I wouldn't agree that people are likely to comply with the request [to provide personal information], but even if it's very few, it's a deep concern to us," continued Friedland. "It's a growing and serious problem."

"Each year we see dozens of schemes emerge in filing season attempting to defraud or take advantage of taxpayers," said Friedland. "The IRS makes every effort to thwart these scams, identify and stop the perpetrators, and alert the public so that they don't fall prey. The rise of phishing schemes fits this pattern, and the IRS is making every effort to shut down spoof Web sites that attempt to take advantage of unsuspecting taxpayers."

The typical refund message shows a sender name of tax-refunds@irs.gov, admin@irs.gov or a similar moniker, and a subject line of "IRS Notification - Please Read This." In addition to the message describing the existence of a refund for the taxpayer, the message might contain a copy of the IRS logo and a statement indicating that the information is copyrighted by the IRS.

Other messages floating around this spring are titled "Refund Notice" and purport to offer information on the status of the taxpayer's refund.

If the person receiving one of these messages takes the bait and clicks a link in the message to begin the process of getting a tax refund or checking the refund status, the person is then taken to a Web site designed to look like an official U.S. government portal. Once on the site, personal information is requested. At least a dozen such Web sites in countries all across the globe have been identified and are being scrutinized by the Treasury Inspector General for Tax Administration.
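A mail filter can check for the combination described above: a claimed irs.gov sender, one of the quoted subject lines, and a link whose host is not irs.gov. The following is an added example, not part of the original article; the function names, the scoring and the sample message (including its .example link) are constructed for illustration.

```python
import re
from email import message_from_string
from email.utils import parseaddr
from urllib.parse import urlparse

# Subject lines quoted in the article, lower-cased for comparison.
LURE_SUBJECTS = ("irs notification - please read this", "refund notice")
URL_RE = re.compile(r"https?://[^\s\"'<>]+", re.I)

# Constructed sample message; the link host is a reserved .example placeholder.
SAMPLE = """\
From: "Internal Revenue Service" <tax-refunds@irs.gov>
To: filer@example.com
Subject: IRS Notification - Please Read This

We have determined that you are eligible to receive a tax refund.
To access the form for your tax refund, please click here:
http://irs.gov.refund-form.example/claim
"""

def is_irs_host(host):
    """True only for irs.gov itself or a genuine subdomain of it."""
    host = (host or "").lower().rstrip(".")
    return host == "irs.gov" or host.endswith(".irs.gov")

def score_message(raw):
    """Return (score, reasons) for one message given as RFC 5322 text."""
    msg = message_from_string(raw)
    reasons = []
    _, addr = parseaddr(msg.get("From", ""))
    claims_irs = is_irs_host(addr.rpartition("@")[2])
    if claims_irs:
        # The From header is set by the sender and proves nothing; per the
        # IRS statement quoted above, it does not e-mail taxpayers at all.
        reasons.append("claims irs.gov sender")
    subject = " ".join(msg.get("Subject", "").lower().split())
    lure_subject = any(s in subject for s in LURE_SUBJECTS)
    if lure_subject:
        reasons.append("known lure subject")
    text = ""
    for part in msg.walk():  # collect every non-container body part
        if not part.is_multipart():
            data = part.get_payload(decode=True) or b""
            text += data.decode(part.get_content_charset() or "utf-8", "replace")
    hosts = {urlparse(u).hostname or "" for u in URL_RE.findall(text)}
    off_site = sorted(h for h in hosts if not is_irs_host(h))
    if off_site and (claims_irs or lure_subject):
        reasons.append("links leave irs.gov: " + ", ".join(off_site))
    return len(reasons), reasons
```

The suffix check in `is_irs_host` is what catches a host that merely begins with "irs.gov": only a name ending in `.irs.gov` counts as the real site.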

"The information fraudulently obtained is then used to steal the taxpayer's identity and financial assets," the IRS explained in a release on the subject. "Typically, identity thieves use someone's personal data to steal his or her financial accounts, run up charges on the victim's existing credit cards, apply for new loans, credit cards, services or benefits in the victim's name, and even file fraudulent tax returns."

The people running the scams are taking advantage of the fact that virtually everyone is a possible victim.

"The way these tax attacks work is that they literally send to millions of e-mail addresses, and they only have to hit a small percentage of those people to be successful," said Dan Hubbard, senior director of security and research at Websense, a marketer and manufacturer of Web and desktop security software.

Many types of phishing messages appear to come from financial institutions, but by singling out a particular institution, the audience for the message is limited.

Not so with taxpayers.

"It's a huge pool of potential victims," Hubbard said. "Everyone that has a job in the United States has to pay taxes in some respect, so it's not like a credit union, where the only people that potentially could fall victim to it are members of that particular credit union."

"You can enter the IRS Web site by yourself," said Diane Conant, CPA and partner with Las Vegas-based Conant Nelson & Conant Ltd. "You can answer certain questions and they will allow you to access your account." Alternatively, "If you contact your accountant, we'll go to the Web site or contact the IRS for you."

"It's just like anyone else asking for information," Conant continued. "You don't want to respond to any of that. They use the right logos - it's so easy with graphics now."

So what's a person to do who receives such a message? There are a few important steps to follow, or to recommend to your clients:

1. Contact the IRS's scam patrol at (800) 366-4484.

2. Delete the message. Don't reply or click on the link. Just delete the message.

3. If you're actually waiting for a tax refund from the current year's tax return, go to the IRS Web site at www.irs.gov and click the "Where's My Refund?" link. Enter your Social Security number, your filing status, and the exact whole-dollar amount of your expected refund. That is the only information that you are required to provide. The IRS will immediately display a refund status report.

4. If you think you're owed a refund from a previous year, call the IRS at (800) 829-1040, or contact your accountant.
