It's tax season in the US. This week's "Is it spam?" features spampaigns that attempt to lure mail recipients into revealing personal information, including Social Security numbers or electronic filing PINs. These are only a few of the scams that the US Internal Revenue Service (IRS) identifies annually in its Dirty Dozen tax scams list. Some of these emails may contain Word documents that masquerade as official tax forms but contain malicious macros.
This season's scams contain Subject: lines such as:
- [Issue #:IRS099283746] For Your Record
- New Message from IRS.gov
- Your IRS Online Services Update
- Your 2015 Electronic IP Pin!
- View Your Tax Return Status
- Tax Exemption Notification
As you can tell by this sample of Subject lines, tax fraudsters use several methods to hook victims. The most common are fear or uncertainty (tax error or delinquency) and greed (exemption notices). Tax fraudsters also play on taxpayer impatience (check tax return status) or appeal to tax filers who are always looking for ways to save on taxes.
Tax fraudsters treat the IRS as a "brand". They will use the IRS logo. They'll replicate official-looking forms. In short, they use conventional phishing techniques, so please follow the "how to avoid being phished" recommendations I and others publish. However, be particularly suspicious of the following:
- links that take you to sites containing official-looking submission forms like those I show here,
- promises of larger or extraordinary refunds,
- offers to help you hide income or to reveal hidden deductions, for fees paid in advance.
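A mail administrator can turn these indicators into a first-pass triage check. The sketch below is an added example, not part of the original post; the keyword patterns, score weights, reason labels and the sample message are constructed assumptions.

```python
import re
from email import message_from_string
from email.utils import parseaddr
# Keyword patterns constructed for this example from the hooks the post names.
HOOKS = {
    "fear": re.compile(r"\b(error|delinquen\w*|issue)\b", re.I),
    "greed": re.compile(r"\b(exemption|refunds?)\b", re.I),
    "impatience": re.compile(r"\breturn status\b", re.I),
}
BRAND = re.compile(r"\birs\b|internal revenue", re.I)
MACRO_EXT = (".doc", ".docm", ".dot", ".dotm")  # Word formats that can carry macros

def triage(raw):
    """Return (score, reasons) for one RFC 5322 message given as text."""
    msg = message_from_string(raw)
    subject = msg.get("Subject", "")
    display, addr = parseaddr(msg.get("From", ""))
    domain = addr.rpartition("@")[2].lower()
    score, reasons = 0, []
    # From: is forgeable; mail claiming irs.gov still needs SPF/DKIM/DMARC checks.
    claims_irs = any(BRAND.search(s) for s in (subject, display, domain))
    if claims_irs and not (domain == "irs.gov" or domain.endswith(".irs.gov")):
        score += 2
        reasons.append("irs-brand-from-non-irs-domain")
    for name, pattern in HOOKS.items():
        if pattern.search(subject):
            score += 1
            reasons.append("hook:" + name)
    for part in msg.walk():
        filename = (part.get_filename() or "").lower()
        if filename.endswith(MACRO_EXT):
            score += 2
            reasons.append("macro-capable-attachment:" + filename)
    return score, reasons

# Constructed sample message, not a real capture.
SAMPLE_PHISH = """From: "IRS Online Services" <support@irs-gov.example>
Subject: Tax Exemption Notification
Content-Type: multipart/mixed; boundary="b1"

--b1
Content-Type: text/plain

Complete the attached form.
--b1
Content-Type: application/msword
Content-Disposition: attachment; filename="tax_form.doc"

--b1--"""
```

Calling `triage(SAMPLE_PHISH)` flags the brand mismatch, the greed hook and the macro-capable attachment; a score like this is a reason to quarantine for review, not proof of fraud.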
The IRS offers other specific advice for taxpayers to avoid becoming a tax fraud victim. You may also want to check out IRS social media channels, including YouTube videos and IRS on Tumblr, http://internalrevenueservice.tumblr.com (search "scam" to find scam-related posts).
If you do receive an IRS phishing email, please report it to the IRS and the Anti-Phishing Working Group (APWG). You can also join the user campaign against phishing: add your phish to PhishTank.