29
Mar 11

IRS Scam: Phishing by Fax

facebooktwittergoogle_plusredditpinterestlinkedinmail

Scammers typically kick into high gear during tax season in the United States, which tends to bring with it a spike in phishing attacks that spoof the Internal Revenue Service.   Take, for example, a new scam making the rounds via email, which warns of discrepancies on the recipient’s income tax return and requests that personal information be sent via fax to a toll-free number.

A new phishing campaign that began sometime in the last 24 hours is made to look like it was sent from irs@irsonline.gov, and urges recipients to fill out, print, and fax an attached PDF tax form. From the scam email:

*This is in reference to your 2010 U.S. Individual Income Tax Return we seem to have some discrepancies with your filing. If you have already filed for your 2010  tax refund please get hold of a new form 1040 and
mail it to the  Department of the Treasury in your region.*

*If for any reason you have not yet filed for your 2010  Individual
Income Tax Return please print out the attached PDF form, fill it and
fax it to the IRS data center on (866) 513-7982 within 24 hours.*

*This has no bearing on your 2010 U.S. Individual Income Tax Return,
this to update our data and survey while we prepare to close the 2010
tax filing season.*

*Thank you *

That 866- phone number is currently returning a fast-busy signal, which suggests either that a lot of people are falling for this scam, or that anti-scammers are speed-dialing the number in a bid to prevent would-be victims from faxing in their forms. My guess is that this scam is tied to some kind of automated service that scans faxes and then emails the phishers copies of the scanned images.

It’s worth noting that the data requested in this bogus IRS form includes the Social Security number, e-File PIN and adjusted gross income, all of which are crucial pieces of information that the IRS uses to authenticate taxpayers.

The IRS has been careful to note that while it may conduct follow-up correspondence with taxpayers via email if the taxpayer chooses to communicate that way, it will never reach out to taxpayers via email. Consumers can report any tax-related phishing scams to phishing@irs.gov.

Tags: , , ,

12 comments

  1. If the line is busy from anti-scammers flooding it with calls, I say Good for them!

    Making the call toll-free may make it easier to reel in the gullible, but it also makes it easier for the anti-cammer activists to shut them down.

    • Brian, I should also say “Thank you” for including that number.

      Nudge, nudge, wink, wink, Say no more, Say no more?

      • I get a slow busy signal but the rhythm isn’t quite regular: beep … beep … beep …… beep … beep …… beep

        I’ve never heard anything like that calling a US phone number.

  2. I can’t help but wonder why none of the humorous “human-interest stories” on the news for tax season never seem to mention this sort of thing.

  3. Phishing – where you are the game

    Fishing – where you are the hunter

    Which one would you prefer? If more people thought about this a bit more, they wouldn’t fall for phishing!!! DOH! :)

  4. A good clue that a message may be a scam is the grammar.
    That’s why it’s usually easy to spot Nigerian scams, for example.

    The “IRS” letter raised grammatical flags: Run on sentences, missing commas and unneeded or inappropriate words.

    (A run-on sentence is a sentence in which two or more independent clauses (i.e., complete sentences) are joined without appropriate punctuation or conjunction.)

    Run on sentence 1:

    *This is in reference to your 2010 U.S. Individual Income Tax Return we seem to have some discrepancies with your filing.

    If you have already filed for your 2010 tax refund [comma needed here] please get hold of a new form 1040 and mail it to the Department of the Treasury in your region.*

    *If for any reason you have not yet filed for ["for" unnecessary] your 2010 Individual Income Tax Return [comma needed here] please print out the attached PDF form, fill it and fax it to the IRS data center on ["at" not "on"] (866) 513-7982 within 24 hours.*

    Run on sentence 2:

    *This has no bearing on your 2010 U.S. Individual Income Tax Return this is required to update our data and survey while we prepare to close the 2010 tax filing season.*

    Brian, our English majors finally pay off!

    • Unlike the Nigerian scams, their English is much better. Many times you can spell a word incorrectly and if you have the beginning and ending right with the middle part out of order – the brain will correct the center for you, sometimes we don’t even notice it. Same with punctuation in some cases. However if we’re going to get into the few grammar errors, I do believe you missed one…

      *If for any reason you have not yet filed for ["for" unnecessary] your 2010 Individual Income Tax Return [comma needed here] please print out the attached PDF form, fill it and fax it to the IRS data center on ["at" not "on"] (866) 513-7982 within 24 hours.*

      Shouldn’t the end read – “fill it out and fax it…”?

      Sadly I think most of these are small enough not to set off major warning flags to the majority of people who receive it. And since they have you faxing it instead of emailing it back – it almost gives a little more credibility to it. Many people seem to disregard the fine print which tells them what info companies will never ask them for anyway.

      I will hope the lines stay busy to help protect those who would fall for it. Hopefully after not being able to fax it in, they’ll go to the IRS page and call someone and stop trying to fax it… or if we’re really lucky the fax line will be shut down completely and never back up.

    • There’s no way
      “get hold of” would appear in legit IRS text.

  5. I’m curious if there are any specifics on what the exact name of the attached PDF file is? Might be good to know for the Network Analysts and Threat Analysts out there who monitor their infrastructures…

  6. Thank you, T.Anne, Al, and AlphaCentauri.
    Good points all.

    John

  7. Here we stand 5 months later (August 4, 2011) and the fax number (866) 513-7982 is still operational. I guess the busy signal was due to actual people sending over their papers, not because of anti-spammers.


Read previous post:
Microsoft Hunting Rustock Controllers

Who controlled the Rustock botnet? The question remains unanswered: Microsoft's recent takedown of the world's largest spam engine offered tantalizing...

Close