(Don't) Click here for a tax refund

The number of fake IRS phishing sites has increased twelvefold in the last year

The Internal Revenue Service has become a popular brand with phishers, and with tax season under way we probably can expect to see plenty of e-mails purportedly from the IRS offering help with refunds and directing us to suspect Web sites.

In January, one anti-spam company reported that phony IRS e-mail accounted for 1 percent of all spam, Treasury Special Agent Andy Fried said Wednesday at the Black Hat Federal Briefings in Washington.

Phishing is the practice of directing computer users to malicious Web sites, often with official-looking e-mails with spoofed sender addresses, so that malicious code can be loaded on the victim's computer or personal and financial information can be stolen.

'We're nothing like Bank of America,' one of the favorite phishing targets, said Fried, who works in the Treasury inspector general's computer section.

The number of fake IRS phishing sites attempting to lure unwary or greedy taxpayers has grown steadily since they first appeared in 2003, Fried said. There now are approximately 1,600 such sites, more than 12 times the number from last year.

'We do take the sites down,' he said. 'None of them are overly successful. In some cases they can be up for one hour, or two or three hours,' and may gather information on only one or two credit cards.

But each of the servers hosting phony IRS sites is likely to host multiple phishing sites. 'When we take down an IRS site, we're generally taking down other sites as well,' Fried added.

The scams are part of what former national cybersecurity director Jerry Dixon called 'motivated and persistent adversaries,' in his keynote address at the conference. 'It's all about the money. The hacking community is all grown up.'

The federal law-enforcement community is swamped by cybercrime investigations that often cross international borders and involve networks of thousands of compromised computers in multiple countries.

'We still have a long way to go to raise the security bar,' Dixon said.

In addition to phishing attacks using the IRS name to lure and intimidate, agents have begun seeing scams much like the familiar Nigerian money scheme, in which a taxpayer is asked to deposit a fee in an online account in order to receive an electronic tax refund.

There also have been 'vishing' attacks, in which callers spoof the caller ID so that a real IRS number is displayed. If the recipient checks the number and finds it belongs to a real IRS voice mail system, he may be more likely to trust the caller and hand over sensitive financial information.

Some security experts estimate that as many as one in 300 PCs is infected with malicious code that can be used to launch these attacks, but Fried said the number could be closer to one in 25 or even one in 10 computers.

'We're not making a dent,' he said. 'Things aren't going well out there.'

Under the recently enacted economic stimulus package, rebate checks for $600 to $1,200 will start going out to U.S. households in May. 'We're cringing,' waiting to see what kind of use phishers will make of that program, Fried said.

For the record, 'the IRS never initiates contact with taxpayers by e-mail,' Fried said. So you can delete all those offers and threats.
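The article's rule that the IRS never initiates contact by e-mail, together with the spoofed sender addresses and suspect links it describes, translates directly into a mail-filter check. The following is an added example, not code from the article or from Treasury: a heuristic that flags IRS-branded messages whose sender domain or links are not under irs.gov, or that pair a refund lure with a demand to click. The sample message is constructed, and the hosts in it are placeholders.

```python
# Added example, not from the article: a heuristic filter for IRS-branded
# phishing e-mail, built on the article's rule that the IRS never initiates
# contact with taxpayers by e-mail. The sample message below is constructed.
import re
from email import message_from_string
from email.utils import parseaddr
from urllib.parse import urlparse

IRS_DOMAIN = "irs.gov"
IRS_BRAND = re.compile(r"\birs\b|internal revenue")

def _is_irs_host(host: str) -> bool:
    """True only for irs.gov itself or a subdomain of it (not look-alikes)."""
    host = host.lower().rstrip(".")
    return host == IRS_DOMAIN or host.endswith("." + IRS_DOMAIN)

def classify_irs_email(raw: str) -> dict:
    """Return whether a message looks like an IRS phish and the reasons why."""
    msg = message_from_string(raw)
    display, addr = parseaddr(msg.get("From", ""))
    subject = msg.get("Subject", "")
    text = (msg.get_payload() or "").lower()
    reasons = []
    # Only messages that use the IRS brand are of interest here.
    if not IRS_BRAND.search(f"{display} {subject} {text}".lower()):
        return {"phish": False, "reasons": reasons}
    # Official-looking display name, but the sender domain is not irs.gov.
    sender_host = addr.rsplit("@", 1)[-1] if "@" in addr else ""
    if not _is_irs_host(sender_host):
        reasons.append(f"IRS branding but sender domain is {sender_host or 'missing'}")
    # Links that lead away from irs.gov, including look-alike hosts.
    for url in re.findall(r"https?://[^\s<>\"']+", text):
        host = urlparse(url).hostname or ""
        if not _is_irs_host(host):
            reasons.append(f"link to non-IRS host {host}")
    # The refund lure the article describes: money offered, action demanded.
    if "refund" in text and any(w in text for w in ("click", "verify", "submit")):
        reasons.append("refund lure asking the reader to click or verify")
    return {"phish": bool(reasons), "reasons": reasons}

# Constructed sample of the lure described in the article (not a real message).
PHISH_SAMPLE = """From: "Internal Revenue Service" <refunds@irs-gov-refund.example>
Subject: Tax Refund Notification

After the last annual calculation of your fiscal activity we have determined
that you are eligible to receive a tax refund of $632.00. Please click
http://irs.gov.refund-center.example/verify to submit the refund request.
"""
```

A message that passes all three checks is not thereby legitimate; per the article, any unsolicited IRS e-mail should still be treated as suspect.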

About the Author

William Jackson is a freelance writer and the author of the CyberEye blog.
