Bogus IRS Emails Swamp The Internet
The deadline for filing federal taxes was yesterday and Massachusetts residents have today as an extra day to file their state taxes, but cybercriminals impersonating the IRS in e-mail scams designed to steal your tax refund are just getting warmed up.
An estimated 95% of the e-mail moving across the Internet in the last three months — and purporting to come from IRS.gov — was fraudulent, according to results of an e-mail traffic survey supplied exclusively to USA TODAY.
Just like the sun rises in the east and sets in the west, every year, come April, phishers who specialize in tax fraud come out to try to get you.
What’s more, cyber security experts warn that e-mail messages crafted to look like official IRS inquiries, but designed to steal personal information and reroute tax refunds to accounts controlled by organized theft rings, will continue at a high rate through May and June.
They’ll send an e-mail confirming they’ve received your tax return and need more information or that your online tax payment has been rejected and you need to log in and respond immediately.
Cybercriminals are well-versed in local, state and federal tax rules throughout the U.S. and in other nations. They use bogus forms that look authentic in order to trick a victim into divulging log-on credentials for tax authority websites and bank accounts. Or they’ll entice the victim into clicking a malicious attachment or Web link that turns control over to the attacker.
Tax scammers can find out if a tax return has already been filed, note the refund amount and modify where the refund should be sent. If the opportunity arises, they’ll file a faked return and route the refund into their hands.
Part of the reason bogus IRS e-mail continues to swamp the Internet this time of year is that the agency has not yet adopted a year-old technical standard called DMARC, an acronym for Domain-based Message Authentication, Reporting & Conformance.
DMARC standardizes how major online companies, such as Facebook and Netflix, prove the authenticity of legitimate e-mail sent to customers. Major Internet Service Providers as well as the major providers of free Web mail — Microsoft, Google, Yahoo and AOL — all support DMARC.
Any “phisher” that attempts to send a bogus Facebook or Netflix e-mail to users of the free e-mail services or ISPs supporting DMARC gets blocked. DMARC’s backers have been lobbying the IRS to adopt the standard, stating that companies and organizations need to take a proactive approach to protect their consumers from phishing attacks by implementing the DMARC standard. Until that happens, these types of attacks will continue to occur.
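As an added illustration that is not part of the original article, the following Python sketch shows how a receiving mail server applies a sender's published DMARC policy: it looks up the policy record for the domain in the message's From header, checks whether the SPF or DKIM result is aligned with that domain, and otherwise applies the published disposition. All DNS records, domain names and message results here are constructed for the example and do not describe any real IRS.gov DNS data.

```python
# Constructed sample DMARC TXT records (not real DNS data): one sending domain that has
# not published DMARC at all, and one that has adopted a reject policy with strict DKIM
# alignment and relaxed SPF alignment.
SAMPLE_DNS = {
    "_dmarc.example-unprotected.test": None,
    "_dmarc.example-protected.test":
        "v=DMARC1; p=reject; adkim=s; aspf=r; rua=mailto:dmarc@example-protected.test",
}

def parse_dmarc(record):
    """Parse a DMARC TXT record into a tag->value dict; None if absent or not DMARC."""
    if record is None:
        return None
    tags = {}
    for part in record.split(";"):
        if "=" in part:
            key, value = part.split("=", 1)
            tags[key.strip().lower()] = value.strip()
    if tags.get("v") != "DMARC1" or "p" not in tags:
        return None
    tags.setdefault("adkim", "r")  # RFC 7489 defaults: relaxed alignment
    tags.setdefault("aspf", "r")
    return tags

def org_domain(domain):
    """Crude organizational-domain extraction (last two labels); real receivers
    consult the Public Suffix List instead."""
    return ".".join(domain.lower().split(".")[-2:])

def aligned(from_domain, auth_domain, mode):
    """Identifier alignment: strict ('s') needs an exact match, relaxed ('r')
    accepts any domain under the same organizational domain."""
    if auth_domain is None:
        return False
    if mode == "s":
        return from_domain.lower() == auth_domain.lower()
    return org_domain(from_domain) == org_domain(auth_domain)

def evaluate(from_domain, spf_pass_domain, dkim_pass_domain, dns=SAMPLE_DNS):
    """Return the receiver's disposition for one message: 'no-policy', 'accept',
    or the published p= value ('none', 'quarantine', 'reject').
    spf_pass_domain / dkim_pass_domain are the domains that passed SPF / DKIM,
    or None when that check failed. Lookup is exact-domain only for brevity."""
    policy = parse_dmarc(dns.get("_dmarc." + from_domain.lower()))
    if policy is None:
        return "no-policy"  # receiver cannot distinguish spoofed from legitimate mail
    if aligned(from_domain, spf_pass_domain, policy["aspf"]) or \
       aligned(from_domain, dkim_pass_domain, policy["adkim"]):
        return "accept"
    return policy["p"]
```

A spoofed message for the unprotected domain yields "no-policy" (delivered like any other mail), while the same forgery against the protected domain is rejected; only mail that passes SPF or DKIM under an aligned domain is accepted.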
Remember the IRS will not attempt to contact you via e-mail. Always verify the authenticity of the “sender” of any e-mail request before complying and potentially opening yourself up to identity theft.