Number of bogus IRS e-mails spikes

Security vendor reports a 3,000 percent increase in the number of phishing attempts to trick taxpayers into giving up personal information.

E-mails that fraudulently claim to be from the Internal Revenue Service to trick taxpayers into giving up personal information have increased significantly this tax season, according to the IRS and a security vendor.

For two years, the IRS has warned consumers about the fraudulent use of the IRS name or logo in "phishing" attempts, in which criminals try to gain access to consumers' financial information to steal their identities and access banking accounts. In 2006, the agency established an e-mail address for victims to report incidents. As of March of this year, almost 34,000 e-mails had been identified as phishing attempts -- 611 in the first few months of 2008. Of those attempts that occurred in 2007, the IRS was able to trace the code from the e-mails back to 862 individual phishing schemes.

But that number is likely just a small portion of the total. "This is a self-reporting group," said IRS spokeswoman Michelle Lamishaw. "The group of people actually receiving them is much larger."

The total number of phishing incidents that have occurred this tax season is difficult to estimate, and estimates vary according to the source. Internet security software vendor Secure Computing says the number of phishing Web sites targeting the IRS increased 3,000 percent in January compared to January 2007. Secure Computing, based in San Jose, Calif., declined to provide the specific number of phishing attempts, saying the figures are proprietary. The company also reported an increase in the number of phishing Web sites that are targeting the Electronic Federal Tax Payment System. The majority were traced to locations in the United States. In terms of phishing attempts, Secure Computing identified 583 different fraudulent IP addresses sending e-mails on behalf of IRS.gov between Jan. 1 and Feb. 5, and it saw more phishing scams in January than in all of the first six months of last year.

"We're also noticing other sites that offer tax-related services getting targeted -- accountants and tax service businesses, for example," said Paula Greve, director of Web security research at Secure Computing. "These [scams are coming] at taxpayer citizens on all sides, gaining hold of their information."

Phishing schemes have become more sophisticated, now including links that lead to fake but professionally designed Web sites and bogus interactive applications that appear to come from the IRS. In one example, a link takes consumers to what appears to be the IRS "Where's My Refund" page, which asks taxpayers to check on the status of their tax refunds. The real IRS application asks for customers' Social Security number, filing status and the refund amount; the bogus page typically asks for additional personal information, including a bank account number. Some phishing scams pull from current events, such as claiming to relate to the economic stimulus package approved by President Bush, or target organizations that distribute funds to other organizations or individuals. Often the scam e-mails claim to be sent by the director of the exempt organization's area of the IRS and ask recipients either to click on a link to access a form, which is typically a phishing attempt, or to download information on tax law changes. That download in fact installs malicious code on the taxpayer's computer, which can then take over the hard drive and access files containing personal information.

"Anybody can spoof a Web site," Lamishaw said. "It's not that hard. They just capture all of the graphic elements and the font and so on, and then manipulate the information and questions."

No matter how sophisticated the e-mail, Lamishaw warns consumers not to be fooled. "IRS is not in the habit of sending unsolicited e-mails," particularly those that ask for any account-related information. "The few e-mails we send are of the newsletter sort -- where we're sending info to stakeholders. No one should expect anything, no matter how legitimate it looks."