
Beware of tax refund 'phishing' scams

Scores of fake sites tempt Web users with schemes posing as IRS

By Marsha Walton





ATLANTA, Georgia (CNN) -- It's just the news that hardworking taxpayers want to see in their inbox: an update on their refund from the Internal Revenue Service.

But instead of clicking on that e-mail's links, federal officials advise you to hit the delete key.

That's because dozens of scams, known as "phishing" schemes, are making the rounds, poised to steal your personal information.

"This phishing scheme is exploding," said IRS Commissioner Mark Everson.

"Last year we got wind of seven different kinds of schemes. That was in all of 2005. This year we've already seen 65."

Even the commissioner of the New York State Department of Taxation and Finance got one of the phishing e-mails -- on his government computer.

"It's a reflection of how brazen these crooks have become," Commissioner Andrew Eristoff said.

"Here they are targeting a tax administrator with a tax refund scam. Unbelievable," he said.

Phishing is an e-mail trick that "lures" users with a promise of money or an urgent security warning that asks users to update their information. But instead of going to a financial institution or the government, the precious personal data goes to identity thieves.

IRS doesn't e-mail taxpayers

At least during this tax season, Internet users don't even have to try and distinguish real from fake information from the IRS. Anything you get in your inbox with an IRS address is a fraud.

"We do not communicate with taxpayers by e-mail so no one should respond to an e-mail purporting to be from the IRS," Everson said.

Bogus offers on the Internet are nothing new. But sneakiness and sophistication have reached a level that can fool just about any user at one time or another.

Computer researchers are studying what makes fake sites so believable, with a goal of helping Web designers beef up security.

Rachna Dhamija, a postdoctoral fellow at the Center for Research on Computation and Society at Harvard University, said anyone can be duped.

"In our study, users proved vulnerable across the board to phishing attacks," Dhamija said. "Neither their age nor their previous experience with the Web site nor their level of education had any impact on their ability to distinguish a phishing Web site from a legitimate Web site."

Researchers at Harvard and the University of California, Berkeley, showed a series of real and fake Web sites to 22 people, all staff or students at UC Berkeley. Their ages ranged from 18 to the mid-60s.

"Some of our most educated users and most cautious users were also very surprised at their inability to detect the legitimate versus phishing Web sites," Dhamija said.

The "best" of the "worst"?

The site that fooled 90 percent of study participants was an exact replica of the legitimate Web site of the Bank of the West. But in the address bar, instead of the word west being spelled with a w, it was spelled with two v's. That was tough for users to spot, Dhamija said.

Many phishing Web sites prey on the fears users have of making their personal information vulnerable. E-mails will arrive from banks, credit card companies or Internet Service Providers with urgent warnings to "update your account now!"

One way users can protect themselves is to lessen the chance of landing on a phishing site in the first place.

"One way to do that is to never click on a link from an e-mail. Users should always type in the URL directly into the address bar," Dhamija said. "For example, if they want to go to the IRS Web site, they need to type"

And Internet users should always check to make sure they don't have a typo in the address. That's a common tactic of criminals, to create a bogus site that is a letter or two off from a legitimate one.
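An added example, not part of the original article: a Python check that flags the two address tricks described above, the "vv" for "w" substitution and addresses a letter or two off from a legitimate one. The `.example` hostnames, the confusables table and the function names are constructed for illustration.

```python
from urllib.parse import urlsplit

# Constructed allow-list: .example hostnames are placeholders, not real sites.
TRUSTED = ["bankofthewest.example", "taxagency.example"]

# Character sequences that read alike in an address bar (illustrative, not exhaustive).
CONFUSABLES = [("vv", "w"), ("rn", "m"), ("0", "o"), ("1", "l")]


def skeleton(host):
    """Fold look-alike sequences to one canonical form for comparison."""
    for fake, real in CONFUSABLES:
        host = host.replace(fake, real)
    return host


def edit_distance(a, b):
    """Levenshtein distance: inserts, deletes and substitutions."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def check_link(url, trusted=TRUSTED, max_typo=2):
    """Classify the host in a link as trusted, lookalike, typo or unknown."""
    host = (urlsplit(url).hostname or "").rstrip(".")
    if host in trusted:
        return ("trusted", host)
    for good in trusted:
        if skeleton(host) == skeleton(good):
            return ("lookalike", good)
    for good in trusted:
        if edit_distance(host, good) <= max_typo:
            return ("typo", good)
    return ("unknown", None)


if __name__ == "__main__":
    # Constructed sample links, as they might appear in an e-mail body.
    for link in ["https://bankofthewest.example/login",
                 "http://bankofthevvest.example/login",
                 "http://taxagenncy.example/refund",
                 "http://weather.example/"]:
        print(link, "->", check_link(link))
```

A mail filter or browser extension could run such a check on every link before it is shown; a "lookalike" or "typo" result names the trusted site being imitated.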

"If users visit Web sites frequently, a financial Web site for example, they should bookmark that site or save it in their 'Favorites' in the Internet Explorer browser," Dhamija said.

Will e-mail be a part of IRS communication in the future?

"Over 50 percent of returns are now filed electronically," Everson said. "That is safe, that is secure. We look at the further use of technology, but right now, all I can say is we do not reach out and communicate with taxpayers by e-mail."


© 2007 Cable News Network.
A Time Warner Company. All Rights Reserved.