Every year, same routine: it's tax season and the sharks are circling their prey ...
Heavens no! We're not talking about your dedicated public servants! No, we're talking about another e-mail scam intended to further deplete your funds.
This one was too good to waste, so we shared it with the Federal Trade Commission (e-mail firstname.lastname@example.org) and the IRS (e-mail email@example.com).
Here's how it looks. Do NOT try to use any of these addresses! We have added spaces to prevent them from working.
Tax Refund Notification!
Internal Revenue Service Departament Notice.
After the last annual calculation of your fiscal activity we have determined that you are eligible to receive a tax refund of $192.50 .
Please click on the following link, submit the tax refund request and allow us 6-9 business days in order to process it.
http:// www.irs.gov/ tax-refund/
If we do no appropriate records within 48 hours, then will assume this email is invalid and the refund will be suspended.
Whether or not you've read our Security page in Trade Secrets, what suspicious clues do you see?
First, if you've ever read anything at www.irs.gov, you'll know it is terminally dull, massive, and complex, with nearly flawless grammar and spelling. It is unlikely you will see exclamation marks ("!") or any hint of groveling.
The sender's e-mail address was spoofed. The e-mail headers revealed a complex temporary id. It wasn't even a good spoof: "irsgov.com" is not "irs.gov".
Gee whiz - this e-mail was sent to no one! It certainly shouldn't be in your in-box.
"Tax Refund Notification!" Would the IRS share your joy, or would they write this entire line in capital letters with no punctuation?
What, exactly, is a "Departament"? A demented apartment? A dental appointment? A (Latin) Departamente? A department of what? The government loves titles; the scammer overlooked that.
"... allow us ..."?? IRS Rule# asdf7345bso87-ad.f87.g69 "forbids putting those two words in such close proximity." (We're joking, of course - that rule number is fictitious.)
You can't see it, since we disabled the link, but lurking beneath the spoofed www.irs.gov address, the real destination (we added spaces) is:
http:// www-irs-gov-id-session-9uf4389fu43898uj .id-890421 .com/ aspnet_client/ refund/ irs/ index.htm ?TAX=REFUND=192.50 $=ID=I98FJUNIK43NG38I4UHYBI
This was immediately obvious when we moused over the live link. The domain name "id-890421.com" certainly isn't "irs.gov".
"Please Note:" - we noted that the next meaningless sentence proves the scammer's laziness and stupidity. He even reveals his timing:
He will probably send out a few hundred thousand e-mails over the course of 48 hours, then leave his temporary website running for 6-9 business days to steal financial data from unwary respondents.
Then his site, and their money, will vanish. Their Social Security numbers and other credentials will return a large profit as well.
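Two of the clues above can be checked by a mail filter instead of by mousing over: the link text names one host while the link itself goes to another, and a name such as "irsgov.com" only resembles "irs.gov". The Python below is an added example, not part of the original article; the sample HTML is constructed, its href host is a placeholder under the reserved .example domain, and the function names are our own.

```python
from html.parser import HTMLParser
from urllib.parse import urlsplit

# Constructed sample modelled on the message above. The href host is a
# placeholder under the reserved .example TLD, not the scammer's domain.
SAMPLE_HTML = (
    '<a href="http://www-irs-gov-id-session-0000.id-000000.example/irs/index.htm">'
    'http://www.irs.gov/tax-refund/</a> '
    '<a href="https://www.irs.gov/">the IRS home page</a>'
)

def host_of(text):
    """Hostname of a URL or bare host name, or None if text is not one."""
    text = (text or "").strip()
    if not text or " " in text:
        return None
    if "://" not in text:
        text = "http://" + text
    host = urlsplit(text).hostname
    return host.lower() if host and "." in host else None

def belongs_to(host, domain):
    """True only for the domain itself or a real subdomain of it."""
    return host == domain or host.endswith("." + domain)

class LinkAudit(HTMLParser):
    """Record anchors whose visible text names one host while href names another."""
    def __init__(self):
        super().__init__()
        self.href, self.text, self.mismatches = None, [], []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self.href, self.text = dict(attrs).get("href") or "", []

    def handle_data(self, data):
        if self.href is not None:
            self.text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self.href is not None:
            shown, real = host_of("".join(self.text)), host_of(self.href)
            if shown and real and shown != real:
                self.mismatches.append((shown, real))
            self.href = None

def find_mismatched_links(html):
    audit = LinkAudit()
    audit.feed(html)
    audit.close()
    return audit.mismatches
```

Anchors whose visible text is ordinary wording ("the IRS home page") are skipped, so only links that display one address and lead to another are reported.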
After we sent this to firstname.lastname@example.org, their auto-responder sent back the following e-mail. We reproduced the live links so you can use them.
This is an automatic reply from the Internal Revenue Service (IRS) Online Fraud Detection and Prevention (OFDP) team.
We have received your report of possible phishing or fraud. Although we review and investigate each email we receive, due to the number of incident complaints, we cannot guarantee a personal response to your message.
Please note that the IRS does not contact individuals by email; so if you received an email claiming to be from the IRS it is a phishing attempt and should be reported to us.
Additional information on IRS phishing can be viewed here:
Additional information on avoiding phishing scams can be viewed here:
The IRS values your report, and encourages individuals to report future IRS phishing/fraud to email@example.com so that we can handle these incidents and limit the number of possible victims.
To limit email volume, you will only receive one auto-response per day for any of your submissions.
Thank you for your report.
If you do report scam e-mail for investigation, make sure the original e-mail is included in your forwarded message, but do not add comments or change anything in the message or subject line. If you know how, include the e-mail headers above the message.