Tax season brings phishing and other scams
Two things to remember as you prepare to file your taxes: If you get an e-mail from the IRS, it's probably a scam. And don't forget the stamp.
As the April 15 tax filing date nears, online tax-related scams tend to ratchet up, experts say. If you're not careful, you could lose a lot more than just the refund.
"Filing your taxes online is extremely convenient, however if you want to maintain the privacy of your data, you need to ensure that you are connecting to the proper Web site, that the connection is using encryption, and that your computer is free from any malware. If any of these components are compromised then your data is not safe," Ryan Barnett, director of application security research for Breach Security, said on Friday.
"This would be like going to an ATM machine to withdraw money and allowing everyone around you to see your PIN number as you punch it in," he added.
Not only do people have to take precautions in storing and transmitting their data over the Internet, but they also have to be wary of social engineering-type ruses that scammers use to trick people into giving out their sensitive data.
Probably the most common type of tax season scam is the fake IRS phishing e-mail. These e-mails will either claim to be a tax refund or an offer to help file for a refund, settle tax debt, or other aid. (Not long ago, scammers were offering economic stimulus payments, even before the plan was approved.) They will provide a link to a Web site where the visitor is prompted to type in personal data like a Social Security number. Don't trust it, experts say.
"The IRS will never send you an e-mail, especially not to ask you for information," said Johannes Ullrich, chief technology officer of the Internet Storm Center at the SANS Institute security organization.
In its latest monthly spam report, Symantec has a list of the top 20 tax-related subject lines. The list includes: "rebate processor position - we need your help now," "do you owe tax debt? read on," "fast & accurate tax refund," and "$389 desktop, $499 laptop. Amazing tax season 2-day sale."
Also cropping up are fake tax Web sites that offer to electronically file or prepare taxes for individuals. They ask for information including bank account information for alleged refund automatic deposits. However, the sites just steal the data, which can be used for identity fraud and outright theft later.
Using search engines to find someone to prepare or file your taxes is also fraught with risk. Don't do a search on Google using generic tax preparation-related terms or you could get lured by one of the many fake tax-related Web sites, Ullrich said.
"Stick with a name you know, like a big tax office," and search for them or type the URL in the browser, he said.
The IRS has a list of companies that are authorized to do electronic filing but the IRS site doesn't include the exact Web address, according to Ullrich. The IRS site for free e-filing is here.
Beware of bargain prices
Scammers are also selling at bargain prices alleged tax preparation software that is actually bogus and which instead steals your data, said Breach Security's Barnett. "Don't just download the next best free tax preparation software package," he said.
Another potential risk comes from programs that may be on the computer that you don't know about, and not just malware. For instance, if teenagers using the same computer that the tax preparation is done on have downloaded peer-to-peer software make sure the settings on the application do not allow for access to areas on the computer where sensitive data, like tax information, is stored.
Given the propensity for inadvertent file sharing, it might be wise to not use peer-to-peer programs on the same computer where tax data is located, said Coley Hudgins, executive director of Arts+Labs, a venture formed by Microsoft, Cisco, AT&T, NBC, and the Songwriters Guild of America that opposes the use of peer-to-peer networks for sharing copyright-protected content.
Once you've filed your tax forms, don't just sit back and wait for the refund check to arrive. Take precautions to protect the data stored on your hard drive from being stolen by either encrypting it or copying it to a CD and then deleting it from the computer, experts advised.
To prevent against key-loggers that record every key stroke and send the data off to thieves, and other spyware, people should keep their antivirus and other security software updated and their operating systems and applications updated with the latest security patches.
In a sign that at least some people are being cautious, consumers who have filed using Intuit's TurboTax program have been reporting legitimate e-mails from Santa Barbara Bank as fraudulent spam because they link to a site that doesn't look like it is the bank's site, said Andy Klein, a product manager at security firm SonicWall. However, the bank is a transfer agent for the IRS and the Web site in the e-mail is legitimate, offering people a way to check on the status of their refund, he said.
People who don't trust a link should type the URL into the browser to go straight to the correct Web site, Klein said.
And as for anything related to tax filing, he said: "When in doubt, pick up the phone or go straight to the IRS Web site."
Elinor Mills covers Internet security and privacy. She joined CNET News in 2005 after working as a foreign correspondent for Reuters in Portugal and writing for The Industry Standard, the IDG News Service, and the Associated Press. E-mail Elinor. 
Just kidding. I actually just filed mine. I cut and pasted the appropriate urls coz I keep hearing stories of freaking phishing and MITM attacks. Next year I probably won't even efile out of general fear (and the fact that I don't really want to do my own taxes anymore, but that's a different issue).
One addition to the pointers here -- the IRS requires that all efiling sources use Extended Validation SSL encryption, due to the antiphishing protection and more comprehensive background check CAs demand. So, if you ain't seeing the green url bar, do NOT proceed --
http://blogs.pcmag.com/securitywatch/2008/11/irs_to_require_evssl_for_onlin.php
More detailed by google.
More detailed by google.
Of course the e-file is a prominent part of the ad on their website.
Net result. I owed a lot more tax using webfile than I did when I did my taxes on paper. Luckily I didn't actually "file" my web file taxes.
- by Steve_KTG April 13, 2009 11:09 PM PDT
- Where ever money is changing hands, especially in a frantic manner and in large amounts, scammers are there to get their piece. This article I read recently on when you do have* to give out your SSN http://www.justaskgemalto.com/en/personal-data/tips/when-should-i-give-out-my-social-security-number reminded me to be extra careful when dealing with taxes. Not that I have to worry about a bigger scam artist ever coming along than the good ol' IRS themselves..
- Like this Reply to this comment
-
(9 Comments)