By Jeff Horne, Director, Threat Research
As tax season rolls around again in the US and UK, it seems like a good time to revisit the perils taxpayers face seemingly every year at around this time.
Phishing attacks against taxpayers are already in full swing — not that they haven’t been going continuously since last year. But this is high season for scams involving Web pages that look like the IRS or HMRC’s own Web site.
Scam messages typically contain dire warnings or outrageously large promises for a refund. The messages often are presented as if they originate from a tax authority, but contain links leading to phishing Web pages, or malicious attached files.
These scam pages typically appear to look exactly like a page on the real IRS or HMRC Web site. If you receive such a message, don’t reply to the sender, don’t email any sensitive information, and don’t follow any link in the message.
The pages promise to automatically transfer a tax refund to the recipient’s bank account, if only you would provide the scam artist with your complete banking, credit card, and personal details.
Most of these fake Web pages don’t have www.hmrc.gov.uk or www.irs.gov as the host name, the part of the URL immediately after the http:// and before the next slash. Many do include (in the American example) the text http://www.irs.gov somewhere else in the URL, as shown above: tacked onto the front of a longer host name, buried in the path, or placed before an @ sign so that the browser actually connects to whatever follows it. Not sure if the site you’re looking at is real? Try typing the URL into the Address Bar yourself.
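The host-name check described above, written out as an added example (this is illustrative code, not part of the original post). It compares only the host the browser will actually connect to against the two official domains, with a dot boundary, and runs it over a handful of constructed URLs that each contain the string www.irs.gov somewhere; the URLs, the OFFICIAL_DOMAINS list and the function names are assumptions made for the example.

```python
from typing import Dict, Optional
from urllib.parse import urlsplit

# Official domains named in the post. A URL counts as official only if its
# host IS one of these or is a subdomain of one (assumption for this example).
OFFICIAL_DOMAINS = ("irs.gov", "hmrc.gov.uk")


def hostname_of(url: str) -> Optional[str]:
    """Return the lowercase host the browser will actually connect to, or None.

    urlsplit().hostname drops any 'user:pass@' prefix and the port, so
    'http://www.irs.gov@198.51.100.7/' yields '198.51.100.7', not 'www.irs.gov'.
    Non-http(s) schemes and scheme-less strings are rejected.
    """
    parts = urlsplit(url.strip())
    if parts.scheme.lower() not in ("http", "https") or not parts.hostname:
        return None
    # A trailing dot ('www.irs.gov.') is the same host; normalise it away.
    return parts.hostname.rstrip(".").lower()


def is_official(url: str, domains=OFFICIAL_DOMAINS) -> bool:
    """True only when the host equals an official domain or ends in '.<domain>'.

    A plain substring test ('irs.gov' in url) is exactly what the scammers are
    counting on. Testing the host alone with a dot boundary makes
    'www.irs.gov.example' and 'wwwirs.gov' both fail.
    """
    host = hostname_of(url)
    if host is None:
        return False
    return any(host == d or host.endswith("." + d) for d in domains)


# Constructed sample URLs for the example (not real scam links). Only the
# first two are actually on an official domain.
SAMPLES = [
    "https://www.irs.gov/refunds",
    "https://online.hmrc.gov.uk/login",                    # subdomain of hmrc.gov.uk
    "http://www.irs.gov.refund-status.example/",           # irs.gov as a host-name prefix
    "http://www.irs.gov@198.51.100.7/refund.html",        # userinfo trick: host is the IP
    "http://198.51.100.7/www.irs.gov/refund.html",         # irs.gov in the path
    "http://refund.example/?return=http://www.irs.gov",    # irs.gov in the query string
    "http://wwwirs.gov/",                                   # no dot boundary
    "www.irs.gov",                                          # no scheme: not a URL we can judge
]


def classify(urls=SAMPLES) -> Dict[str, bool]:
    """Map each URL to whether its host is official."""
    return {u: is_official(u) for u in urls}


if __name__ == "__main__":
    for url, ok in classify().items():
        label = "OFFICIAL" if ok else "SUSPECT "
        print(f"{label}  host={str(hostname_of(url)):36} {url}")
```

Paste a suspicious link into `is_official()` before clicking it. Note that the check says nothing about look-alike Unicode or punycode hosts, or about a compromised page on a legitimate domain; it only answers the narrow question the paragraph poses, namely which host the address really names.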
Government tax collection agencies don’t contact taxpayers by email to let them know they’ve received a refund, and they already know where to send the money if you’ve chosen to e-file and asked them to electronically deposit your refund. They certainly don’t need to know your debit card’s PIN code, just to pick one dangerous piece of information typically requested in a bogus “refund form.”
And if you haven’t yet filed your taxes, but receive a “refund notification” email from the IRS (if you’re in the States), or the HMRC (if you’re in the UK), it is most likely a scam.
We’ve also seen numerous spam emails over the past year that claim to originate with various tax authorities which contain dangerous file attachments. If you receive a message, purportedly from the IRS (or any other government agency), which has a file attached, don’t open the attachment.
Always download the latest updates to Windows, as well as any non-Microsoft applications (such as Adobe Reader, Foxit Reader, or whatever application you use to read .PDF documents). These updates can help prevent infections that take advantage of security vulnerabilities in those products.
When it comes to preparing and collecting the information you need to file your taxes, you should always start the same way: Perform a full scan of the computer with an up-to-date antivirus program. Do this before you log into your bank account or any other Web site that may hold your private financial data, including your online tax filing service, if you use one.
Remember that Web browsers sometimes transmit information over plain, unencrypted HTTP, and that anyone on the same network can sniff that traffic if you use an open, unencrypted wireless Internet connection, whether you happen to be in public (such as in a coffee house) or in your living room. If you plan to file your taxes online, or work with any Web site that holds your sensitive financial information, don’t use an open wireless connection to do it.
Surfing the Web to find tax information is also risky, especially if you use search engines. Poisoned search results can lead you to dangerous sites. Instead, go directly to http://www.irs.gov or http://www.hmrc.gov.uk to download your tax forms or retrieve information. For state taxes, go directly to your state’s Web site and search there.
I’d also recommend that you use a browser other than Internet Explorer to file taxes. If you use Firefox, consider installing the NoScript, Adblock Plus, and HTTPS Everywhere add-ons, which, in combination, capably prevent most Web-borne threats from causing infections, and protect your logins from sniffing. Two caveats: HTTPS Everywhere can only protect connections to sites that actually offer HTTPS, and NoScript will block the scripts your filing service needs, so you’ll have to allow that one site explicitly.
Finally, when you’ve finished filing your taxes, collect your forms and tax return documents and burn them to a CD or DVD, which you file in a folder somewhere. Delete the tax record documents and returns from your computer’s hard drive (preferably using a utility that can perform a secure wipe of the data), and clear the browser’s cache using the browser’s own privacy settings.