IRS Web site opens door to phishers

A new IRS site that allows taxpayers to check on the status of their refund checks could lead to users being phished.

Chris Soghoian

Christopher Soghoian delves into the areas of security, privacy, technology policy and cyber-law. He is a student fellow at Harvard University's Berkman Center for Internet and Society , and is a PhD candidate at Indiana University's School of Informatics. His academic work and contact information can be found by visiting www.dubfire.net/chris/.

See full bio

Chris Soghoian

May 8, 2008 9:40 a.m. PT

2 min read

A new IRS Web site that allows taxpayers to check on the status of their refund checks could lead to users being phished.

The new "Where's my stimulus payment?" site asks taxpayers to enter in their Social Security number, and a few other trivial bits of information before informing the user of the amount of their refund, and the date it will be sent out.

While no doubt useful, this Web site sets a horrible example, and encourages dangerous behavior by users. Furthermore, in the hands of someone who knows the last four digits of a taxpayer's Social Security number, it could be used as an oracle (by submitting multiple requests) to determine the full SSN of a taxpayer.

Screenshot of the IRS Stimulus Website Christopher Soghoian

The IRS is frequently mimicked by phishers. The agency even goes so far as to offer advice on its site, debunking many common phishing attacks. Furthermore, agency has shut down more than 1,600 phishing sites claiming to be the IRS in the past few years.

From a security education perspective, it is a really bad idea to have such a form on the official IRS Web site. The IRS should not be training users (via positive reinforcement) to enter their full Social Security numbers into Web sites. It is bad enough that credit cards and banks require us to do so when signing up. The IRS has an existing relationship with every tax-paying citizen. It does not need to use our SSN to authenticate us, and could use one of many other bits of information.

Secondly, the URL, http://sa2.www4.irs.gov/irfof/IRServlet?app=IRACTC is simply horrible. The vast majority of users will have no idea if this is a legitimate Web site or not. Why could they not select something a bit more readable, such as "www.irs.gov/stimulus".

At the very least, the IRS should authenticate users with additional information (such as the amount of federal taxes paid in 2008). It already does this for users who wish to e-file. This would at least stop the site being used as an oracle to confirm/guess someone else's SSN.

To see why this is such a bad idea--look at the image below of a phishing scam claiming to be an IRS refund Web site. Now look at the image above, the IRS's new refund status site. Can we really expect most users to tell the difference?