Tax season brings phishing and other scams

As the April 15 tax filing deadline approaches, security experts warn people to beware of phishing scams and fake tax-filing Web sites and tax preparation software.

Elinor Mills Former Staff Writer
Elinor Mills covers Internet security and privacy. She joined CNET News in 2005 after working as a foreign correspondent for Reuters in Portugal and writing for The Industry Standard, the IDG News Service and the Associated Press.

Two things to remember as you prepare to file your taxes: If you get an e-mail from the IRS, it's probably a scam. And don't forget the stamp.

As the April 15 tax filing date nears, online tax-related scams tend to ratchet up, experts say. If you're not careful, you could lose a lot more than just the refund.

"Filing your taxes online is extremely convenient, however if you want to maintain the privacy of your data, you need to ensure that you are connecting to the proper Web site, that the connection is using encryption, and that your computer is free from any malware. If any of these components are compromised then your data is not safe," Ryan Barnett, director of application security research for Breach Security, said on Friday.

"This would be like going to an ATM machine to withdraw money and allowing everyone around you to see your PIN number as you punch it in," he added.

Not only do people have to take precautions in storing and transmitting their data over the Internet, but they also have to be wary of social engineering-type ruses that scammers use to trick people into giving out their sensitive data.

Probably the most common type of tax season scam is the fake IRS phishing e-mail. These e-mails claim either to deliver a tax refund or to offer help filing for a refund, settling tax debt, or other aid. (Not long ago, scammers were offering economic stimulus payments, even before the plan was approved.) They provide a link to a Web site where the visitor is prompted to type in personal data like a Social Security number. Don't trust it, experts say.

"The IRS will never send you an e-mail, especially not to ask you for information," said Johannes Ullrich, chief technology officer of the Internet Storm Center at the SANS Institute security organization.

In its latest monthly spam report, Symantec has a list of the top 20 tax-related subject lines. The list includes: "rebate processor position - we need your help now," "do you owe tax debt? read on," "fast & accurate tax refund," and "$389 desktop, $499 laptop. Amazing tax season 2-day sale."

Also cropping up are fake tax Web sites that offer to electronically file or prepare taxes for individuals. They ask for information, including bank account information, supposedly for automatic deposit of refunds. However, the sites just steal the data, which can be used for identity fraud and outright theft later.

Using search engines to find someone to prepare or file your taxes is also fraught with risk. Don't do a search on Google using generic tax preparation-related terms or you could get lured by one of the many fake tax-related Web sites, Ullrich said.

"Stick with a name you know, like a big tax office," and search for them or type the URL in the browser, he said.

The IRS has a list of companies that are authorized to do electronic filing but the IRS site doesn't include the exact Web address, according to Ullrich. The IRS site for free e-filing is here.

Beware of bargain prices
Scammers are also selling, at bargain prices, alleged tax preparation software that is actually bogus and instead steals your data, said Breach Security's Barnett. "Don't just download the next best free tax preparation software package," he said.

Another potential risk comes from programs that may be on the computer that you don't know about, and not just malware. For instance, if teenagers who use the same computer on which the taxes are prepared have downloaded peer-to-peer software, make sure the application's settings do not allow access to areas of the computer where sensitive data, like tax information, is stored.

Given the propensity for inadvertent file sharing, it might be wise to not use peer-to-peer programs on the same computer where tax data is located, said Coley Hudgins, executive director of Arts+Labs, a venture formed by Microsoft, Cisco, AT&T, NBC, and the Songwriters Guild of America that opposes the use of peer-to-peer networks for sharing copyright-protected content.

Once you've filed your tax forms, don't just sit back and wait for the refund check to arrive. Take precautions to protect the data stored on your hard drive from being stolen by either encrypting it or copying it to a CD and then deleting it from the computer, experts advised.

To protect against key-loggers, which record every keystroke and send the data off to thieves, and against other spyware, people should keep their antivirus and other security software updated and their operating systems and applications updated with the latest security patches.

In a sign that at least some people are being cautious, consumers who have filed using Intuit's TurboTax program have been reporting legitimate e-mails from Santa Barbara Bank as fraudulent spam because they link to a site that doesn't look like it is the bank's site, said Andy Klein, a product manager at security firm SonicWall. However, the bank is a transfer agent for the IRS and the Web site in the e-mail is legitimate, offering people a way to check on the status of their refund, he said.

People who don't trust a link should type the URL into the browser to go straight to the correct Web site, Klein said.

And as for anything related to tax filing, he said: "When in doubt, pick up the phone or go straight to the IRS Web site."