First the bad news.
Americans are terrible at recognizing bogus emails until it's too late. But even corporations with seemingly sophisticated security checks in place can fall victim to hackers. Last week's coordinated attacks that hit at least five US banks offered another -- expensive -- reminder of how little we've learned despite years of hectoring by cybersecurity wonks.
Now the worse news.
Even though browsers, Internet service providers and employers weed out more cyber-booby-traps than ever, scam artists keep managing to find ways to separate you from your wallet. And they're quite good at it, applying social-engineering techniques perfected through long practice phishing the Internet to work their myriad cons.
And they're finding ways to ply their tradecraft on both sides of the digital-analog divide, such as this doozy: Starting last fall, scammers began passing themselves off as investigators for the Internal Revenue Service. Using the Internet, it was easy for them to find the names, addresses and phone numbers of would-be victims, whom they call and threaten with arrest for failing to pay their taxes. They're also sending out phony IRS emails to back up their phone calls. Presto! You're a victim of social engineering. Who said cybercrime has to mean mucking about in software code?
The choice of the IRS was a stroke of genius. Even if someone fully pays Uncle Sam, there's always going to be doubt left in their minds. We've all been there: Did I cut one too many corners claiming deductions? Did my accountant get a bit too creative? Did I flub basic math and add wrong? Any and all of the above?
And the bad guys are still working it. The US Treasury Department's Inspector General J. Russell George has described it as "the biggest scam that we've seen this year."
As of mid-August, some 90,000 people had called a government hotline to notify authorities. Truth be told, the phony IRS agents do make a convincing sales pitch.
I ought to know: I was one of the folks they targeted.
Fork over your money, bub
"This is Richard Harris of the Department of Legal Affairs for the US Treasury," announced the voice on the other end of the line when I picked up the phone this week.
"Harris" informed me that my wife had failed to pay her 2009 taxes to the IRS and that a policeman was coming to our home.
"You're in violation of the law and your wife will be arrested," he said. What's more, he told me the last four numbers of her Social Security number.
Truth be told, my heart skipped a beat when I heard the words "police" and "IRS" in the same sentence. You'd be hard-pressed to find a US institution more feared. And since anybody of sound mind wants to remain on the agency's good side, I paid close attention as "Harris" ran through his bill of particulars -- just in case.
But it didn't take long to figure out what was going on. When I kept interrupting with questions, he turned surly. This was not standard procedure.
"Excuse me, pal, but you don't really work with the IRS, do you?" I said, adding a few choice suggestions that can't be reproduced in a family publication. Harris responded in kind and hung up the phone.
Unfortunately, all too many people are still getting taken in by the hoax.
"People in general are so naive about this stuff," said Robert Siciliano, a McAfee online security expert. "They want to believe that the person on the other end is actually real. It's much more convenient and pleasant to believe that the person calling you is legit. We don't want to believe that evil is calling us."
But it is.
The IRS says the ruse has so far taken in about 1,100 victims who have lost an estimated $5 million, according to the Treasury Department, making it the largest-ever phone fraud in the US.
I've since tried calling "Harris" for further comment, but the folks answering the calls -- on what's obviously a spoofed phone line -- hang up immediately after I identify myself as a reporter. Shocking, I know.
And it's likely to get worse. So-called "sucker lists" are now available for purchase that contain names and contact information of people who have fallen previously for similar phone scams. And the lists get longer each year.
The target profile is usually someone 55 or older -- particularly people older than 70, who are less savvy about these scams and more trusting than someone who grew up with the Internet.
Consumer game plan
It's something they're going to have to get used to as the new normal. What with the dramatic uptick in robocalls, anyone can now jump on the bandwagon -- including scammers. The message might even sound as if it's coming from Citibank or Bank of America, with the scammers using the bank's own voice-over in their script and then following it up with an email.
"It's difficult, if not impossible, to stop," says Siciliano.
The IRS has published pointers on its website to help identify the scams:
Your first contact with the IRS will not be a call from out of the blue.
If the person on the phone starts getting angry or threatening, hang up.
The IRS is not going to call and demand credit or debit card payment over the telephone. By the same token, the agency won't insist on specific ways to pay your tax bill.
The scammers may call later pretending to be from the police or the Department of Motor Vehicles, using faked phone numbers that may show up on caller ID. IRS spokesman Mark Hanson says that scammers are now able to spoof the caller ID and in some instances your phone will show an IRS number. But if you called the IRS, you'd discover that it was a scam.
"One thing we are telling people is to try and recognize these scams up front so you don't fall into a trap," Hanson told me.
That's getting harder all the time.