Get the latest tech news How to check Is Temu legit? How to delete trackers
TECH
Seattle

Bogus IRS e-mail swamps the Internet yet again

Byron Acohido, USA TODAY
This bogus IRS e-mail lures the recipient into clicking on a tainted PDF attachment
  • Faked messages part of scams to divert your tax refund to cyberthieves
  • Crooks will tweak messages and continue scams through May and June
  • IRS urged to embrace e-mail security standard that could stymie scammers

SEATTLE -- The deadline for filing taxes may expire today , but cybercriminals impersonating the IRS in e-mail scams crafted to steal your tax refund are just getting warmed up.

An estimated 95% of the e-mail moving across the Internet in the last three months -- and purporting to come from IRS.gov -- was fraudulent, according to results of an e-mail traffic survey supplied exclusively to USA TODAY by messaging security firm Agari.

"Like the sun rises in east and sets in the west, every year, come April, phishers who specialize in tax fraud come out to try to get you," Agari CEO Patrick Peterson says.

What's more, security experts warn that e-mail messages crafted to look like official IRS inquiries, but designed to steal personal information and reroute tax refunds to accounts controlled by organized theft rings, will continue at a high rate through May and June.

"They'll send e-mail confirming they've received your tax return and need more information," says Limor Kessem, cybercrime and online fraud specialist at RSA's anti-fraud command center in Tel Aviv, Israel. "That's an e-mail you should delete immediately."

Cybercriminals are well-versed in local, state and federal tax rules throughout the U.S. and in other nations. They'll use bogus forms to trick a victim into divulging log-on credentials for tax authority and bank accounts. Or they'll entice the victim into clicking a malicious attachment or Web link that turns control over to the attacker.

Patrick Peterson is CEO of Agari

In short order, tax scammers can find out if a tax return has already been filed, note the refund amount and modify where the refund should be sent. If the opportunity arises, they'll file a faked return and route the refund into their hands, says Kessem.

Part of the reason bogus IRS e-mail continues to swamp the Internet this time of year is because the agency has not yet adopted a year-old technical standard called DMARC, an acronym for Domain-based Message Authentication, Reporting & Conformance.

DMARC standardizes how major online companies, such as Facebook and Netflix, prove the authenticity of legitimate e-mail sent to customers. Major Internet Service Providers Comcast and China's NetEase, as well as the major providers of free Web mail -- Microsoft, Google, Yahoo and AOL -- all support DMARC.

Any phisher who tries to send a bogus Facebook or Netflix e-mail that uses the free e-mail services or ISPs supporting DMARC gets blocked. DMARC has been lobbying the IRS to adopt the standard.

"Companies and organizations need to take a proactive approach to protect their consumers from phishing by implementing the DMARC standard," says Peterson, who helped draft the standard. "Until then, these types of attacks will continue to occur."

Featured Weekly Ad