RealTime IT News

Why You Shouldn't Trust (Some) IRS E-mail

WASHINGTON -- At the heart of the U.S. Government's ability to raise funds is the Internal Revenue Service. It stands to reason that hackers find it a useful target.

During a keynote address before a capacity crowd at the Black Hat security conference here, Treasury Department Special Agent Andy Fried discussed in general terms how the IRS is being attacked and what it's doing about it. [cob:Special_Report]

But first, a little history. The first IRS phishing site appeared in 2003, the second in 2004, he noted. Both were quickly shuttered. Today, IRS estimates that over 1600 IRS phishing sites are operating or online at any given time, just looking for potential victims to hand over sensitive data about themselves.

In addition to phishing attempts, Fried noted that the IRS has tracked incidents in which citizens received pretexting calls -- as in a call on a pretext of someone claiming to be from the IRS.

"When people impersonate the IRS, it's a problem," Fried said. "We're seeing calls originate with VoIP and spoofed caller ID. One actually used the voice mail number for the IRS for the caller ID number."[cob:Related_Articles]

Then there are the eFile and Tax rebate scams that fraudsters try out with the help of spoofed e-mail. "None of the IRS scams are overly successful," Fried noted.

But don't forget about the relative value of money in all these attempts to fool customers into turning over their financial data, he continued. For some phishers, especially those working offshore, the money they can steal from one person's data is greater than what they could earn in their home country in a month.

The IRS is trying combat the phishers in many ways, including raising public awareness as well as pursuing aggressive identification and shutdown.

According to Fried, in January, 1 percent of all spam e-mails were IRS phishing scams. That said, when the IRS actually goes to shut down an IRS scam site, the same site often hosts other phishing scams, including those for paypal and others.

He admitted that the efforts are only making a dent in the problem, especially with jurisdictional issues between Federal and local officials, and while tracking incidents and attackers that are outside of the United States.

"The bottom line is that the IRS never initiates contact via e-mail," Fried said. "We will respond to e-mail but we will never initiate it."