IRS Tax Refund Phishing Scam

By , About.com Guide

November 30, 2005

A security flaw on a US government website has been exploited by a phishing scam claiming to be an IRS refund notification. The phishing email claims the recipient is eligible for a tax refund of $571.94. The email then tries to gain credibility by instructing recipients to copy/paste the URL rather than clicking it. It can afford to do so because the link actually does point to a page on a legitimate government website, http://www.govbenefits.gov. The problem is that the targeted page on that site allows the phishers to 'bounce' the user to another site altogether.

The email used in the original IRS tax refund phishing scam can be viewed in the Phishing Scams Walkthrough. The subject line of the scam reads: [IRS] Tax Refund. The text of the email claims "You are eligible to recieve a tax refund for $571.94" and instructs the recipient to access the link provided in the email. The IRS tax refund phishing scam email also reads, "12 days left to apply for your refund. You may not receive your refund as quickly as you expected. A refund can be delayed for a variety of reasons. For example, a name and Social Security number listed on the tax return may not match the IRS records. You may have failed to electronically sign the return or applied after the deadline." The email then claims, "This email has been sent by the Internal Revenue Service, a bureau of the Department of the Treasury."

While at first glance the IRS tax refund phishing scam may seem clever, it shouldn't fool savvy users. First, the IRS doesn't use email to correspond with taxpayers regarding refunds. Second, the redirect (?url=) can be plainly seen in the link. And third, any link received in email that contains obfuscating characters should be viewed with suspicion.
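The two link-level warning signs above (a visible `?url=` redirect to another host, and obfuscating characters) can be checked mechanically. The Python below is an added example, not part of the original article; the function name `redirect_findings` is hypothetical, and the sample links use constructed `.example` placeholder hosts rather than the real URLs from the scam.

```python
import re
from urllib.parse import parse_qsl, unquote, urlsplit

def redirect_findings(link):
    """Return (kind, detail) tuples explaining why a link looks like a bounce."""
    findings = []
    parts = urlsplit(link)
    visible_host = (parts.hostname or "").lower()

    # parse_qsl percent-decodes each value once; unquote() again so a
    # double-encoded target (http%253A%252F%252F...) is still recognised.
    for name, value in parse_qsl(parts.query, keep_blank_values=True):
        decoded = unquote(value).strip()
        if decoded.startswith("//"):          # scheme-relative target
            decoded = "http:" + decoded
        try:
            target = urlsplit(decoded)
            target_host = (target.hostname or "").lower()
        except ValueError:                    # malformed value, not a URL
            continue
        # Strict comparison: any host other than the visible one is reported.
        if target.scheme in ("http", "https") and target_host not in ("", visible_host):
            findings.append(("redirect", f"{name} -> {target_host}"))

    # Letters and digits never need percent-encoding, so escapes that decode
    # to them exist only to hide the text from the reader.
    hidden = [h for h in re.findall(r"%([0-9A-Fa-f]{2})", link)
              if chr(int(h, 16)).isascii() and chr(int(h, 16)).isalnum()]
    if hidden:
        findings.append(("obfuscation", f"{len(hidden)} encoded letters/digits"))
    return findings

# Constructed sample links (hosts under .example are placeholders).
SAMPLES = [
    "http://www.agency.example/jump?url=http://refund-claim.example/irs/",
    "http://www.agency.example/jump?url=%68%74%74%70%3A%2F%2Frefund-claim.example/irs/",
    "http://www.agency.example/search?q=tax+refund&next=/benefits",
]

if __name__ == "__main__":
    for link in SAMPLES:
        print(link, redirect_findings(link) or "no findings")
```

The host comparison is deliberately strict, so a redirect from one subdomain to another on the same site is also reported and needs a human look.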

Both the targeted page and the redirected site have since been removed, but the security flaw itself reportedly still exists. This means that while the original IRS tax refund phishing scam may no longer function, similar scams could soon follow.

If you receive an email from any source that leads to a site requesting personal or financial information, stop and think. Contact the company in question (e.g., your bank, the IRS, eBay, or whoever the pretend sender is) by conventional means (phone, letter, personal visit) and verify that the information in the email is indeed valid. Chances are, it is not.

©2009 About.com, a part of The New York Times Company.

All rights reserved.