IRS Phishing Scams Focus on Refunds, Stimulus Payments

In May and June alone, taxpayers reported almost 700 separate phishing incidents to the IRS. In 2008 so far, taxpayers have reported about 1,600 phishing incidents to the agency.

Although most of these scams consist of e-mails requesting detailed personal information, the IRS:

• generally does not send e-mails to taxpayers,
• does not discuss tax account matters with taxpayers in e-mails, and
• does not request security-related personal information, such as PIN numbers, from taxpayers.  

The most common scams involve tax refunds and, this year, economic stimulus payments.

Refund e-Mail Scam

There are several variations of the refund scam, in which an e-mail claiming to come from the IRS falsely informs the recipient that he or she is eligible for a tax refund for a specific amount (see  IRS Refund E-mail Another Phishing Expedition ). The bogus e-mail instructs the recipient to click on a link to access a refund claim form. The form requests personal information that the scammers can use to access the e-mail recipient’s bank or credit card account.  

This notification is phony. The IRS does not send unsolicited e-mail about tax account matters to taxpayers.   Filing a tax return is the only way to apply for a tax refund; there is no separate application form (if you want to find out if you are due a refund from your last annual tax return filing, you can use the “Where’s My Refund?” interactive application on the IRS Web site at IRS.gov ( http://www.irs.gov/individuals/article/0,,id=96596,00.html).

Economic Stimulus Payments Scam

In this scam, a taxpayer receives an e-mail pretending to come from the IRS which tells the recipient he or she is eligible for an economic stimulus payment (see  No Action Required for Stimulus Payment: IRS ). The message recommends direct deposit into the taxpayer's checking or savings account, but to receive the payment, you are told to click on a link to complete and submit an online form by a certain date; otherwise, the e-mail warns, payment may be delayed. The form requests personal and financial data, including checking or savings account numbers that the scammers can use to gain access to the accounts.

In reality, the so-called economic stimulus payments are triggered by filing a tax return with the IRS, not a special form. Additionally, the IRS does not request personal or financial information via e-mail.   You can find information on how to obtain an economic stimulus payment in the aptly named Economic Stimulus Payment Information Center on the IRS Web site at http://www.irs.gov/newsroom/article/0,,id=177937,00.html

Substitute Form 1040 Fax Scam

This scam consists of a cover letter and form that are faxed, rather than e-mailed. The cover letter is addressed "Dear Valued Tax Payer (sic)" and appears to be signed by an IRS employee. The letter says that the IRS is updating its files and that recipients who supply the requested information will receive a nominal tax refund. It also states that those who fail to immediately return the completed form risk additional tax and withholding. The attached form is labeled a substitute Form 1040 and is titled "Certificate of Current Status of Beneficial Owner For United States Tax Recertification & Withholding." It requests a large amount of detailed personal and financial information, such as mother's maiden name (often used in security screening), bank account numbers, estimated assets and more. It asks the recipient to sign and fax back the completed form, as well as a copy of the recipient's driver's license and passport.

The letter, signature and form are all fraudulent. Moreover, the IRS does not send unsolicited faxes to taxpayers and does not request such detailed personal and financial information.   This is a variant of earlier scams. For more information, see news releases IR-2004-104 and IR-2004-75.  

Company Report Scam

This e-mail appears to come from an IRS.gov e-mail address, addresses recipients by name and references the company the recipient works for. These personalized details may convince the recipient that the e-mail is legitimate. The e-mail says that the IRS has a report on the company and asks the recipient to review a copy by clicking on a link to download the report. However, when the link is clicked, malware is downloaded to the recipient's computer.

There are various types of malware, which can hijack a victim's computer hard drive to give someone remote access to the computer, search for passwords and other information and send them to the scammer, or cause other types of identity theft or damage.

The IRS does not compile reports on companies or send e-mails to company staff asking them to review a report. Generally, the IRS does not send unsolicited e-mails to taxpayers.

Tax Court Scam

In this scam, an e-mail that appears to come from the U.S. Tax Court contains a petition involving a court case between the IRS and the recipient. The document instructs the recipient to download other files. The downloads transfer malware, or malicious code, to the recipient's computer.   As in the company report scam, there are various types of malware, which, for example, can hijack a victim's computer hard drive to give someone remote access to the computer, or can search for passwords and other information and send them to the scammer.

The truth is that the Tax Court is not e-mailing notices to anyone who currently has a case before the court. You can visit the court's Web site atfor more information. Recipients are advised to avoid clicking on any links in the e-mail and to delete the e-mail.

Anyone wishing to access the IRS Web site should type www.irs.gov , rather than clicking on a link in an e-mail or opening an attachment, either of which may download malicious code or send the recipient to a phony Web site.

If you have received a questionable e-mail claiming to come from the IRS, you can forward it to the following address: phishing@irs.gov .

You can find more information - and view samples of some of the fake emails - at http://www.irs.gov/privacy/article/0,,id=179820,00.html