Major IRS Scam Exploits Unpaid Tax Fears

“Underreported Income” message is really a cover for phishing and/or virus-installing IRS scam: Internet Scambusters #359

A new IRS scam is being described as the world’s biggest spam-based phishing and virus attack currently underway.

Claiming that victims have failed to report all their income, it tries to con them into either disclosing personal information or installing a virus onto their PCs.

We have more on this in this week’s Snippets issue, along with information on two other potential identity theft attacks — one that affects parents wishing to volunteer at their kids’ schools.

Time to get going…


It may not be tax season right now, but for crooks it’s always tax scam season — and the latest IRS scam has been labeled the most prominent spam-delivered virus in the world during late summer and fall.

In this Snippets issue of Scambusters, we take a close-up look at this IRS email scam which has turned up on millions of PCs.

We also spotlight two potential identity theft threats — one the revival of a bank failure phishing scam, the other a worrisome experience encountered by a member of the Scambusters team who was asked to put confidential personal information into the hands of her child.

But first, that IRS scam…

Bogus “Notice of Underreported Income”

Messages purporting to come from the IRS have been dropping into millions of email inboxes in recent months, with the ominous subject heading “Notice of Underreported Income.”

This phony IRS spam is said to account for 10% of all email spam sent out during those months.

In one version, the message asks you to click on a link that takes you to a bogus IRS page where you’re asked to provide your Social Security number and credit card information, supposedly to make an additional tax payment.

In other words, it is simply an IRS phishing scam.

In other cases, the message contains an attachment you’re supposed to click to install a tax statement viewer.

In reality, clicking the attachment installs a virus called the Zeus Trojan, which enables the scammers to hack bank accounts.

Researchers say this Trojan — said to be missed by most anti-virus software — has been draining more than a million dollars a day from victims’ accounts.

We’ve said it before and we’ll say it again — the IRS never makes unsolicited contact by email. And when they do use email to respond to a message you sent them, they never ask for personal information.

If you receive this IRS scam message, simply ignore it and delete it. If you’re still worried that it might be genuine (though we assure you it isn’t), contact the IRS by phone.

Just don’t click on that link! And if you already did, contact your bank and the police straightaway.

The Busted Bank Scam

Even though we might be past the worst of the recession, banks are still going bust. And scammers are still using that fact as a ruse to hoodwink unsuspecting victims.

When a bank fails, you should still be able to withdraw your money for up to 30 days after the collapse. If not, provided it’s covered by the FDIC (Federal Deposit Insurance Corporation) as most are, you’ll get a check from the government to cover the money you had on deposit, currently up to $250,000.

Using this as a lever, scammers send out messages to customers of failed banks, pretending to be messages from the FDIC, warning that their ATM cards have been disabled and/or their accounts frozen.

Then — guess what — victims are asked to provide birth date, Social Security number, mother’s maiden name and other personal information. It all adds up to a nasty phishing scam.

As with the IRS case above, the FDIC never asks for information in this way — so never give it. If you’re on the receiving end of a bank collapse and you’re unsure what is happening to your money, contact the bank or the FDIC directly.

Visit the FDIC site for more information.

Should You Entrust a Child With Personal Information?

Would you trust an elementary school child with all of your personal information? That’s the dilemma Scambusters team member Andrea recently faced.

A note from her children’s school district asked her to provide all sorts of information, including Social Security and driver’s license numbers, for background checks that were being performed on all school volunteers and chaperones.

We agree it’s a good idea to do the check. But a fail grade for the way they wanted to do it: the kids were supposed to carry this precious information to school themselves in their backpacks — with a check (containing more personal info) to pay for the verification.

And then, Andrea wondered, if the information did safely complete its journey, who else would have access to it and how would it be stored?

Discovering that many parents were planning to comply without weighing the risks, Andrea raised her concerns with the school board, which decided to shred all of the forms that had been turned in and simply request the name, telephone number, and email of volunteers/chaperones.

These were then to be passed to a background checking company so it could send the volunteers/chaperones a SECURE link to log in and provide additional private information. Subsequently, the school would only be told if individuals had passed or failed the check; no other details would be provided.

With more and more schools rightly requiring background checks on their volunteers, perhaps you might find yourself in a similar situation. If so, we recommend you ask the following questions:

  • How much of my personal information will you require?
  • Who, and how many people, will have access to my personal information?
  • Where will the information be stored and how will it be protected?
  • What is the file retention policy and, when you’re done with it, how will it be disposed of?
  • What information will be gathered in the background checks (e.g., criminal and driving history, civil issues, credit history)?
  • Who will see the results of the background check?
  • And, finally, what constitutes a pass or fail result?

And if, like Andrea, you have concerns about the approach adopted for this activity, or about the answers to the questions we’ve outlined, voice them immediately.

The IRS scam and the other stories in this Snippets issue illustrate perfectly the broad range of identity theft risks each one of us may face.

In fact, a researcher reported back in 2000 that by using only a zip code, date of birth and gender, 87% of Americans can be uniquely identified. It’s that easy.

So, what can you do? Be careful who you release your personal information to. And always ask about the privacy and data retention policies of those who have your personal information.

For more help, visit the Scambusters Identity Theft Center. And stay safe!

That’s a wrap for this issue. Wishing you a great week!