Posted by Lance Koonce

Yesterday, my accountant called me to let me know that my 2006 federal tax return was complete, and that I was getting a refund. He then confirmed that he would be filing the return electronically after we finished our call.

This morning, the following email showed up in my inbox:

From:              Internal Revenue Service [[email protected]]

To:                   Koonce, Lance

Subject:            IRS Notification - Tax refund

After the last annual calculations of your fiscal activity we have determined that
you are eligible to receive a tax refund of $249.30
Please submit the tax refund request and allow us 3-6 days in order to
process it.

A refund can be delayed for a variety of reasons.
For example submitting invalid records or applying after the deadline.

To access the form for your tax refund, please click here

Regards,
Internal Revenue Service

© Copyright 2007, Internal Revenue Service U.S.A. All rights reserved.

Now, I knew my refund was not for $249.30, unless my accountant did some seriously bad math.  But the proximity of the email after the e-filing almost convinced me this was legit. 

Then I checked the URL for the “click here” link: 

http://www.[WEBSITENAMEWITHHELD].ie/catalog/images/banners/.Thumbs.db/.www.irs.gov/pas.php?certegy_vm=trueportlet_change_1_actionOverrideFchaseonlineFchangeFsigninDetails_windowLabel_portlet_signin_pageLabel_page_signin

Hmmm…that doesn’t really seem like an IRS server, does it? So, convinced that I was dealing with a phishing scam, I did a bit of online research and found multiple articles about this particular scam, including this recent report on the actual IRS site. Not surprisingly, this scam is not new, but it’s being recycled as the October 15th deadline approaches. 
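The check made by eye above (which server does the link actually reach, and where does "irs.gov" sit in the URL?) can be automated. The following is an added example, not part of the original post: the `.example` host is a constructed stand-in for the withheld domain, and the function and finding names are made up for illustration. It also flags two related disguises the post does not discuss, the expected name placed before an `@` or used as a label of another domain.

```python
from urllib.parse import urlsplit

EXPECTED = "irs.gov"  # assumption: the one domain the message claims to come from

# Constructed sample: same path as the link in the post, with a reserved
# .example host standing in for the withheld domain.
SAMPLE = ("http://www.hijacked-shop.example/catalog/images/banners/"
          ".Thumbs.db/.www.irs.gov/pas.php?certegy_vm=true")


def inspect_link(url, expected=EXPECTED):
    """Return {finding: detail} for a link that claims to lead to `expected`.

    An empty dict means the host really is `expected` or one of its subdomains.
    """
    parts = urlsplit(url)
    host = (parts.hostname or "").lower().rstrip(".")
    if host == expected or host.endswith("." + expected):
        return {}

    findings = {"host-mismatch": f"server is {host!r}, not under {expected}"}
    # Everything after the host is chosen by whoever controls the server.
    if expected in (parts.path + "?" + parts.query).lower():
        findings["name-in-path"] = f"{expected} appears after the host"
    # The expected name as a label of some other domain (irs.gov.other.example).
    if expected in host:
        findings["name-in-host"] = f"{expected} is embedded in {host!r}"
    # Text before '@' is login info, not the destination.
    if parts.username:
        findings["userinfo"] = f"{parts.username!r} precedes '@' and is not the host"
    # Dot-prefixed directories are hidden from ordinary listings on many servers.
    hidden = [s for s in parts.path.split("/") if s.startswith(".") and s.strip(".")]
    if hidden:
        findings["hidden-dirs"] = ", ".join(hidden)
    return findings


if __name__ == "__main__":
    for finding, detail in inspect_link(SAMPLE).items():
        print(f"{finding}: {detail}")
```
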

The user who clicks on the link gets taken to a bogus site that asks for debit card info to process the return. In my case, the hyperlink was already broken – whatever bogus IRS web page appeared at that address has already been disabled. Sometimes this occurs because the site is being hosted unwittingly on a third party’s site, and the party being hijacked in this way discovers what’s going on and disables the page – I suspect that may be what occurred here, which is why I withheld the actual underlying domain name above.

The real question is, was the serendipitous timing of this email that I received pure dumb luck, or was something else at work? If the latter, how would someone know my return had just been e-filed? 

I’m working with my accountant to determine if there might be a piece of malicious code running on their computers – perhaps a bug that was recently targeted at accountants in order to track e-filings and use that information. This would be very troubling, for a number of reasons.

Even more troubling is the possibility that there’s a breach on the IRS side of things, but I think that unlikely and I’d be jumping the gun to suggest that either scenario is possible. 

Still, it’s worth getting to the bottom of this, just in case the timing was intentional. Hopefully it was just my bad luck, but we’ll keep you posted. And in the meantime, remember: the IRS does not send emails asking for your personal information.

They already have it.

Updated 11:47am EST, 10/2/07:

Based on the number of reports we've been getting about this scam, it seems that in all likelihood my own experience was just the result of bad timing (or good, if you're the phisher).  But I suppose it's a good reminder that phishing scams are designed to work just this way: to prey on those who have a reason to believe or trust that the email is genuine. 

Updated 12:34 pm EST, 10/2/07:

I am embarrassed to say that I missed something else suggesting that this was a scam. Thanks to Marshall Nelson for pointing out that the copyright notice on the page -- "© Copyright 2007, Internal Revenue Service U.S.A. All rights reserved." -- is a huge tip-off, as works of the US government are not subject to copyright protection.