“Underreported Income” message is really a cover for phishing and/or virus-installing IRS scam: Internet Scambusters #359
A new IRS scam is being hailed as the world’s biggest
spam-based phishing and virus attack currently underway.
Claiming that victims have failed to report all their income,
it tries to con them into either disclosing personal
information or installing a virus onto their PCs.
We have more on this in this week’s Snippets issue, along with
information on two other potential identity theft attacks –
one that affects parents wishing to volunteer at their kids’
Before we get started, we suggest you visit last week’s most
popular articles from our other websites:
Shop Now and Get the Cheapest Airfare for the Holidays: Don’t wait
until the last minute to snap up those href="http://www.consumersavvytips.org/shop_now_and_get_the_cheapest_airfare_for_the_holidays.html"
target="_blank">cheap holiday airfare deals the airlines make to
fill the planes.
Why You Need to Compare Credit Cards: There is no better time to
target="_blank">compare credit cards and make a move than now.
Educational Gifts from the Best Mom Ever:
target="_blank">Fantastic educational gifts for kids that are
guaranteed to give your children a literal scream.
Where to Go For The Best Online Coupons: Get the scoop on the many
sites that feature href="http://www.consumertipsreports.org/top_five_online_coupon_sites.html"
target="_blank">online coupons, letting you know where the best
deals can be had.
Time to get going…
Major IRS Scam Exploits Unpaid Tax Fears
It may not be tax season right now, but for crooks it’s always
tax scam season — and the latest IRS scam has been labeled the
most prominent spam-delivered virus in the world during late
summer and fall.
In this Snippets issue of Scambusters, we take a close-up look
at this IRS email scam which has turned up on millions of PCs.
We also spotlight two potential identity theft threats — one
the revival of a bank failure phishing scam, the other a
worrisome experience encountered by a member of the
Scambusters team who was asked to put confidential personal
information into the hands of her child.
But first, that IRS scam…
Bogus “Notice of Underreported Income”
Messages purporting to come from the IRS have been dropping
into millions of email inboxes in recent months, with the
ominous subject heading “Notice of Underreported Income.”
This phony IRS spam is said to account for 10% of all email
spam sent out during those months.
In one version, the message asks you to click on a link that
takes you to a bogus IRS page where you’re asked to provide
your Social Security number and credit card information,
supposedly to make an additional tax payment.
In other words, it is simply an IRS phishing scam.
In other cases, the message contains an attachment you’re
supposed to click to install a tax statement viewer.
In reality, clicking the attachment installs a virus called
the Zeus Trojan, which enables the scammers to hack bank
Researchers say this Trojan — said to be missed by most
anti-virus software — has been draining more than a million
dollars a day from victims’ accounts.
We’ve said it before and we’ll say it again — the IRS never
makes unsolicited contact by email. And when they do use email
to respond to a message you sent them, they never ask for
If you receive this IRS scam message, simply ignore it and
delete it. If you’re still worried that it might be genuine
(though we assure you it isn’t), contact the IRS by phone.
Just don’t click on that link! And if you already did, contact
your bank and the police straightaway.
The Busted Bank Scam
Even though we might be past the worst of the recession, banks
are still going bust. And scammers are still using that fact
as a ruse to hoodwink unsuspecting victims.
When a bank fails, you should still be able to withdraw your
money for up to 30 days after the collapse. If not, provided
it’s covered by the FDIC (Federal Deposit Insurance
Corporation) as most are, you’ll get a check from the
government to cover the money you had on deposit, currently up
Using this as a lever, scammers send out messages to customers
of failed banks, pretending to be messages from the FDIC,
warning that their ATM cards have been disabled and/or their
Then — guess what — victims are asked to provide birth date,
Social Security number, mother’s maiden name and other
personal information. It all adds up to a nasty phishing scam.
As with the IRS case above, the FDIC never asks for
information in this way — so never give it. If you’re on the
receiving end of a bank collapse and you’re unsure what is
happening to your money, contact the bank or the FDIC
Visit the FDIC
site for more information.
Should You Entrust a Child With Personal Information?
Would you trust an elementary school child with all of your
personal information? That’s the dilemma Scambusters team
member Andrea recently faced.
A note from her children’s school district asked her to
provide all sorts of information, including Social Security
and driver’s license numbers, for background checks that were
being performed on all school volunteers and chaperones.
We agree it’s a good idea to do the check. But a fail grade
for the way they wanted to do it: the kids were supposed to
carry this precious information to school themselves in their
backpacks — with a check (containing more personal info) to
pay for the verification.
And then, Andrea wondered, if the information did safely
complete its journey, who else would have access to it and how
would it be stored?
Discovering that many parents were planning to comply without
weighing the risks, Andrea raised her concerns with the school
board who decided to shred all of the forms that had been
turned in and simply request the name, telephone number, and
email of volunteers/chaperones.
These were then to be passed to a background checking company
so they could send the volunteer/chaperones a SECURE link to
log in and provide additional private information.
Subsequently, the school would only be told if individuals had
passed or failed the check; no other details would be provided.
With more and more schools rightly requiring background checks
on their volunteers, perhaps you might find yourself in a
similar situation. If so, we recommend you ask the following
How much of my personal information will you require?
Who, and how many people, will have access to my personal
Where will the information be stored and how will it be
What is the file retention policy and, when you’re done with
it, how will it be disposed of?
What information will be gathered in the background checks
(e.g., criminal and driving history, civil issues, credit history)?
Who will see the results of the background check?
And, finally, what constitutes a pass or fail result?
And if, like Andrea, you have concerns about the approach
adopted for this activity, or about the answers to the
questions we’ve outlined, voice them immediately.
The IRS scam and the other stories in this Snippets issue
illustrate perfectly the broad range of identity theft risks
each one of us may face.
In fact, a researcher reported back in 2000 that by using only
a zip code, date of birth and gender, 87% of Americans can be
uniquely identified. It’s that easy.
So, what can you do? Be careful who you release your personal
information to. And always ask about the privacy and data
retention policies of those who have your personal information.
That’s a wrap for this issue. Wishing you a great week!