Watch CBS News

Markets

New 'IRS' Phishing Scam: A Criminal Gang Is In Your Mailbox

By Jane Quinn

/ MoneyWatch

If an IRS warning suddenly pops up in your email, do not -- repeat, not -- click on the link. Trust me, the government isn't reaching out to help you. You're being phished, and not by a garden-variety spammer. You're hearing from Avalanche, the largest and one of the most sophisticated criminal gangs on the Web.

I got a string of those "urgent" IRS messages this week, claiming that I'd made a paperwork mistake when I paid my tax. The headings read, "LAST NOTICE: We decline your Federal tax payment," followed by an ID number. Or, "LAST NOTICE: The Identification Number used in the company identification field is not valid."

The first message gave me pause. Who among us doesn't hate to hear from the Internal Revenue Service? The email appeared to come from the Electronic Federal Tax Payment System (ETFPS), which is the website you use when paying your income taxes online. I thought for a couple of seconds. Could I have made a tax mistake?

Then good sense took over. The IRS does not get in touch with taxpayers by email. It sends you one of those mean-looking envelopes with a lot of black type in the upper left-hand corner. I wriggled off the phish-hook and hit Delete.

To anyone caught by this scam, the news is bad. International e-crooks have stepped up their game, says Greg Aaron, director of domain security at Aflias, an internet infrastructure company. You're at even greater risk than you thought.

A traditional phisher wants personal financial information. You might be told that a Federal Express package was misdirected or that there's a question about your bank account. If you click, you're sent to a second screen where you're asked to "update" or "validate" your current data -- your credit card number, Social Security number, or the number and password of your bank account. The second half of 2009 saw a record number of unique phishing attacks, reports Aaron, co-author of the Global Phishing Survey sponsored by the internet industry's Anti-Phishing Working Group. By now, all but the most careless of consumers have caught on and refuse to play.

Hence, the change in tactics. In place of traditional phishing, Avalanche and its copycats have seized on a dangerous piece of malware known as the Zeus banking Trojan. If you click on the link provided by the LAST NOTICE IRS email, you might be taken only to an innocuous information page. You'd read, delete, and move on to something else. During those few moments, however, the malware will zap itself into your machine.

You won't even know that you're harboring Zeus. But -- like the Dementors in the Harry Potter stories -- it's sucking out your computer's soul. It grabs the user names and passwords to the bank and mutual fund accounts that you manage online, and logs in to drain them dry. It sweeps up your address book, to spread itself to the computers of your contacts and friends. If you happen to be online with your bank when Zeus pops in, it will show you the real numbers while, in the background, it's pulling money out.

If Zeus gets lucky, it finds computers with links to the accounts of small businesses, school districts, municipalities, colleges, or other institutions and drains them, too. Avalanche is also creating shortened links, to scame you through Twitter, too.

Zeus has been around for a while, Aaron says. The basic package -- bought from criminal sites online -- costs a few thousand dollars, plus extra for add-ons. What's new is that Avalanche industrialized it, making it easy and fast to launch thousands of attacks, virtually all at once. The LAST NOTICE scam is the least of it.

The Anti-Phishing group has a single message for you. Don't let your fingers fly over your email messages. Stop and think before you connect to any link. For example: Don't open any business email that you're not expecting. If you have a question, call or email the business yourself. Don't call the number that the questionable email shows, it might misdirect you to the scammer's line. If you email the business, check the address and type it into the URL line yourself, don't copy-and-paste the address that the questionable notice shows.

Zeus gets into Twitter, too -- The group offers many more tips here.
On a personal note, I'd suggest that you ignore emailed birthday cards. Two years ago, I opened one that appeared to come from a good friend. Big mistake. My "good friend" started sending streams of porn. It took me more than a year to get the problem under control.

More on MoneyWatch:
Foreclosure Fraud: How You Can Be Driven to Default Even If You Pay On Time
Student Loans: It's Time to Reform the Laws That Treat Students Like Crooks
Beware New Home Equity Scam

First published on October 20, 2010 / 3:37 PM EDT

© 2010 CBS Interactive Inc. All Rights Reserved.

View CBS News In
CBS News App Open
Chrome Safari Continue
Be the first to know
Get browser notifications for breaking news, live events, and exclusive reporting.