Phishing, Taxes, The US Treasury and You
It's that time of the year, folks -- a swarm of emails has been going out from spoofed addresses, claiming to be from the customer service section of the Electronic Federal Tax Payment System (eftps.gov).
NOTE: The IRS never sends emails to taxpayers. Pass that tidbit on, and help take a bite out of cybercrime...
It starts off with the following:
From: EFTPS Tax Payment [mailto:email@example.com]
Sent: today, this month, real recent time
Subject: Your Federal Tax Payment has been rejected. Report ID: xxxxxxxx (some numbers, sometimes sequential if from the same spammer/phisher/cyber-criminal/needle-dicked bugfvcker)
Your Federal Tax Payment ID: 012345678 has been rejected.
Return Reason Code R21 - The identification number used in the Company Identification Field is not valid.
Please, check the information and refer to Code R21 to get details about your company payment in transaction contacts section: http://eftps.gov/R21
In other way forward information to your accountant adviser.
EFTPS: The Electronic Federal Tax Payment System
PLEASE NOTE: Your tax payment is due regardless of EFTPS online
availability. In case of an emergency, you can always make your tax payment by calling the EFTPS.
What changes, slightly, is the subject (sometimes the message has "URGENT" at the start of the subject, sometimes not) and the content (sometimes the line "In other way forward information to your accountant adviser" is present, sometimes not). The URL "eftps.gov/R21" is not the actual URL that the message redirects you to -- that's just the URL label. The actual URL differs, usually directing people to a server in Russia through a variant of the domain name "eftpsxxxxx.com" where the "xxxxx" is a series of numbers. A traceroute on the various URLs comes back with different domain hosts / admin information, but the email headers from any message you receive usually include an IP address (and sometimes a source node) for where the message may actually be from -- or at least one of the potential zombie machines it was sent from.
Should you receive any such emails (I've received about 12 so far over the past few days), there's a quick and easy way to report them to the IRS (see below). In general, any time you receive a suspicious email claiming to be from the Treasury or US government, you can go to the US Treasury's website for contact information about how to report the phishing attempt, or -- if you've been a victim of a cybercrime, particularly if you've lost money or property -- you can go straight to the IC3 site and file a complaint (or 2, or 3 -- or 12 -- as the case may be).
For this particular email scam and for cases specifically involving the IRS and tax scams, go to the IRS page for more information. The IRS is already aware of this particular scam, but you should still report it and provide the details of the email source to help their cybercrime investigators track the perpetrators. A simple way to do this, and to report these types of fraud in general, is the following:
- View and copy the full header information of the email.
- Forward the email message to firstname.lastname@example.org, with a copy of the full header information pasted within.
Whatever you do, do not click on the links of any suspicious emails, even those purporting to be from the IRS or US Government, unless you can be sure that the link goes to where it says it is going.
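One way to check where a link really goes without clicking it is to compare the hostname shown in the link text with the hostname in its href. The following is an added example, not part of the original post; the function names and the sample HTML (including the placeholder domain eftps00000.com) are constructed for illustration.

```python
import re
from html.parser import HTMLParser
from urllib.parse import urlsplit

# Lookalike pattern described in the post: "eftps" plus digits under .com.
LOOKALIKE = re.compile(r"(?:www\.)?eftps\d+\.com")

def host_of(text):
    """Return the hostname in a URL or URL-like label, or None if there is none."""
    text = text.strip()
    text = text if "://" in text else "http://" + text
    try:
        host = urlsplit(text).hostname or ""
    except ValueError:  # malformed input, e.g. an unclosed IPv6 bracket
        return None
    return host if re.fullmatch(r"[a-z0-9-]+(?:\.[a-z0-9-]+)+", host) else None

class LinkAudit(HTMLParser):
    """Collect (label, href) pairs for every <a> element in an HTML body."""
    def __init__(self):
        super().__init__()
        self.links, self._href, self._label = [], None, []
    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href, self._label = dict(attrs).get("href") or "", []
    def handle_data(self, data):
        if self._href is not None:
            self._label.append(data)
    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append(("".join(self._label).strip(), self._href))
            self._href = None

def audit(html_body):
    """Return (label, href, reasons) for each link that looks deceptive."""
    parser, findings = LinkAudit(), []
    parser.feed(html_body)
    for label, href in parser.links:
        shown, actual, reasons = host_of(label), host_of(href), []
        if shown and actual and shown != actual:
            reasons.append(f"label shows {shown}, link goes to {actual}")
        if actual and LOOKALIKE.fullmatch(actual):
            reasons.append("destination matches eftps<digits>.com lookalike")
        if reasons:
            findings.append((label, href, reasons))
    return findings

# Constructed sample modelled on the message quoted in the post.
SAMPLE = ('<a href="http://eftps00000.com/R21">http://eftps.gov/R21</a> '
          '<a href="https://www.irs.gov/">IRS home page</a>')
```

Calling `audit(SAMPLE)` flags only the first link, with both reasons; labels that are plain words rather than hostnames are not compared.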
More information is available about this at the IRS site on fraud/phishing/abuse (same IRS link as provided a few sentences ago).
Be careful out there, and remain ever-vigilant for those cyber-criminals who'll try to steal you blind almost as fast as the Bush/Cheney Administration and their Republican Congressional majority gutted the national treasury and destabilized our entire economy and infrastructure.