Overview of IRS Phishing Activity


Notice: Historical Content

This is an archival or historical document and may not reflect current law, policies or procedures.

Updated Dec. 4, 2007

February 2006

Since November 2005, the Treasury Inspector General for Tax Administration (TIGTA) has received numerous complaints regarding “phishing” schemes that purport to be from the Internal Revenue Service (IRS) and solicit personal and financial information from American taxpayers. TIGTA determined that these complaints were associated with 12 separate phishing schemes traced to 11 separate countries.

"Phishing" has been defined “as a technique used to gain personal information for purposes of identity theft, using fraudulent e-mail messages that appear to come from legitimate businesses. These authentic-looking messages are designed to fool recipients into divulging personal data such as account numbers and passwords, credit card numbers and Social Security numbers,” according to Computerworld magazine. The term "phishing" arises from the use of increasingly sophisticated lures to “fish” for users.

The current phishing schemes that use the IRS as the bait begin with an email that is sent out using the same techniques employed by “spammers.” Hundreds of thousands of messages are sent to potential victims, advising the recipients that they are under investigation by the IRS or that they have a refund pending from the IRS. The email then asks the intended victim to click on a link contained within the email to “access the IRS website.” The link is crafted to appear authentic and government sponsored. It connects the victim to a site that, from all outward appearances, is legitimate, and that then prompts the victim for personal identifiers, credit card numbers and credit card PIN numbers. The phishing sites appear legitimate because most of the content is obtained from an actual page on the IRS website, which is then modified by the “phishers.”
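The mismatch described above, a link that reads as the IRS website but leads somewhere else, can be checked mechanically on a received message. The following is an added example, not code from the IRS or TIGTA; the function names and the sample message are constructed for illustration, and it assumes the email body is available as HTML.

```python
import re
from html.parser import HTMLParser
from urllib.parse import urlsplit

TRUSTED = "irs.gov"  # domain the lure claims to represent

class AnchorCollector(HTMLParser):
    """Collect (href, visible text) for every <a> element in an HTML body."""
    def __init__(self):
        super().__init__()
        self.links, self._href, self._text = [], None, []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href, self._text = dict(attrs).get("href") or "", []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None

def is_trusted_host(host):
    """True only for irs.gov itself or a genuine subdomain of it."""
    host = (host or "").lower().rstrip(".")
    return host == TRUSTED or host.endswith("." + TRUSTED)

def deceptive_links(html_body):
    """Return (text, href) for web links that name the IRS but point elsewhere."""
    parser = AnchorCollector()
    parser.feed(html_body)
    parser.close()
    flagged = []
    for href, text in parser.links:
        url = urlsplit(href)
        claims_irs = re.search(r"\birs\b", text, re.IGNORECASE)
        if url.scheme in ("http", "https") and claims_irs and not is_trusted_host(url.hostname):
            flagged.append((text, href))
    return flagged

# Constructed sample body; hosts use reserved documentation names and addresses.
SAMPLE = """
<p>You have a refund pending. <a href="http://www.irs.gov.example.net/refund">http://www.irs.gov/refund</a></p>
<p><a href="http://203.0.113.7/irs/">Access the IRS website</a></p>
<p><a href="https://www.irs.gov/refunds">IRS refund status</a></p>
"""
```

The host comparison matches on the full domain suffix, so a name that merely contains `irs.gov` as a prefix or label is not treated as the IRS.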

TIGTA has been instrumental in working with the IRS Computer Security Incident Response Capability (CSIRC), the US Computer Emergency Readiness Team (US-CERT), and various Internet Service Providers and international CERT teams to have the phishing sites taken offline as soon as they are reported. To date, TIGTA investigations have identified 12 separate IRS phishing sites from the following 11 different countries: United States, Aruba, Italy, Austria, England, Canada, Germany, Mexico, Argentina, Korea and Singapore.

The IRS never sends out unsolicited emails and under no circumstances requests credit card information and PIN numbers through email. Persons receiving emails that claim to be from the IRS should not attempt to visit any site contained within the email and should report suspicious emails to TIGTA or the IRS.

Please notify the IRS of any phishing attempts by forwarding the suspicious e-mail to phishing@irs.gov. Materials forwarded to this mailbox will be examined and acted on by our information security staff.