Tax season may seem like it’s a long way off yet, but that hasn’t stopped Internet fraudsters from promising taxpayers a refund in a bid to steal their personal information, according to the Canada Revenue Agency (CRA).
The reward isn’t plentiful – $386 – but these con-artists hope it will be enough to entice Canadians to click on a link and volunteer personal information. A fraudulent e-mail designed to look like it comes from the CRA is typical of many phishing attacks.
But this attack appears to be particularly resilient. An initial wave of e-mails was sent out Oct. 14, and a second wave of e-mails was sent out Dec. 15, 2008. The origins of the first wave were traced to Japan, while the second batch came out of the U.S., says Caitlin Workman, media relations with the CRA.
“I don’t know that it has anything to do with tax time,” she says. “I’ve been hearing about this since November.”
The e-mail in question includes an embedded link to a phishing Web page designed to appear like the CRA’s official site. It uses the same colour scheme and logo, and even includes links to the real agency’s Web site.
The page presents a form asking the taxpayer to enter vital personal details including social insurance number, date of birth, full name, and the amount of money received on the last tax return.
But there’s a couple of telltale signs a watchful observer would recognize as a phishing Web page, according to Marc Fossi, manager of security technologies and response at Symantec Corp., a Cupertino, Calif.-based security vendor.
This phishing site has a couple of telltale errors
“If you look at the ‘Français’ link along the top bar, there is a Chinese character there instead of the properly formatted ç,” he says. “It’s also not a secure page. You don’t see the lock icon anywhere on the browser.”
Also, the Web page domain in the URL is not the CRA’s server, but a Taiwan-based address, he adds.
Phishing attacks – the attempt by fraudsters to skim personal information off of unsuspecting Internet users by presenting a legitimate façade – typically imitate financial companies, but sometimes pose as government agencies.
The attacks are commonplace. In the first quarter of 2008, 411 brands were hi-jacked by a total of 81,000 phishing Web sites, according to the Anti-Phishing Work Group. The cross-industry association says it functions as a global law enforcement agency focused on eliminating fraud and identity theft.
Symantec is a member, as are other Internet security vendors.
Identity theft was likely the motive behind the CRA attack, Fossi says.
“They could pose as you in contacting the CRA and try to have your information changed,” he says. “Or they could be selling the information so others could use it for identity theft.”
Symantec and other security vendors sell anti-phishing security products. But educating Web users about online safety is critical to stopping fraudsters.
“The warning about not sending out your information through e-mail has gone out for awhile,” he says.
CRA will only occasionally communicate via e-mail with taxpayers, and will never request personal information through e-mail, Workman says. When the agency does send an e-mail, it will notify the taxpayer to expect it via a telephone call or a letter.
Unsolicited e-mails that appear to come from the CRA should be deleted immediately, she says.
“If taxpayers have any doubt about correspondence when it comes to the CRA, they should contact us. As soon as we have information on any fraudulent communications schemes, we post it on our Web site.”
The CRA is no stranger to having its brand hijacked by fraudsters. Just last August, a mail scam targeting Canadians purporting to come from the CRA, asked for personal information from recipients.
Much like the e-mail scam, the letter claimed the taxpayer could receive an unclaimed refund if they updated their records. An attached form was sent with the letter, along with instructions to either e-mail or fax the information.
Phishing scammers are motivated by profit. They don’t fool a large percentage of people that their messages reach, but they send out hundreds of thousands of e-mails. Only a fraction need to respond to make the venture profitable.
There were 11,091 reported identity theft victims in Canada in 2008, according to Phonebusters. The resulting dollar loss reported from such scams was more than $9.5 million.
Phonebusters is the anti-fraud call centre of the Competition Bureau of Canada. Anyone receiving a fraudulent e-mail from the CRA is encouraged to call 1-888-495-8501.