IRS teams with phishing fighters to school public
Written by John P Mello Jr on July 28, 2010
Phishing is usually associated with email, but scammers have been known to redirect their prey offline before they close in for a kill. One way they do that is through retro tech like the good old-fashioned fax.
Of course, lots of faxes today are just a step removed from email. Fax hosting services issue their users a phone number for receiving faxes. When the faxes are received by that number, they’re emailed to the user, who views them on a computer.
One kind of fax scam that has been a favorite of phishers involves the U.S. Internal Revenue Service. The flim-flammers send an official-looking fax to a potential guppy demanding information from him or her. Failure to comply, the target is warned, will result in dire consequences.
Uncle Sam’s phishing fighters in the tax agency’s Online Fraud Detection and Prevention (OFDP) group began chasing down fax scammers in 2009. In the last 18 months, the group has shut down some 250 phishing numbers. Before the group entered the picture, the phishing phone numbers used to remain active for months. Now most numbers are croaked within 12 hours, according to the Anti-Phishing Working Group (APWG).
That group announced this week that it has been enlisted by the IRS to help combat fax phishing and has launched a new educational initiative, the APWG Fax Back Phishing Education Program, to educate consumers about protecting themselves from offline grifters.
“The average losses of offline phishing scams ranges from a few thousand to tens of thousands of dollars–losses that victims don’t realize they have sustained until long after the crime is complete,” the group said in a statement. “The APWG’s Fax Back Phishing Education Program provides telecommunications companies and Fax over Internet Protocol (FoIP) hosting firms with educational instruments to educate consumers the moment they are scammed.”
As part of that program, the APWG developed a fax coversheet that carriers can use to alert their customers that they may have been the victim of a phishing scam. At the top of the sheet is the ominous message: “WARNING! The Fax Number You Dialed Connected to a Scam!”
“You may have gotten this fax number directly via fax or from an email, text, or voicemail message,” the sheet explains. “No matter how real it seemed, it was a trick.”
“It’s called ‘phishing,’ because scammers fish for information about you or your financial accounts,” it continues. “Once scammers have it, they use it to commit identity theft or fraud.”
In addition to warning victims about phishing, the cover sheet provides useful links for obtaining additional information about phishing swindles and for reporting them to authorities like the Federal Trade Commission (FTC) and the International Consumer Protection and Enforcement Network. Both sites cited by the APWG feed information into a complaint database maintained by the FTC. That database has proven to be a valuable resource to law enforcement and regulatory agencies around the world in probing and disrupting phishing operations.
Early in its existence, the OFDP reasoned that it would be a good idea to caution callers who were phoning numbers disabled by the agency. Those callers had been targeted by a phisher once. Given the way the Internet underworld shares information, those callers would no doubt be targeted again. In that eventuality, the OFDP wanted the callers to be aware of the peril they’d narrowly avoided because the agency had disconnected the scam line.
The first idea floated by the feds was a voice landing page. When a target called a disabled scam line, he or she would be redirected to that page and hear a message about the line being disconnected, the reason why, and some additional information about phishing. That didn’t work too well. It required carrier cooperation, and the carriers weren’t too keen on integrating it into their systems. Another problem was that not everyone targeted by the cyber thieves spoke English, so the voice message was just gibberish to them. In addition, many people use automated fax devices. Those devices look for a fax signal after making a connection. If they encounter a voice at the other end of the line, they’ll just disconnect the call after failing to find a fax machine there. Looking for a better solution, the OFDP contacted the APWG, which cooked up the fax cover sheet idea.
“The APWG Internet Policy Committee commends the IRS for its role in protecting consumers against these fax-phishing scams,” Laura Mather, co-chair of APWG’s Internet Policy Committee, said in a statement. “The phishers continue to find compelling mechanisms for contacting consumers and having the IRS work with us to create a program for protecting people who have been contacted by this type of scam shows that the crime fighters cooperate as well as the criminals.”





I am loving this so much, they use bad fax against the bad guy! Ha!