Byron Acohido, USA TODAY
SEATTLE - The deadline for filing taxes may expire today, but cybercriminals impersonating the IRS in e-mail scams crafted to steal your tax refund are just getting warmed up.
An estimated 95% of the e-mail moving across the Internet in the last three months -- and purporting to come from IRS.gov -- was fraudulent, according to results of an e-mail traffic survey supplied exclusively to USA TODAY by messaging security firm Agari.
"Like the sun rises in east and sets in the west, every year, come April, phishers who specialize in tax fraud come out to try to get you," Agari CEO Patrick Peterson says.
What's more, security experts warn that e-mail messages crafted to look like official IRS inquiries, but designed to steal personal information and reroute tax refunds to accounts controlled by organized theft rings, will continue at a high rate through May and June.
"They'll send e-mail confirming they've received your tax return and need more information," says Limor Kessem, cybercrime and online fraud specialist at RSA's anti-fraud command center in Tel Aviv, Israel. "That's an e-mail you should delete immediately."
Cybercriminals are versed in local, state and federal tax rules throughout the U.S. and in other nations. They'll use bogus forms to trick a victim into divulging logon credentials for tax authority and bank accounts. Or they'll entice the victim into clicking a malicious attachment or web link that turns control over to the attacker.
In short order, tax scammers can find out if a tax return has already been filed, note the refund amount and modify where the refund should be sent. Or if the opportunity arises, they will file a faked return and route the refund into their hands, says Kessem.
Part of the reason bogus IRS e-mail continues to swamp the Internet this time of year is because the agency has not yet adopted a year-old technical standard called DMARC, an acronym for Domain-based Message Authentication, Reporting & Conformance.
DMARC standardizes how major online companies, like Facebook and Netflix, prove the authenticity of legitimate e-mail sent to customers. Major Internet Service Providers Comcast and China's NetEase, as well as the major providers of free web mail -- Microsoft, Google, Yahoo and AOL -- all support DMARC.
Any phisher who tries to send a bogus Facebook or Netflix e-mail that uses the free e-mail services or ISPs supporting DMARC gets blocked. DMARC has been lobbying the IRS to adopt the standard.
"Companies and organizations need to take a proactive approach to protect their consumers from phishing by implementing the DMARC standard," says Peterson, who helped draft the standard. "Until then, these types of attacks will continue to occur."