Top 5 online 2011 tax scams

In the run-up to the 2011 tax deadline, online scammers are out in force with new tax-related tricks

You may not want to think about your taxes until Tax Day on April 15, but online scammers are already plotting to separate you from your tax refund and your identity. Scams for the 2011 tax season include promises of tax credits for charitable donations to disaster relief in Japan, malware-laden Websites optimized for search engines, dangerous e-mail, and so-called 'likejacking' techniques found on the social network Facebook.

About 19 million people have already filed their taxes at home in 2011, an increase of almost six per cent from the year previous, according to the Internal Revenue Service. Consequently, this time of year is ripe for tax-related online scams. Crooks know that taxpayers are looking for information on deductions and tax laws. They know that this is the time of year when taxpayers submit personal information online and store sensitive financial documents on their hard drives.

Jennifer Torode, a spokesperson for the security firm Sophos, says that most of us wait until the last minute to file our tax forms. Scammers know this and "take advantage over the next few weeks to find ways to lure frantic filers into their webs," she says.

Here are five tips to help you avoid getting ensnared by tax scammers this tax season.

1. Japan Quake Scam

Among the newest scams for 2011 are bogus e-mail messages promising a tax credit applicable to your 2010 tax return if you make a charitable donation to Japan earthquake relief, according to McAfee consultant and identity theft expert Robert Siciliano. "The scam is based on the ruse being similar to a real law passed last year regarding Haiti," Siciliano said. In January 2010, Congress passed the Haiti Assistance Income Tax Incentive Act that allowed taxpayers to contribute to Haiti relief from January 11 to March 1, 2010 and claim it on their 2009 tax return. So far, the government has not established any retroactive tax rules involving this year's relief effort for Japan.

Tip: You can find many earthquake relief scams online; however, it's not clear how prevalent this particular scam is. For more information on how to make tax-deductible donations safely and effectively, consult this notice on

2. Gone Phishing

One of the most popular ways to scam people during tax season is to set up Websites that look as if they are an official IRS site or a legitimate tax preparation service. "We have seen some scammers pretending to be tax preparation services, abusing brand names such as TurboTax, to obtain people's personal details," said Richard Wang, manager for Sophos Labs.

Other sites are designed to trick you into downloading a PDF file laden with malware, according to Jeff Horne, director of threat research for the security company Webroot. Horne also warns that sites may try to sneak malware onto your machine using a technique called a "drive-by download." Such sites contain code looking for exploits in your browser that will enable them to download malware onto your system without your knowledge. Merely by using a vulnerable browser to visit a site, you can be victimized with bad guys wielding this technique.

Once tax-related malware is loaded on your machine, it can set up a keylogger to track everything you type into your computer, or it can search your saved documents for keywords related to tax season such as "social security" or "1040."

Tip: The best defense against drive-by downloads is to make sure that you always use the latest version of a modern Web browser, such as Google Chrome or Mozilla Firefox.

3. Black Hat SEO

One of the tricks that crooks use to lure victims into a scam is to optimize their sites for Google searches, a technique known as "black hat SEO" (the acronym stands for "search engine optimization"). Horne suspects that these sites use resources such as Google Trends and Google Insights to discover the types of tax-related searches people are requesting. Once criminals have figured out some of the more popular keywords for this year's tax searches it's not difficult for them to optimize their bogus sites for search engines.

Tip: "Never use search engines to search for tax documents," Horne said. Instead, go directly to the government site (such as,, or an individual state government site ending in '.gov') to look for tax forms and other tax information.

4. Likejacking

Facebook and other social networking sites are major targets for online scammers looking to make a quick buck off tax season. Horne says that Webroot has seen some examples of 'likejacking' in which scammers try to trick you into 'liking' their scam site on Facebook. Achieving this objective may involve hiding a Facebook "Like" button under another button on a third-party Website or exploiting a weakness in your browser by using a few snippets of JavaScript to press the Like button for you.

Once you "like" the site, an external link will show up in your Facebook news feed with a scam message such as, "I just got $500 by using this free tax preparation service." Friends who see that message may be tempted to click the link leading them to a phishing site or a spam site looking to increase its ad revenue by generating Web traffic.Note, however, that some legitimate tax preparation services are promoted on Facebook by institutions such as universities as well by individual friends.

Tip: Don't choose a tax preparation service on the basis of Facebook message attributed to a friend. At the very least, talk to the friend directly to confirm that he or she endorses the service.

5. Phony E-Mail

Despite a high degree of public awareness about the dangers of spam e-mail, online scammers find this method profitable enough to keep using it. One trick to watch out for is a message supposedly from the IRS asking you to download a tax form.Another is an attempt to lure you to a phony Website to claim a refund. Once you're at the site, you may fall victim to a drive-by download or the site may ask you to divulge your social security number in order to see details of your supposed refund.

Tip: The IRS will never send you an e-mail message with a request for your personal information or with tax forms attached.

Protect Yourself Tips

With so many scams going around, it's difficult to know how to keep yourself safe online. However, Horne identifies six steps that you can take to thwart the bad guys:

1. Before you do your taxes, make sure that your antivirus software is up-to-date. That way, your program will be on the lookout for the latest known threats.

2. Be careful about which browser you use when dealing with tax-related information online. Make sure that you are using the most recent version of your browser so that you have the latest security patches. Using Mozilla's Firefox running the popular add-on NoScript to defend against drive-by downloads is a good idea. And if you are among the three per cent of online Americans still using Internet Explorer 6, dump it for the latest version of IE available for your operating system--or use a different popular browser such as Chrome or Firefox.

3. Never use a search engine to look for government documents. Instead, go directly to sites such as,, or individual state government sites ending in .gov, and search for forms there.

4. Never open or download attachments included with messages claiming to be from the IRS. The wisest course may be to refrain from opening any unsolicited tax-related e-mail message, as some poisoned messages use HTML to exploit weaknesses in your browser and initiate a drive-by download.

5. Never do your taxes over an unencrypted wireless connection such as free Wi-Fi at Starbucks. At home, even if you use the latest wireless security encryption standards such as WPA2 there, you are better off breaking out the LAN cable and using a wired connection when dealing with sensitive financial information.

6. Once you're finished filing your taxes for this year, make sure that you move all of your tax-related files for safe keeping to a USB key, an external hard drive, or some other form of removable storage. Then wipe all tax files off your computer's hard drive. Tax-related malware may lurk online long after tax season is over, according to Horne. If you happen to get infected, and you've stored your tax forms in a special folder on your PC, it won't take much for a scammer to steal your identity.

IRS Advice

The IRS also has a lot of helpful information to help keep you safe from phishing and other e-mail scams. The IRS emphasizes that it never asks taxpayers for their passwords, PINs, or other secret data relating to bank accounts and credit cards. Furthermore, never initiates taxpayer communication through e-mail. If you receive a dubious e-mail message claiming to be from the IRS, you can report it by forwarding the message without altering it to For more online tax security tips, check out the IRS's page on how to protect your personal information.

Connect with Ian Paul ( @ianpaul ) and Today@PCWorld on Twitter for the latest tech news and analysis.

Join the CSO newsletter!

Error: Please check your email address.

Tags sophosonline securityscams and hoaxestax sitessecurityfinancial & tax softwareFacebook

More about etworkFacebookGoogleInternal Revenue ServiceIRSIRSLANMcAfee AustraliaMozillaSophosStarbucksWangWebroot

Show Comments

Featured Whitepapers

Editor's Recommendations

Solution Centres

Stories by Ian Paul

Latest Videos

  • 150x50

    CSO Webinar: Will your data protection strategy be enough when disaster strikes?

    Speakers: - Paul O’Connor, Engagement leader - Performance Audit Group, Victorian Auditor-General’s Office (VAGO) - Nigel Phair, Managing Director, Centre for Internet Safety - Joshua Stenhouse, Technical Evangelist, Zerto - Anthony Caruana, CSO MC & Moderator

    Play Video

  • 150x50

    CSO Webinar: The Human Factor - Your people are your biggest security weakness

    ​Speakers: David Lacey, Researcher and former CISO Royal Mail David Turner - Global Risk Management Expert Mark Guntrip - Group Manager, Email Protection, Proofpoint

    Play Video

  • 150x50

    CSO Webinar: Current ransomware defences are failing – but machine learning can drive a more proactive solution

    Speakers • Ty Miller, Director, Threat Intelligence • Mark Gregory, Leader, Network Engineering Research Group, RMIT • Jeff Lanza, Retired FBI Agent (USA) • Andy Solterbeck, VP Asia Pacific, Cylance • David Braue, CSO MC/Moderator What to expect: ​Hear from industry experts on the local and global ransomware threat landscape. Explore a new approach to dealing with ransomware using machine-learning techniques and by thinking about the problem in a fundamentally different way. Apply techniques for gathering insight into ransomware behaviour and find out what elements must go into a truly effective ransomware defence. Get a first-hand look at how ransomware actually works in practice, and how machine-learning techniques can pick up on its activities long before your employees do.

    Play Video

  • 150x50

    CSO Webinar: Get real about metadata to avoid a false sense of security

    Speakers: • Anthony Caruana – CSO MC and moderator • Ian Farquhar, Worldwide Virtual Security Team Lead, Gigamon • John Lindsay, Former CTO, iiNet • Skeeve Stevens, Futurist, Future Sumo • David Vaile - Vice chair of APF, Co-Convenor of the Cyberspace Law And Policy Community, UNSW Law Faculty This webinar covers: - A 101 on metadata - what it is and how to use it - Insight into a typical attack, what happens and what we would find when looking into the metadata - How to collect metadata, use this to detect attacks and get greater insight into how you can use this to protect your organisation - Learn how much raw data and metadata to retain and how long for - Get a reality check on how you're using your metadata and if this is enough to secure your organisation

    Play Video

  • 150x50

    CSO Webinar: How banking trojans work and how you can stop them

    CSO Webinar: How banking trojans work and how you can stop them Featuring: • John Baird, Director of Global Technology Production, Deutsche Bank • Samantha Macleod, GM Cyber Security, ME Bank • Sherrod DeGrippo, Director of Emerging Threats, Proofpoint (USA)

    Play Video

More videos

Blog Posts

Market Place