For those of you that don’t know, phishing is the activity of defrauding an online account holder of financial information by posing as a legitimate company. Last year, I almost fell for a phishing attempt by someone claiming to be an IRS employee.
I’ve held a variety of roles in Information Security and you’d think I would try to hide the fact that I almost fell for a phone-based scam. However, I think my story can help others so I’ve decided to share it on my blog. Also, it’s not like I’m the only IT Security professional to almost fall for a phishing attempt. Chris Hadnagy literally wrote the book on Social Engineering/Phishing and has been tricked by an Amazon phish.
At the time I first was contacted by a fake IRS employee, I was in the middle of a legitimate dispute with the IRS over a tuition deduction from a few years prior. I was working from home and randomly received a call from a number in Cincinnati from someone claiming to be an IRS employee. I knew that the IRS had an office in Cincinnati and despite the fact that all of my prior correspondence related to my aforementioned dispute had been written, I didn’t think it was out of the realm of possibility that someone from the IRS would call me.
The “employee” began the call by stating that I was going to be taken to court over unpaid taxes. The caller gave me a case number and knew enough about the inner workings of the IRS to sound legitimate. It didn’t make any sense to me why I would suddenly be taken to court when my last document submission was mailed several months before the stated deadline. This should have been my first clue that the call was not legitimate. Unfortunately, due to the fact I was actually worried about my legitimate issue with the IRS, my guard was down.
I was obviously distraught at this point. If my dispute went to court, I would possibly spend more on legal fees and accountants than I actually owed to the IRS. Even though I knew I did nothing wrong, the idea of a settlement went through my head while the caller discussed the issues. However, I wanted to make sure that my accountant was involved in the final decision.
The “employee” let me know that I could avoid court and the associated fees by simply settling over the phone. It was as if they could read my mind. I let them know that I wanted to consult my accountant and a few family members with deeper knowledge of tax law before making a final decision. The caller started to get very impatient at this point.
I started to get more of a sense that this call was fake. I eventually asked the “employee” to provide me with a publicly posted phone number for their office. I wanted to call a validated phone number to confirm that I was speaking with an actual IRS employee. I felt that this was a completely reasonable request.
The scammer became enraged. They told me that if I hung up the phone, they would issue an arrest warrant. They demanded that I drive straight to the bank while leaving them on speaker phone. They wanted me to wire them money to a specific account. I was now 100% confident that I was being phished.
If this ever happens to you, this is the point where you should just hang up and report the incident. However, I decided to have a little fun. I decided to keep the scammer on the phone for around 30 minutes while I “drove” to the bank to wire them the money. In reality, I was just sitting at my desk listening to music and catching up on email. I asked them for the account number and routing number so I could “wire” them the money. Armed with that information, I placed the scammer on hold and called the Ohio Attorney General’s office. I filled out a form to inform the IRS as well.
After providing the Ohio Attorney General’s Office and IRS with the details, I hung up on the scammer. They called me back about a dozen times in rapid succession before moving on to their next attempted victim. I’m now almost certain this fraud attempt originated from India, where dozens of people were arrested for operating entire call centers filled with fake IRS agents. A few weeks later, I received a letter from the IRS stating that my dispute had been resolved based on the documentation that I provided and I no longer owed any money.
- The IRS has an entire webpage devoted to validating communications received from their employees. The page also has information for reporting phishing attempts.
- The IRS will never:
  - Call to demand immediate payment, nor will they call about taxes owed without first having mailed a bill.
  - Demand that you pay taxes without giving you the opportunity to question or appeal the amount they say you owe.
  - Require you to use a specific payment method for your taxes, such as a prepaid debit card.
  - Ask for credit or debit card numbers over the phone.
  - Threaten to bring in local police or other law-enforcement groups to have you arrested for not paying.