By Paul F. Roberts
The U.S. Internal Revenue Service is warning taxpayers about a phishing scam that uses promises of tax refunds to steal sensitive financial information.
The IRS issued a statement Wednesday warning consumers of the scam e-mail messages, which appear to come from firstname.lastname@example.org and contain a link to a phishing Web site that collects Social Security and credit card information. But one anti-virus software company claims a flaw in a U.S. government Web site may be helping the scammers.
The phishing e-mail claims that the IRS owes the recipient several hundred dollars and provides a link to a Web page from which the recipient can allegedly claim the tax refund, according to a statement from Sophos PLC, a U.K.-based anti-virus software company. Researchers at Sophos first spotted the IRS messages on Monday, said Graham Cluley, senior technology consultant at Sophos.
The tax collection agency’s warning fails to mention that a page on another government Web site is used in the scam, he said.
The Web link points to a page on the govbenefits.gov Web site that bounces the user to the phishing site. The page was apparently designed to forward visitors to different parts of that Web site but doesn’t limit forwarding to pages in the .gov domain, said Cluley.
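The kind of target check such a forwarding page needs, shown as an added example (not code from the article or from the govbenefits.gov site): a substring test next to a strict same-site test. The host name `benefits.example.gov`, the function names and the sample targets are assumptions made up for illustration.

```python
from urllib.parse import urlsplit

SITE_HOST = "benefits.example.gov"  # assumption: placeholder for the site's own host


def naive_is_allowed(target: str) -> bool:
    """Weak check: a substring test is satisfied by look-alike hosts."""
    return ".gov" in target


def is_safe_redirect(target: str, site_host: str = SITE_HOST) -> bool:
    """Accept only same-site paths or absolute URLs whose host is exactly site_host."""
    # Browsers normalise backslashes and drop tabs/newlines, so refuse them outright.
    if not target or target != target.strip() or any(c in target for c in "\\\r\n\t"):
        return False
    try:
        parts = urlsplit(target)
        host = parts.hostname  # lower-cased, without userinfo or port
    except ValueError:         # malformed authority, e.g. a broken IPv6 literal
        return False
    if not parts.scheme and not parts.netloc:
        # Relative reference: require a single leading slash ("//host" is off-site).
        return target.startswith("/") and not target.startswith("//")
    return parts.scheme in ("http", "https") and host == site_host


def resolve_redirect(target: str, fallback: str = "/") -> str:
    """Return the requested target if it stays on the site, else a fixed fallback."""
    return target if is_safe_redirect(target) else fallback


# Constructed sample targets (not taken from the article).
SAMPLES = [
    "/benefits/search",
    "https://benefits.example.gov/report?id=7",
    "https://benefits.example.gov.refund.example/claim",
    "https://benefits.example.gov@refund.example/claim",
    "//refund.example/claim",
    "javascript:alert(1)",
]

if __name__ == "__main__":
    for t in SAMPLES:
        print(f"{t!r:55} naive={naive_is_allowed(t)!s:5} strict={is_safe_redirect(t)}")
```

The strict check compares the parsed host for exact equality instead of searching the string, so a host that merely contains the site's name is sent to the fallback page.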