posted by martyb on Thursday April 16 2015, @12:55PM
from the gone-phishin' dept.

If you filed your IRS (US Internal Revenue Service) income tax forms through someone else, and that list gets into the hands of phishers, do you think you could detect it?

A lot of people fall for this. Hard. Gizmodo reports:

A lot of people are falling for them: A study of 150,000 phishing emails by Verizon partners found that 23 percent of recipients open phishing messages, and 11 percent open attachments. Is that not crazy? One in 10 people opens an attachment when they have no idea what they’re opening.

And it happens fast: It takes an average of 82 seconds from the time a phishing campaign is launched, until the first sucker bites. And this isn’t just phishing in people’s Gmail accounts. It’s happening on sensitive business and government accounts where the targets should theoretically know better.

Another article in Wired is reporting:

Typically, it takes months if not years to uncover a breach. In 2012, for example, FireEye reported that the average cyber-espionage attack continued unabated for 458 days before the victim discovered the hack.

[More after the break.]

I have received numerous phishing emails. So far, I have recognized them because I knew the people I am dealing with and when something outlandish comes up, I call 'em. However, these days, who knows anybody at these big, monolithic, and automated tax-collection centers, and who wants to take the risk that an ignored IRS email is indeed fake?

I have been holding out as long as I can against having anything to do with the government on the internet. I flat out do not trust the internet when it comes to email. Any of us can tell if it's some casual friend chitchat, but when mail arrives looking like it's from your bank and money is involved, it gets noticed. With the advent of things like Electronic Funds Transfer, things can happen behind our back, and we ignore the email at our peril....

Many of us here know just how easy it is to make an extremely legitimate looking business email. It would really bother me to receive demands for compliance from some entity purporting to represent the IRS via email, with no way for me to know for sure it's bogus without taking the bait.

How many of you filed your IRS returns electronically? How do you protect yourself from phishing attacks?

  • (Score: 5, Insightful) by arashi no garou on Thursday April 16 2015, @01:04PM

    by arashi no garou (2796) on Thursday April 16 2015, @01:04PM (#171558)

    If I file my taxes with X tax preparation house and I get an email that looks like it's from X, I will ignore the email, type their website's address into my browser, and log in from there to verify the information. I do the same when I get emails that appear to be from my bank, especially since many banks these days use a third party mailing list service that doesn't trace back to the bank itself.

    You can never be too sure with any email message, even if the headers seem to check out.

    • (Score: 2) by dyingtolive on Thursday April 16 2015, @05:19PM

      by dyingtolive (952) on Thursday April 16 2015, @05:19PM (#171659)

      You mean my email isn't the website? They're both on the server.

      --
      Don't blame me, I voted for moose wang!
      • (Score: 2) by arashi no garou on Thursday April 16 2015, @11:13PM

        by arashi no garou (2796) on Thursday April 16 2015, @11:13PM (#171771)

        notsureifserious.jpg

        • (Score: 2) by dyingtolive on Friday April 17 2015, @04:03AM

          by dyingtolive (952) on Friday April 17 2015, @04:03AM (#171877)

          Not serious, but pretending to be most people over 40. Your solution is both effective and obvious (to people who 'get' it), but try explaining it to anyone who doesn't understand what the internet is.

          --
          Don't blame me, I voted for moose wang!
          • (Score: 2) by arashi no garou on Friday April 17 2015, @11:44AM

            by arashi no garou (2796) on Friday April 17 2015, @11:44AM (#171973)

            You might want to move the threshold up a decade or so. Keep in mind most forty-somethings came upon computers (mostly Apple IIs and Amigas) in high school and college. It's the fifty-somethings and up who are still (as a group) technologically challenged.

            To put it another way, I'll be 38 this year and I've had a computer of some sort since I was five years old. TI-99/4a was my first, followed by a CoCo 2 and Apple //c, all before I was in high school.

  • (Score: 2) by wonkey_monkey on Thursday April 16 2015, @01:04PM

    by wonkey_monkey (279) on Thursday April 16 2015, @01:04PM (#171559) Homepage

    [More after the break.]

    There wouldn't have been a break if you hadn't written "[More after the break.]"

    --
    systemd is Roko's Basilisk
    • (Score: 0) by Anonymous Coward on Thursday April 16 2015, @01:48PM

      by Anonymous Coward on Thursday April 16 2015, @01:48PM (#171583)

      Agreed, if you have to do it then just do this:

      More...

      We're not stupid. "Click here" "Click Image for larger image" "Link to site"
      We like the old slashcode but not the old AOL internet ways.

    • (Score: 1) by Urlax on Friday April 17 2015, @06:21PM

      by Urlax (3027) on Friday April 17 2015, @06:21PM (#172135)

      coming from my rss reader, the summary was indeed in 2 parts. the first part was in the feed, both parts in the summary. nice system if you ask me.

  • (Score: 3, Interesting) by kaszz on Thursday April 16 2015, @01:15PM

    by kaszz (4211) on Thursday April 16 2015, @01:15PM (#171566) Journal

    The problem is there's no authentication of important emails. For starters, one can assign every contact a unique email address, to know where the contact came from. Another action that can be taken is to read emails on secure systems.

    But the most important is that the message itself is authenticated with something like a PGP signature etc. As long as this isn't in place, security can't be had, because the source is sloppy and can't be distinguished.

    • (Score: 3, Insightful) by Thexalon on Thursday April 16 2015, @01:30PM

      by Thexalon (636) on Thursday April 16 2015, @01:30PM (#171576)

      The problem is there's no authentication of important emails.

      No, the problem is that there's no authentication of nearly all email, but many people act like it's a secure communication method when it isn't. If there were authentication, most spam would never have happened, and most phishing attacks would have been impossible.

      --
      The only thing that stops a bad guy with a compiler is a good guy with a compiler.
      • (Score: 3, Interesting) by kaszz on Thursday April 16 2015, @01:36PM

        by kaszz (4211) on Thursday April 16 2015, @01:36PM (#171580) Journal

        One could at least require that the IRS sign their emails..

        • (Score: 1) by kadal on Thursday April 16 2015, @02:00PM

          by kadal (4731) on Thursday April 16 2015, @02:00PM (#171590)

          That is a great suggestion. Except that it requires that the government get it's ass together...

          • (Score: 2) by kaszz on Thursday April 16 2015, @02:54PM

            by kaszz (4211) on Thursday April 16 2015, @02:54PM (#171609) Journal

            We can't have that happening, can we? :D

            Just imagine an email inbox where emails that have the proper digital signature (like S/MIME?) would be marked by the email client as such and thus enable users to skip the noise and read the important stuff right away.

            (Which would require a central 2000 GFlops mainframe at the headquarters in 24 carat gold with lots of important people in black cars and of course a salary bonus to match ;-) )

            • (Score: 0) by Anonymous Coward on Thursday April 16 2015, @04:01PM

              by Anonymous Coward on Thursday April 16 2015, @04:01PM (#171631)

              We can't have that happening, can we? :D

              Especially not when so many elected officials have a vested interest in proving their party line, that the government can't do anything right.

          • (Score: 0) by Anonymous Coward on Thursday April 16 2015, @08:15PM

            by Anonymous Coward on Thursday April 16 2015, @08:15PM (#171713)

            FYI, it appears that you squished together 2 memes:
            - get its shit together
            - get its ass in gear

            You should pick one and go with that.
            (Colloquial English can be confusing.)

            ...and a pronoun never needs an apostrophe to make it possessive.

            -- gewg_

        • (Score: 2) by Thexalon on Thursday April 16 2015, @03:05PM

          by Thexalon (636) on Thursday April 16 2015, @03:05PM (#171612)

          That is necessary, but insufficient: Because the vast majority of emails are unsigned, citizens will expect that emails from the IRS will be unsigned (just like the ones from their bank, their utilities providers, other government agencies, and everybody they interact with at work), so they will presume that the unsigned phishing email purporting to be from the IRS is legitimate.

          --
          The only thing that stops a bad guy with a compiler is a good guy with a compiler.
          • (Score: 2) by kaszz on Thursday April 16 2015, @03:22PM

            by kaszz (4211) on Thursday April 16 2015, @03:22PM (#171619) Journal

            So citizens have to get used to it that from some time in the future emails will come in signed form?

            It's not like other shit hasn't succeeded like HTML or UTF8..

        • (Score: 4, Informative) by DeathMonkey on Thursday April 16 2015, @05:49PM

          by DeathMonkey (1380) on Thursday April 16 2015, @05:49PM (#171672) Journal

          One could at least require that the IRS sign their emails..

          Seriously, who actually communicates with the IRS via email?
           
            IRS phishing info [irs.gov]
           
            The IRS doesn't initiate contact with taxpayers by email, text messages or social media channels to request personal or financial information.
           
          I'm honestly confused about what the actual issue is here. Organizations like the IRS already don't communicate via email in general.

    • (Score: 2) by TheRaven on Thursday April 16 2015, @02:29PM

      by TheRaven (270) on Thursday April 16 2015, @02:29PM (#171599) Journal
      S/MIME is supported by most mail clients and can tell you the certificate chain. I've not yet seen a single bank that signs the email that they send.
      --
      sudo mod me up
      • (Score: 2) by kaszz on Thursday April 16 2015, @02:45PM

        by kaszz (4211) on Thursday April 16 2015, @02:45PM (#171607) Journal

        Makes one really wonder how come that is so............

      • (Score: 2) by frojack on Thursday April 16 2015, @05:07PM

        by frojack (1554) on Thursday April 16 2015, @05:07PM (#171650) Journal

        S/MIME is supported by most mail clients and can tell you the certificate chain. I've not yet seen a single bank that signs the email that they send.

        But that is entirely useless. Certificate chains? Really? Who has time to chase those? Who even knows how?
        How many of the chains lead to forged certificates, or certs with subtle spelling differences three levels deep that you are sure to miss, but which will pass automated checks?

        The only solution is to NOT give any branch of government your email address. Make them use paper.
        People can get conned by paper too. But it's better than sending your 1040 to some 419 scammer.

        --
        No, you are mistaken. I've always had this sig.
  • (Score: 2) by demonlapin on Thursday April 16 2015, @02:33PM

    by demonlapin (925) on Thursday April 16 2015, @02:33PM (#171601) Journal
    This is why I don't e-file. I don't think Intuit is nefarious, but I don't trust their security that much.
    • (Score: 4, Informative) by scruffybeard on Thursday April 16 2015, @03:13PM

      by scruffybeard (533) on Thursday April 16 2015, @03:13PM (#171615)

      AFAIK the IRS only sends snail-mail when there is a problem with your tax filings. This happened to me about 2 years ago. A minor error on my e-filing generated a response from the IRS via the mail.

      • (Score: 0) by Anonymous Coward on Thursday April 16 2015, @08:20PM

        by Anonymous Coward on Thursday April 16 2015, @08:20PM (#171717)

        Either that or a couple of Federal Marshals busting in your door.

    • (Score: 1, Informative) by Anonymous Coward on Thursday April 16 2015, @08:08PM

      by Anonymous Coward on Thursday April 16 2015, @08:08PM (#171710)

      You should be able to do all of this stuff via Free(dom) Software provided gratis by the gov't and that should run on any of the common platforms.
      The fact that you can only do all of it via proprietary closed-source software which runs under a limited number of OSes is a result of politicians allowing themselves to be bought by Intuit.

      I have never given any money to this company and never plan to.

      ...and the day that Intuit started writing their anti-piracy crap to folks' boot sectors was the day I actively started advising others to avoid Intuit.

      Intuit is evil.

      -- gewg_

  • (Score: 3, Interesting) by GungnirSniper on Thursday April 16 2015, @03:00PM

    by GungnirSniper (1671) on Thursday April 16 2015, @03:00PM (#171611) Journal

    I tried doing my own taxes this year and used the IRS FreeFile site. It doesn't have a business logic check until after you submit. Twenty to thirty minutes later you get an email saying if it worked or not. Here's some of the post-mortem emailed errors, the links aren't clickable:

    Issue : Business Rule X0000-005 - The XML data has failed schema validation. cvc-complex-type.2.4.d. Invalid content was found starting with element 'LifetimeQualifiedExpensesAmt'. No child element is expected at this point.

    The following information may help you determine the form at issue:
    Field/Xpath: /efile:Return[1]/efile:ReturnData[1]/efile:IRS8863[1]/efile:StudentAndEducationalInstnGrp[1]/efile:LifetimeQualifiedExpensesAmt[1]

    So I fixed that by deleting a line item, and retried:

    Issue : Business Rule F1040A-297 - If Form 1040A, Line 19 'TuitionAndFeesDedAmt' has a non-zero value and Line 2 checkbox "Married filing jointly" is not checked (element 'IndividualReturnFilingStatusCd' does not have the value 2), then Line 6a 'ExemptPrimaryInd' must be checked.

    The following information may help you determine the form at issue:
    Field/Xpath: /efile:Return/efile:ReturnData/efile:IRS1040A

    Issue : Business Rule F8917-001 - Each 'StudentSSN' on Form 8917, Line 1b must not be equal to 'StudentSSN' on Form 8863, Line 21.

    The following information may help you determine the form at issue:
    Field/Xpath: /efile:Return/efile:ReturnData/efile:IRS8917/efile:Student/efile:StudentSSN

    And again after playing whack-a-mole:

    Issue : Business Rule F8917-001 - Each 'StudentSSN' on Form 8917, Line 1b must not be equal to 'StudentSSN' on Form 8863, Line 21.

    The following information may help you determine the form at issue:
    Field/Xpath: /efile:Return/efile:ReturnData/efile:IRS8917/efile:Student/efile:StudentSSN

    So while it's pretty cool they have this stuff online, it's also wonky. The help information is still in PDF form so you can't reference specifics in a single window.

    I make just a little too much money to qualify for the free software downloads, so it was this FreeFile site or paper forms.

    From the Massachusetts site, which worked better:

    Optional Tax Rate
    I would like to voluntarily pay tax at the increased rate of 5.85%: [empty checkbox]

    • (Score: 0) by Anonymous Coward on Thursday April 16 2015, @08:28PM

      by Anonymous Coward on Thursday April 16 2015, @08:28PM (#171719)

      Of course it's wonky. It's designed that way. That's what you get when teams of bureaucrats (both government and corporate) work with no oversight and with the explicit purpose to separate the underclasses from their money.

    • (Score: 2) by el_oscuro on Friday April 17 2015, @12:55AM

      by el_oscuro (1711) on Friday April 17 2015, @12:55AM (#171809)

      So you are getting the actual XML errors? The IRS might as well post their DBA passwords on the front page of their website.

      --
      SoylentNews is Bacon! [nueskes.com]
    • (Score: 1) by anubi on Friday April 17 2015, @01:58AM

      by anubi (2828) on Friday April 17 2015, @01:58AM (#171843) Journal

      Your experience is exactly why I try to avoid "high tech" transactions. I got the same type of gibberish trying to sign up for healthcare.

      Just a whole bunch of pages that did not work. Dead links or required technology my browser does not have, or crap that would not make it through the corporate firewall.

      I gave up and paid the $95 "responsibility fee".

      Isn't there some way I can hold the ones forcing us to read and agree to all this stuff accountable as well?

      You don't know how bad I would like to shanghai those congresscritters that voted this thing into existence and have them show me how to run it.

      This runaway lawmaking to me is the prime reason we have to have a *major* housecleaning in Congress... and that means not voting for either of the ones the "party" puts up. We have to find one of our own to support, not one of "theirs". These party guys tell us they will "fight for us", but those words, coming from a politician, are just about as solid as those styrofoam hats they wear when the red, white, and blue bunting is displayed every election cycle. We have 99% of the vote and it's high time we stop voting the way the 1%'ers tell us to vote.

      --
      "Prove all things; hold fast that which is good." [KJV: I Thessalonians 5:21]
  • (Score: 0) by Anonymous Coward on Thursday April 16 2015, @04:55PM

    by Anonymous Coward on Thursday April 16 2015, @04:55PM (#171646)
    why I NEVER e-file my taxes.

    All of your tax information goes directly into the computers of the company you use to e-file, and they then reformat it and submit it to the IRS.

    This means you have to trust their security (which I do not).

    However, if I print paper forms, and mail them in an envelope, the company computers for the e-file folks do not have any record of anything.

    Yes, the IRS computers are probably also insecure, but the only way around that one ends up with one getting "Willie Nelsoned" after a length of time.

  • (Score: 1, Informative) by Anonymous Coward on Thursday April 16 2015, @07:35PM

    by Anonymous Coward on Thursday April 16 2015, @07:35PM (#171700)

    Tennessee has state income tax on investment income over $1000, but no taxes on wages. This year they fine you if you don't file electronically. Since most people don't have to file at all, they've been able to get away with it without enough people getting pissed off.

    On the flip-side, they've made themselves a particularly juicy target since only rich people will be in the database. It won't help for the current most popular form of fraud - where the scammer files a fake return for you and collects your refund since most rich people will owe tax rather than qualify for a refund. But, it is still a database of people who are worth targeting for other forms of fraud.

  • (Score: 1) by nitehawk214 on Thursday April 16 2015, @09:28PM

    by nitehawk214 (1304) on Thursday April 16 2015, @09:28PM (#171738)

    I don't care if it came from my best friend's verified gmail account, there is no damn way I am going to be opening an executable attachment from anyone in an email.

    How hard is it to get that through people's heads.

    Also, do these stats take into account email virus scanners opening attachments?

    --
    "Don't you ever miss the days when you used to be nostalgic?" -Loiosh
  • (Score: 1) by Kymation on Thursday April 16 2015, @11:54PM

    by Kymation (1047) Subscriber Badge on Thursday April 16 2015, @11:54PM (#171788)

    From: office@irs.gov

    -------------------------------------------------------------------
    Dear taxpayer,

    You are receiving this notification because your tax refund request has been processed.
    Please find attached a copy of the approved 1040A form you have submitted, containing your personal information and signature.
    On the last page, you can also find the wire transfer confirmation from the bank.

    Transaction type : Tax Refund
    Payment method : Wire transfer
    Amount : $8683
    Status : Processed
    Form : 1040A

    Additional information regarding tax refunds can be found on our website: http://www.irs.gov/Refunds. [irs.gov]
    Please note that IRS will never ask you to disclose personal or payment information in an email.

    Regards,
    Internal Revenue Service
    Address: 1111 Constitution Avenue, NW Washington, DC 20224
    Website: http://www.irs.gov [irs.gov]
    Phone: 1-800-829-1040
    -------------------------------------------------------------------

    And a nice attachment in .doc format. Full of nice macros. Yeah, I'm not that stupid.

    I do wish that I was getting that refund though.

    • (Score: 1, Informative) by Anonymous Coward on Friday April 17 2015, @12:47AM

      by Anonymous Coward on Friday April 17 2015, @12:47AM (#171803)

      Should have forwarded that file to virustotal: https://www.virustotal.com/en/documentation/email-submissions/ [virustotal.com] At a minimum, I'd find it interesting how many spotted it and it would help spread immunity to more people.

      • (Score: 1) by Kymation on Friday April 17 2015, @02:07AM

        by Kymation (1047) Subscriber Badge on Friday April 17 2015, @02:07AM (#171846)

        Here's the result (with a bunch of "found nothing" scrubbed out)

        ------------------------------------------------------------------
        Complete scanning result of "confimation_3098-2344342.doc", processed in VirusTotal at 04/17/2015 03:32:51 (CET)

        [ file data ]
        * name..: confimation_3098-2344342.doc
        * size..: 46080
        * md5...: ad5cc5269322f4eac92f229e9a7afb27
        * sha1..: 1b2ab5ffa51943e1ea700dc6d0937cd2784824fc

        [ scan result ]
        Ad-Aware 12.0.163.0/20150417 found W97M.Downloader.LH
        BitDefender 7.2/20150417 found W97M.Downloader.LH
        Comodo 21794/20150417 found TrojWare.W97M.Agent.~AA
        ESET-NOD32 11487/20150417 found VBA/TrojanDownloader.Agent.OK
        Emsisoft 3.0.0.600/20150417 found W97M.Downloader.LH (B)
        F-Secure 11.0.19100.45/20150416 found W97M.Downloader.LH
        GData 25/20150417 found W97M.Downloader.LH
        Kaspersky 15.0.1.10/20150417 found Trojan-Downloader.MSWord.Agent.it
        MicroWorld-eScan 12.0.250.0/20150416 found W97M.Downloader.LH
        Sophos 4.98.0/20150417 found Troj/DocDl-LS
        TrendMicro 9.740.0.1012/20150417 found W2KM_BARTALEX.UK
        TrendMicro-HouseCall 9.700.0.1001/20150417 found W2KM_BARTALEX.UK
        ------------------------------------------------------------------

        As I suspected, it's an MS Word macro designed to download something nastier. I doubt that I could get it to work in Libre Office, and even if I could, the payload would have some problems with infecting Linux.

        Still not going to try the experiment.
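
Added example, not part of the thread or any poster's code: a Python mail-triage check covering two points raised in the comments above, marking mail that is structurally signed (S/MIME or PGP/MIME) and flagging attachments that can carry Office macros, like the .doc described here. The sample message, its filename, the recipient address and the verdict labels are constructed for illustration; the code only detects that a signature is present and does not verify it cryptographically.

```python
import os
from email import message_from_bytes, policy
from email.message import EmailMessage

OLE2_MAGIC = bytes.fromhex("d0cf11e0a1b11ae1")  # legacy .doc/.xls/.ppt container
MACRO_EXTS = {".doc", ".dot", ".xls", ".ppt", ".docm", ".dotm", ".xlsm", ".pptm"}
SIGNED_PROTOCOLS = {
    "application/pkcs7-signature": "S/MIME",
    "application/x-pkcs7-signature": "S/MIME",
    "application/pgp-signature": "PGP/MIME",
}


def signature_kind(msg):
    """Return 'S/MIME', 'PGP/MIME' or None, judged from MIME structure only."""
    ctype = msg.get_content_type()
    if ctype == "multipart/signed":
        return SIGNED_PROTOCOLS.get(str(msg.get_param("protocol") or "").lower())
    if ctype in ("application/pkcs7-mime", "application/x-pkcs7-mime"):
        # Opaque S/MIME signing wraps the whole body in one signed-data blob.
        if str(msg.get_param("smime-type") or "").lower() == "signed-data":
            return "S/MIME"
    return None


def macro_capable_attachments(msg):
    """List (filename, reason) for attachments that can carry Office macros."""
    found = []
    for part in msg.walk():
        name = part.get_filename()
        if not name:
            continue
        data = part.get_payload(decode=True) or b""
        ext = os.path.splitext(name.lower())[1]
        if data.startswith(OLE2_MAGIC):
            # Content decides the type, whatever extension the sender chose.
            found.append((name, "OLE2 container"))
        elif ext in MACRO_EXTS:
            found.append((name, "macro-capable extension"))
    return found


def triage(raw):
    """Classify one raw message; the From header is reported, never trusted."""
    msg = message_from_bytes(raw, policy=policy.default)
    signed = signature_kind(msg)
    attachments = macro_capable_attachments(msg)
    if attachments:
        verdict = "quarantine"
    elif signed:
        verdict = "needs-signature-verification"  # structure seen, crypto not checked
    else:
        verdict = "unsigned"
    return {"from": str(msg["From"]), "signed": signed,
            "attachments": attachments, "verdict": verdict}


def build_sample(filename="sample_confirmation.doc"):
    """Constructed message shaped like the one quoted in the thread (no real payload)."""
    m = EmailMessage()
    m["From"] = "office@irs.gov"          # forgeable header, as in the quoted mail
    m["To"] = "taxpayer@example.com"      # constructed address
    m["Subject"] = "Tax refund"
    m.set_content("Please find attached a copy of the approved 1040A form.")
    m.add_attachment(OLE2_MAGIC + bytes(504), maintype="application",
                     subtype="msword", filename=filename)
    return m.as_bytes()


if __name__ == "__main__":
    print(triage(build_sample()))
```
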

        • (Score: 1) by anubi on Sunday April 19 2015, @02:24AM

          by anubi (2828) on Sunday April 19 2015, @02:24AM (#172682) Journal

          Yeh... sure is risky opening attachments in Email.

          I am surprised businesses haven't gone after Microsoft big-time for sloppy file processing, the way a restaurant would go after someone sending them dirty produce.

          A business looks so sloppy these days if they include attachments to their business communication.

          --
          "Prove all things; hold fast that which is good." [KJV: I Thessalonians 5:21]