You will never be asked

for personal or financial

information through an IRS

email. Any communication

from the IRS will be through

the U.S. Postal Service.

May | June 2012 The Pennsylvania Lawyer 21

Cybercrime is theevil twin of cybercommunications.Electronic communi-cations have becomeas much a part of ourexistence as plastic

wrap or cartridge pens. But the ease ofcommunications and availability of infor-mation has a darker side when left to themachinations of cybercriminals intent onstealing financial information and youridentity.

Phishing is a play on the word “fishing.”In the process of phishing, criminals casttheir lines with enticing bait hoping tolure an unwitting guppy into biting on amalevolent attachment or link that willenable their financial crimes. The InternalRevenue Service is the bait in the latestround of phishing, with potentially disas-trous results.

Phishing is the cyber search for personalinformation under the guise of a seeming-ly legitimate inquiry designed to acquireinformation to enable further crimes ortheft through access to bank accounts andcredit cards. With information obtainedthrough phishing, criminals are capable ofidentity theft, using that information totake out bank loans, apply for benefits,

commit crimes or file fraudulent taxreturns. Phishing activities may damageyour computer by introducing viruses toyour hardware or by surreptitiously allow-ing password access by a remote thief.

Is This Communication for Real? The IRS never initiates contact with ataxpayer through email. The IRS wouldnever ask for or seek confirmation of yourtax ID number, PINs, bank accounts,passwords or any other financial informa-tion through electronic communications.In short, you will never be asked for per-sonal or financial information through anIRS email.

A message that appears to be from theIRS either promising you a refund orwarning of an investigation is almost cer-tainly phishing. Some contain a link to aform that purports to allow you to claima refund. Invitations to participate in anonline IRS-sponsored survey are alsophishing. Another scam reports that yourelectronic federal tax payment was reject-ed and directs you to a website for addi-tional information where malware will bedownloaded to infect your computer.Frequently the scam message contains alink to a fraudulent, imitation IRS web-site where personal information such as aSocial Security number is requested.

How to Avoid Becoming a Victim of Phishing Be aware that scammers often use fake IRS notices or requests as bait By Phyllis Horn Epstein

How to Avoid Becoming a Victim of Phishing

The Pennsylvania Lawyer May | June 201222

These fraudulent sites often bear the IRSlogo. They are deceptively close copies oflegitimate IRS Web pages. The IRS hasposted samples of phishing on its officialwebsite at www.IRS.gov. Websites or Webcommunications that end with “.com” or“.net” or “.org” are not the IRS. They arefraudulent imitations.

Some phishing emails may have incorrectgrammar or spelling because they origi-nate from outside the country. Reported-ly the U.S. Treasury’s inspector general fortax administration has identified phishingsources in more than 64 countries,including Argentina, Aruba, Australia,Austria, Canada, Chile, China, England,Germany, Indonesia, Italy, Japan, Korea,Malaysia, Mexico, Poland, Singapore andthe United States.

In reality the IRS will never call or writefor proprietary information in any form,even by fax. Scams can arrive by mail,telephone and fax with the same nefariouspurpose. In fact it is just the oppositebecause any communication from the IRSwill be through the U.S. Postal Serviceand will always include the name of the

author, an employee ID number, tele-phone and fax numbers and the appropri-ate Social Security number or employeridentification number of the taxpayer.

What to Do If You Suspect PhishingIf you are contacted by electronic meansfrom what appears to be the IRS, the IRSoffers the following advice:• Do not reply to the message.• Do not open any attachments.

Attachments may contain malicious codethat will infect your computer.• Do not click on any links. If you have

clicked on links in a suspicious email orphishing website and entered confidentialinformation, go to the IRS website andenter the search term “Identity Theft” formore information and resources to help.

You should also report any phishingattempts to the IRS. A suspicious emailshould be forwarded to phishing@irs.govand then deleted. If you encounter a website that you suspect is not legitimate,the IRS recommends that you send theURL to phishing@irs.gov with the words“Suspicious Website” in the subject line.The IRS has received more than 30,000messages concerning suspected phishingand uncovered nearly 2,000 phishingsites.

Suspicious letters, calls or faxes can bereported to the IRS at 800-829-1040where you can discover if there is a legiti-mate IRS inquiry under way. The IRSrecommends the following procedure fortelephone calls during which someonepurports to be from the IRS:• Ask for a call-back number and

employee badge number.• Contact the IRS to determine if the

caller is an IRS employee with a legiti-mate need to contact you.• If you determine that the caller is an

IRS employee with a legitimate need tocontact you, call the person back.• If the call, letter or fax turns out to be

a scam, the IRS recommends that youreport it to the U.S. Treasury’s inspectorgeneral for tax administration at 800-366-

Often the purpose of phishing

is to secure enough information

to enable the thief to file a

second tax return and steal the

tax refund that might otherwise

be due.

May | June 2012 The Pennsylvania Lawyer 23

4484 and fax the materials to (202) 927-7018.

If you receive an unsolicited email or faxregarding a stock purchase, the IRS rec-ommends the following.

If you are a U.S. citizen residing in theUnited States or abroad:• File a complaint form with the U.S.

Securities and Exchange Commission(SEC).• Forward email to phishing@irs.gov

with the word “Stock” in the subject line.• If you are a victim of monetary theft,

file a complaint with the Federal TradeCommission (FTC).

If you are not a U.S. citizen and resideoutside the United States:• File a complaint form with the SEC.• File a complaint with your securities

regulator.• Forward email to phishing@irs.gov

with the word “Stock” in the subject line.• If you are a victim of monetary theft,

file a complaint with www.econsumer.gov.

Another frequent scam is the delivery of afake form W-8BEN by email or fax. FormW-8BEN is the Certificate of ForeignStatus of Beneficial Owner for UnitedStates Tax Withholding and is completedby foreign nationals who must pay taxthrough withholding in the United States.Form W-8BEN is completed by the per-son’s employer and is never received byemail or fax. The fake documents solicitadditional information such as a mother’smaiden name, passport number, date ofbirth, PINs and pass codes — none ofwhich is required on a legitimate form W-8BEN. Some scams claim that thisinformation is needed to comply withanti-money-laundering regulations or to confirm tax exemption on earnings.Fake forms should be reported to the IRSat phishing@irs.gov. If fake forms arereceived by fax, include the word “Fax” in the subject line of your email report to the IRS.

A recent search for the word phishing on the IRS website, www.IRS.gov, produced 184 results.

A compilation of IRS publications and resources on suspicious email and identity theft isposted on the IRS website at www.irs.gov/newsroom/article/0,,id=155682,00.html.

The Pennsylvania Lawyer May | June 201224

What to Do If You Become a VictimBecause criminals act fast, you should actfast to limit the damage that might bedone. In addition to reporting all theftand scams to law enforcement, youshould take other immediate action.Because cybercriminals may use yourinformation to charge on your creditcards or open new cards in your name,you should get a copy of your creditreport from one of the major creditbureaus to check on activity. A free reportcan be ordered at www.annualcreditreport.com. Report any unauthorizedactivity to the credit bureaus and creditcard companies.

If you believe that you have unwittinglydisclosed personal information throughphishing or theft, secure your tax accountby reporting the incident to the IRS at800-908-4490 and complete and fileForm 14039, the IRS Identity TheftAffidavit. For identity theft, you shouldfile a complaint with the FTC atwww.ftc.gov.

Recently the IRS has devoted new energyto combating identity theft, creating anew IRS Identity Protection SpecializedUnit available at 800-908-4490. You cancall the unit to report concerns if you areat risk for identity theft or have not beenotherwise successful in your attempts toreport a theft. In 2011 the IRS issuedsome taxpayers an additional IP-PIN, orIdentity Protection Personal IdentificationNumber, for use when filing their taxreturns. In 2010 the IRS instituted a pilotprogram to prevent misuse of identifica-tion numbers of deceased taxpayers. TheIRS is also minimizing use of full SocialSecurity numbers for identification purposes. In May of 2007 the Office ofManagement and Budget issued memo-randum M-07-16, “Safeguarding Againstand Responding to the Breach ofPersonally Identifiable Information,”directing all federal agencies to take stepsto safeguard Social Security numbers. TheIRS is following this directive by reducingits use of full Social Security numbers onall communications, including forms andletters sent to taxpayers and others.

IRS Publication 4535, “IdentityTheft Prevention and Victim

Assistance,” is posted on the IRSwebsite at www.irs.gov/pub/irs-pdf/p4535.pdf.

The IRS has devoted new

energy to combating

identity theft, creating a

new IRS Identity Protection

Specialized Unit.

May | June 2012 The Pennsylvania Lawyer 25

The IRS tries to minimize errors and tax refund fraud through new screeningfilters used to spot false returns beforethey are even processed. Often the pur-pose of phishing is to secure enoughinformation from the taxpayer to enablethe thief to file a second tax return andsteal the tax refund that might otherwisebe due to the legitimate taxpayer. Youmay only learn of this when your returnis rejected or a notice is sent from the IRSletting you know that a tax return wasalready filed under your ID number. Youmay also learn of tax return fraud whenyou discover corrections to your returnwith income information that is clearlynot yours.

At this writing there are 27 states thathave separate criminal statutes that specifically address phishing, althoughPennsylvania is not among them. Thefederal government missed an opportuni-ty to make phishing a separate crime byfailing to enact the Anti-Phishing Act of2005, which would have imposed fines of up to $250,000 and prison terms of upto five years. Without a phishing statute,relief is only available for actual victims of cybercrimes.

You or someone you know may havebeen the target of cybercrime, eitherbecause of hackers who steal whole data-bases from merchants or through simplenegligence by the keepers of information.Some of us will recall nostalgically thetheft of credit card numbers from old car-bon paper copies on credit card receiptsbefore the day when carbon paper was

PBI PRESS. Over 52 titles. One choice.Since 1990, talented lawyer-authors and other highly respected professionals have been working with PBI Press to publish books in 16 major practice areas. Our signature collection offers:

� Expert commentary & practice tips

� Automatic updates of new editions & supplements

� Searchable CD-ROM with adaptable forms

� Professionally typeset, edited & indexed material

� Convenient online catalog shopping

Learn more about our 52+ titles at pbi.org.

WHY PBI

A suspicious email should be

forwarded to phishing@irs.gov

and then deleted. If you

encounter a website you

suspect is not legitimate, send

the URL to phishing@irs.gov.

The Pennsylvania Lawyer November | December 201126 The Pennsylvania Lawyer May | June 201226

eliminated and security digits placed onthe back of cards. Some have suffered themisappropriation of private informationby dishonest store merchants or vendors.

What Inquiries Are Legitimate? How can you determine what is a legiti-mate IRS inquiry and what is not? It isimportant to remember that the IRS willnever contact you by email or fax. Anyinquiries, notices, offers or surveys youreceive purporting to be from the IRSeither by email or fax are going to be partof a scam. The legitimate website for theIRS is www.IRS.gov. Any variation onthat identity is not a legitimate website.

The IRS will initiate contact with taxpay-ers by letter and may follow up with a callfrom an authorized agent who will berequired to give you his or her employeeidentification number. If you have anyconcern about the identity of the person,get his or her ID number and call back tothe IRS number below to confirm thatthe person is a reputable agent. If youhave any doubt or suspicion about a call,regular mail inquiry, fax or email, do nothesitate to confirm that the IRS isengaged in a legitimate inquiry by calling800-829-1040. F

Phyllis Horn Epsteinis PBA treasurer anda partner withEpstein, Shapiro &Epstein PC inPhiladelphia. You can contact her atphyllis@eselaw.com.

If you would like tocomment on this

article for publication in our next issue,please email us at editor@pabar.org.

IRS Publication 4524, “Security Awareness and Identity Theft,” is posted on the IRS website atwww.irs.gov/pub/irs-pdf/p4524.pdf.

IRS Publication 4523, “Beware of Phishing Scams,” is posted on the IRS website at www.irs.gov/pub/irs-pdf/p4523esp.pdf.

Phyllis HornEpstein

PBA Annual Meeting

May 9-11, 2012 Lancaster, Pa.Lancaster Marriott

at Penn Square

www.pabar.org