Warning: Serious Scam Involving IRS (W8 BEN)

There is a serious scam involving IRS (Internal Revenue Service, USA) which can fool even the most web-savvy people. Please read below for details on how you can protect yourself from this email which appears to genuinely come from IRS, inquiring about your tax exemption status.

I received an email today which states:

Our record indicates that you are a non-resident alien. As a result, you are exempted from United States of
America (USA) Tax reporting and withholdings on interest paid into your account and other financial
dealing. To protect your exemption from tax on your account and other financial benefit, you need to
recertify your exempt status. Therefore, you are to authenticate the following by completing form W-
8BEN, and return to us as soon as possible through the fax number: +1 -206-202-0110

If you are a USA Citizen and Resident Alien, this form W-8BEN is not meant for you, please indicate
“USA Citizen/Resident” on the form and return it to us. We shall then send you a form W9095.

When completing form W-8BEN, please follow the steps below.
We need you to provide your permanent address if different from the current mailing address on your

Form W-8BEN you must indicate if a non-USA resident, your country of origin to support your non-
resident status (if your bank account or other financial dealing has a USA address for mailing purpose).

If any joint account holder is now USA resident or Citizen, or in any way subject to USA tax reporting
laws, Please check the box in this section.

Please have all account holder(s) sign and date the form separately and fax it to the above-mentioned fax
number.

We wrote to you in April 2009 asking for this identification but have not received any reply. Please,
complete Form W-8BEN ‘attached” and return to us within 2 (two) weeks from the receipt of this letter
by faxing it, to enable us update your records immediately. If your account or any other financial benefits
are not rectified in a timely manner, it will be subjected to USA tax reporting and back up withholding (if
back up withholding applies, we are required by Law to withhold 30% of the interest paid to you).
We appreciate your cooperation in helping us protect your exempt status and also update our records.

The email looked genuine at first because:

• It didn’t direct me to a website to fill-out a form or authenticate myself
• The email address appeared to be from IRS at first glance (detailed investigation found it to be fraudulent)
• The information was provided in pdf documents which is relatively immune to viruses

However on detailed investigation I found it to be yet another phishing scam, an innovative one I must admit. So what gave it away?

How to identify such phishing attempts?

Instead of talking about generic ways to protect yourself from phishing scams, I will detail how I found out that this was a phishing attempt.

Identify origin of email

The email originated from:
Received: from User ([174.141.9.35]) by backoffice.mcerrillos.cl with Microsoft SMTPSVC(6.0.3790.3959);

First of all IRS would never route their email through a Chilean site (mcerrillos.cl is owned by Municipalidad de Cerrillos). They aren’t that cheap. IRS surely owns their own email server when even small companies like us can own them. In fact IRS mail server is located at IRS.gov

Note: I got the information about the site from whois records.

The email was originally received from the following IP address: 174.141.9.35
This IP address can be faked, so having a valid IP address is no guarantee that the email originated from a proper location. However the email is definitely scam when this IP address doesn’t belong to the organization the email is claiming to come from.

In this case the IP address is owned by nuvox.com (used nslookup to find out), provider of web based business applications for communication which leverages Google applications like GMail etc. Again IRS will never send email from such setup. The address isn’t owned by IRS.

How to contact?

The most innovative aspect of this scam is that it doesn’t ask you to go to a fake website or send an email, both of which can easily be reported and taken down, but asks you to FAX the information instead.

The fax number is +1-206-202-0110

A reverse phone lookup at whitepages.com indicated that it is an unlisted Seattle address. Why would IRS unlist their FAX address?
Secondly I never worked in Seattle nor earned anything there. IRS does have an office in Seattle (Phone: 1-206-220-6015) but surely there is not reason why it would contact a person who never stayed there nor earned anything there and that too from an unlisted address.

In light of these evidences, I could conclusively determine that this was a fraud / scam. I hope the fax number is traced by government officials to shutdown this scam asap.

What is the standard operating procedure of the organization?

IRS is never known to communicate by email. It uses snail-mail.

What is phishing?

I have used the word phishing repeatedly without explaining it. In not so simple terms (will simplify later), phishing is the criminally fraudulent process of attempting to acquire sensitive information such as usernames, passwords, bank account details, credit card details etc. by masquerading as a trustworthy entity in an electronic communication, mostly by email or instant message. Communications appearing to be from popular social web sites, government authorities like IRS  as was in this case, auction sites, online payment processors or IT administrators are commonly used to lure the unsuspecting public in handing out their sensitive information.

It often directs users to enter details at a fake website whose look and feel are almost identical to the legitimate one. In this case however they have innovated and directing you to fax the information instead, making it look even more legitimate.