Unfortunately, this individual has just fallen for a classic offline phishing attack -- "fax phishing."
Traditional phishing happens exclusively via the Internet with emails and attachments, but offline phishing involves sending direct faxes to consumers or businesses. A growing public threat, fax phishing is a reaction to improved spam filters, and a result of free IP fax services, says phishing researcher Markus Jakobsson.
"The IRS component though is an old one," Jakobsson says. "It seems to work. You do not mess with the IRS; you do what they say. And if they say you have a refund coming, everybody wants to believe that is so."
To help educate consumers and businesses about these offline attacks, the Anti Phishing Working Group has stepped in to create a new consumer fax education initiative in conjunction with the IRS.
The average loss incurred in offline phishing scams ranges from a few thousand to tens of thousands of dollars -- "Losses that victims don't realize they have sustained until long after the crime is complete," says Peter Cassidy, secretary general at the APWG. The new education program, called "Fax Back Phishing," provides telecommunications companies and Fax over Internet Protocol (FoIP) hosting firms with links to educational sites so that consumers and businesses can be educated at the moment they are scammed.
The IRS's Online Fraud Detection and Prevention (OFDP) group, under the Office of Privacy Information Protection & Data Security, has been tracking and disabling offline phishing incidents since early 2009. The OFDP identifies fax numbers from complaints sent to its phishing alert address. Before OFDP became involved in offline phishing, these numbers would remain active for months, Cassidy says. Now the group works with telecommunications providers and is able to take down the majority of these fax numbers within 12 hours. This response greatly reduces the potential window of opportunity for phishers to harvest credentials. Approximately 250 numbers have been disabled in under 18 months.
The IRS turned to the APWG to help develop a response utility that advises consumers who have fallen victim to offline phishing scams. Once a phishing fax number is discovered, a fax cover sheet pointing to APWG's education resources site is faxed to the victims. The FTC Sentinel, the Federal Trade Commission's consumer complaint database, also receives the victim's information for further law enforcement investigation and for takedown of other phishing operations.
The cooperation between the IRS and APWG is encouraging, says Laura Mather, Ph.D., co-chair of APWG's Internet Policy Committee. "The phishers continue to find compelling mechanisms for contacting consumers and having the IRS work with us to create a program for protecting people who have been contacted by this type of scam shows that the crime fighters cooperate as well as the criminals," she says.
A social engineering expert says people are used to fax-based spam. "But phishing via this medium is a newer trend," says Rohyt Belani, CEO of Intrepidus, a social engineering training vendor. He says that the effort a recipient must put in to respond to a fax makes the traditional online phishing attack the more dangerous threat.
Jakobsson agrees with Belani's view, adding, "In my view, it is an attack that is not going to have a huge impact: there simply is not a huge number of consumers who have faxes, so that leaves corporate fax numbers."
Jakobsson believes that SMS-based phishing, also known as smishing, or text phishing, "is going to grow much faster than fax-based."
Even so, education of consumers and businesses is key to beating the phishers, says Belani. "People need to be educated that their banks, the IRS, or anyone else will never ask them to provide sensitive/confidential information via electronic means."