Beware Phishing via Fax

IRS, Anti-Phishing Group Team up to Fight Fraud Trend
Imagine a small business owner receiving a fax, purportedly from the Internal Revenue Service, saying the business owes back taxes. Not wanting to tangle with the IRS, the owner fills out the appropriate financial information requested and faxes it back to the number provided.

Unfortunately, this individual has just fallen for a classic offline phishing attack -- "fax phishing."

Traditional phishing happens exclusively via the Internet with emails and attachments, but offline phishing involves sending direct faxes to consumers or businesses. A growing public threat, fax phishing is a reaction to improved spam filters, and a result of free IP fax services, says phishing researcher Markus Jakobsson.

"The IRS component though is an old one," Jakobsson says. "It seems to work. You do not mess with the IRS; you do what they say. And if they say you have a refund coming, everybody wants to believe that is so."

To help educate consumers and businesses about these offline attacks, the Anti-Phishing Working Group (APWG) has stepped in to create a new consumer fax education initiative in conjunction with the IRS.

The average loss incurred in offline phishing scams ranges from a few thousand to tens of thousands of dollars -- "Losses that victims don't realize they have sustained until long after the crime is complete," says Peter Cassidy, secretary general at the APWG. The new education program, called "Fax Back Phishing," provides telecommunications companies and Fax over Internet Protocol (FoIP) hosting firms with links to educational sites so that consumers and businesses can be educated the moment they are scammed.

The IRS's Online Fraud Detection and Prevention (OFDP) group, under the Office of Privacy Information Protection & Data Security, has been tracking and disabling offline phishing incidents since early 2009. The OFDP identifies fax numbers from complaints sent to its phishing alert address. Before OFDP became involved in offline phishing, these numbers would remain active for months, Cassidy says. Now the group works with telecommunications providers and is able to take down the majority of these fax numbers within 12 hours. This response greatly reduces the potential window of opportunity for phishers to harvest credentials. Approximately 250 numbers have been disabled in under 18 months.

The IRS turned to the APWG to help with the development of a response utility to advise consumers who've fallen victim to offline phishing scams. A fax coversheet with APWG's education resources site is now faxed to victims when the fax number is discovered. The FTC Sentinel, a consumer complaint database owned by the Federal Trade Commission, also gets the victim's information for further law enforcement investigation and takedown of other phishing operations.

The cooperation between the IRS and APWG is encouraging, says Laura Mather, Ph.D., co-chair of APWG's Internet Policy Committee. "The phishers continue to find compelling mechanisms for contacting consumers and having the IRS work with us to create a program for protecting people who have been contacted by this type of scam shows that the crime fighters cooperate as well as the criminals," she says.

A social engineering expert says people are all used to fax-based spam. "But phishing via this medium is a newer trend," says Rohyt Belani, CEO of Intrepidus, a social engineering training vendor. He says the effort a recipient must expend to respond to a fax makes the traditional online phishing attack the much more dangerous threat.

Jakobsson agrees with Belani's view, adding, "In my view, it is an attack that is not going to have a huge impact: there simply is not a huge number of consumers who have faxes, so that leaves corporate fax numbers."

Jakobsson believes that SMS-based phishing, also known as smishing, or text phishing, "is going to grow much faster than fax-based."

Even so, education of consumers and businesses is key to beating the phishers, says Belani. "People need to be educated that their banks, the IRS, or anyone else will never ask them to provide sensitive/confidential information via electronic means."


About the Author

Linda McGlasson

Managing Editor

Linda McGlasson is a seasoned writer and editor with 20 years of experience in writing for corporations, business publications and newspapers. She has worked in the Financial Services industry for more than 12 years. Most recently Linda headed information security awareness and training and the Computer Incident Response Team for Securities Industry Automation Corporation (SIAC), a subsidiary of the NYSE Group (NYX). As part of her role she developed infosec policy, developed new awareness testing and led the company's incident response team. In the last two years she's been involved with the Financial Services Information Sharing Analysis Center (FS-ISAC), editing its quarterly member newsletter and identifying speakers for member meetings.