Welcome to Orange Frog Productions Scams, Shams & Flim-Flams Section [Banner]

Search this site powered by FreeFind

Page Title:

Spoof/Phishing Scam  - 05/13/2008 -  (IRS - Economic Stimulus Refund)

Please be sure to read my Spoof/Phishing Scams Home Page

NOTE: All external links on this page open a new window.

Things I Did, Below

I, personally, receive email in HTML format. Since the email headers could be included, I did not "forward" the email to get the brief headers. The following was received (and looks) like I received it, with the following exceptions:

  • Any notes I added in the actual letter are in square brackets ("[" "]"), are bold, red in color, and highlighted. If what I found "behind the links" (email or website) are different than what was displayed, I will include them in this type of note.
  • Actual links in the email message have been changed to null (allowing them to still appear as links), have arrows pointing to them ("<=="), have been "named", and appear as one of "my notes" (bold, red in color, and highlighted). They are listed below the email example using the "names".
  • All spelling, spacing, line-wrapping, and punctuation errors are the ones that appeared in the original received email. (I may or may not analyze some or all of these.) This email started with the HTML from the email I received. Most of the HTML and the look is original to the email (making this page non-standard HTML 4.01!)

Scam Example

PLEASE NOTE: The IRS website states:

If you receive an unsolicited e-mail communication claiming to be from the IRS, please forward the original message to: phishing@irs.gov using the instructions provided below. You may not receive an individual response to your e-mail because of the volume of reports we receive each day.

  • The IRS does not initiate taxpayer communications through e-mail. In addition, the IRS does not request detailed personal information through e-mail or ask taxpayers for the PIN numbers, passwords or similar secret access information for their credit card, bank or other financial accounts.
  • Do not open any attachments to questionable e-mails, which may contain malicious code that will infect your computer. Please be advised that the IRS does not initiate contact with taxpayers via e-mails.

Source: IRS - What You Can Do to Report Phishing, E-mail Scams and Bogus IRS Web Sites New Window

For your own safety, if you receive ANY email that tells you you MUST click a link:

  1. Go directly to the site itself and find out
  2. If you have an account, log in
  3. If what the email says is true, there should be some type of notification at either the main page, or on your account's login page.

BE SURE TO CHECK OUT ANY EMAILS LIKE THIS YOU GET!

[Please note: This whole page will not validate HTML 4.01, though it says it will at the bottom. The reason is because I cut-and-pasted the HTML from the email. -wds]

Received 05/13/2008, 05:55PM

NOTE: This email came with a HIGH PRIORITY. The idea being that you would read it quickly.

----- Original Message -----
From: Internal Revenue Service [<== Behind the name: revenue @ irs.us.gov]
Sent: Tuesday, May 13, 2008 5:49 PM
Subject: IRS - Economic Stimulus Refund Program
 

Over 130 million Americans will receive refunds as
part of President Bush program to jumpstart the economy.

Our records indicate that you are qualified to receive the
2008 Economic Stimulus Refund.

The fastest and easiest way to receive your refund is by
direct deposit to your checking/savings account.

Please follow the link and fill out the form and submit
before May 19th, 2008 to ensure that your refund will be
processed as soon as possible.

Submitting your form on May 19th, 2008 or later means that
your refund will be delayed due to the volume of requests we
anticipate for the Economic Stimulus Refund.

To access Economic Stimulus Refund, please click here. [<== Behind the words: http:// 211.119.242.70:84 /www. irs.gov/irfofgetstatus.htm]

 

NOTE: If you received this message in you SPAM/BULK folder, that
is because of the large amount of e-mails we are sending out
or because of the restrictions implemented by your ISP.

© Copyright 2008, Internal Revenue Service U.S.A. All rights reserved.

[NOTE: I left any names, email addresses, and phone numbers in here for the search engines to find. DO NOT TRY TO CONTACT THEM! I'm SURE you will be ripped off! -LE]

Email Headers

[DO NOT send email to any of the following email addresses]

X-Message-Delivery: Vj0zLjQuMDt1cz0wO2k9MDtsPTA7YT0w
X-Message-Status: s4:0
X-SID-PRA: Internal Revenue Service <revenue @ irs.us.gov>
X-Message-Info: /UPnKeip+Fy7H03MhtzLi182N3fnVDxbCzx [added space]
3KmDnE0Tgk69M8gtPGLB5SnTrAGmf85kHJ+TDnlhXpCrW2TJQ2A==
Received: from mail.bath.k12.va.us ([65.169.41.94]) by bay0-mc8-f12.bay0.hotmail.com with Microsoft SMTPSVC(6.0.3790.2668);
Tue, 13 May 2008 14:55:10 -0700
Received: from User ([75.145.19.141]) by mail.bath.k12.va.us with Microsoft SMTPSVC(6.0.3790.3959);
Tue, 13 May 2008 17:55:09 -0400
From: "Internal Revenue Service" <revenue @ irs.us.gov>
Subject: IRS - Economic Stimulus Refund Program
Date: Tue, 13 May 2008 14:49:36 -0700
MIME-Version: 1.0
Content-Type: text/html;
charset="Windows-1251"
Content-Transfer-Encoding: 7bit
X-Priority: 1
X-MSMail-Priority: High
X-Mailer: Microsoft Outlook Express 6.00.2600.0000
X-MimeOLE: Produced By Microsoft MimeOLE V6.00.2600.0000
Bcc:
Return-Path: revenue @ irs.us.gov
Message-ID: <MAIL1KDBUeOVbgtgAtW00003a5f @ mail.bath.k12.va.us>
X-OriginalArrivalTime: 13 May 2008 21:55:09.0841 (UTC) FILETIME=[0355B010:01C8B544]

Notes

Links from email, above: (This information is from the SOURCE of the email.)

  • Links (behind the words):
    • Behind "Click here" was http:// 211.119.242.70:84 /www. irs.gov/irfofgetstatus.htm - NOTE: It is NOT the IRS website (the site you would go to is 211.119.242.70 on port 84. 211.119.242.70 is from Seoul, Korea, according to GeoBytes IP Address locator (Now WHY would the IRS send ANY email through Korea?)
  • Email Header Links:
    • Almost all links in the email headers are revenue @ irs.us.gov, which to me, means the headers were spoofed. Again, the IRS will NOT contact you by email.
    • According to GeoBytes.com's Spam Locator (cut-and-paste full email headers) reports that "We are unable to locate the IP address "98.220.45.90" at this time." - THIS is the address from which the email came. If they are unable to locate it, then it's most definitely spoofed.
  • Link Behind Image:
    • The IRS banner/logo is direct from the IRS site: http://www.irs.gov/irs/cda/common/images/irslogo.gif

As you can see, with a little checking BEFORE YOU CLICK A LINK OR REPLY (OR MAKE A PHONE CALL), you can find inconsistencies that can save you from a world of hurt! (and empty bank accounts!)

Send comments/questions about this page to Bill Sanders at:

Go to Scams - Spoof/Phishing Scams Home page
Go to Scams - Spoof/Phishing Scams Examples Links

| Home | Main | Owner | Scams, Shams & More Flim-Flams | Glossary | Sitemap | Contact |

Send email to Bill Sanders ()
with questions or comments about this page or site.

This site, all text and graphics (unless otherwise noted) on it
were designed, developed and published by Bill Sanders of Orange Frog Productions.
It and it's CSS was validated and complies with both the: CSS and HTML 4.01 validators from W3C.
NOTE: All CSS validates except the "New Window Buttons" which include some invalid code (ie: hacks),
added PicoSearch Tables, and warnings for using transparent backgrounds when color foregrounds defined.
Copyright © 2003, 2004, 2005, 2006, 2007 by Bill Sanders / Full site last modified: October 21, 2006
Any reproduction, printing, or selling of this content is prohibited without express written consent from William D. Sanders.
ctr