Scammers impersonate FTC, IRS

ASSOCIATED PRESS

The federal agency charged with protecting consumers from Internet scams now finds itself wrapped up in one.

Identity thieves have sent thousands of bogus e-mails purporting to be from the Federal Trade Commission — as well as the Internal Revenue Service and Justice Department — in an attempt to trick consumers into divulging personal financial information.

The agencies are the latest institutions to be exploited in “phishing” scams, long the bane of large banks and credit-card issuers.

Analysts who track online crime say that while financial institutions are still the most commonly hijacked brands, the use of federal agencies in the hoaxes is increasing and reflects criminals’ desire to take advantage of the familiarity and authority of various government departments.

Phishing typically involves sending fraudulent e-mails that include links that direct recipients to fake Web sites where they are asked to input sensitive data. Phishers also may include attachments that, when clicked, secretly install “spyware” that can capture personal information and send it to third parties over the Internet.

Criminal gangs in the United States and overseas use the information to steal thousands of dollars from consumers or to sell their identities in what analysts describe as a sophisticated underground economy surrounding identity theft.

The FTC said last month that corporate and banking executives, among other consumers, have received fake e-mails with spyware attachments purporting to be from the agency.

The Treasury Department, meanwhile, said June 27 that it had received more than 23,000 complaints about IRS-related phishing scams since an investigative arm of the department began tracking them in November 2005.

The scams have been “unprecedented both in terms of sophistication and the volume of reports we have received,” said J. Russell George, Treasury inspector general for tax administration.

Michelle Lamishaw, an IRS spokeswoman, said most of the hoax e-mails tell recipients they are under investigation or that they have a tax refund pending. Some are more sophisticated, including those targeted to small businesses that mention obscure agencies such as the California Franchise Tax Board.

Government officials said recipients of such e-mails should be suspicious of their origin for one simple reason: Federal agencies rarely communicate with citizens over e-mail.

Lois Greisman, associate director of the FTC’s division of marketing practices, said, “We are the agency that brought you the Do Not Call Registry and Can-Spam,” she said, referring to a 2003 law restricting commercial spam. “We’re not likely to send out unsolicited e-mails.”

Phishing surfaced early this decade and took off in 2003, said Peter Cassidy, a spokesman for the Anti-Phishing Working Group. The group is a consortium of corporations, banks, software providers and law-enforcement agencies whose members include EBay Inc., Microsoft Corp. and Yahoo Inc.

The scams are still growing rapidly: The number of phishing Web sites jumped to 37,438 in May, the group said in a report released July 8, more than triple the 11,976 reported in May 2006.

Phishing can carry significant economic costs for the victims and rewards for the perpetrators. Jeff Fox, technology editor at Consumer Reports, said that in September his group estimated consumers had lost $630 million to phishing scams in the previous two years.

A recent report from the Government Accountability Office, Congress’ investigative arm, put the figure at $1 billion annually.

Despite efforts to educate the public about the dangers of clicking on unknown links and attachments in spam e-mail, many computer users still do so.

Consumer Reports estimates that 8.2 percent of online households have submitted personal information in response to fraudulent e-mails in the past two years, Mr. Fox said. “It’s astounding.”