Press Releases

Browse our press release archive

30 Nov 2005

Phishers send email posing as IRS tax refund

Link to legitimate government website bounces you into the hands of phishers

Experts at SophosLabs™, Sophos's global network of virus, spyware and spam analysis centers, have warned internet users of a phishing email which aims to steal from American taxpayers by posing as notification of a refund from the Internal Revenue Service (IRS). The phishers are taking advantage of a security configuration error on the real US Government website which is allowing phishers to redirect visitors to a bogus website.

The email invites taxpayers to visit a website to collect their refund

The email invites taxpayers to visit a website to collect their refund.

In an attempt to look more legitimate, the email tells users to cut-and-paste the link into their web browser rather than click directly on it. Although the link does use the genuine domain name of a real government website (, a mistake in the way the website has been set up bounces surfers to a bogus site run by the phishers.

The bogus benefits website asks for information from taxpayers.

The bogus benefits website asks for information from taxpayers.

"This phish tells you that the IRS owes you several hundred dollars, and offers you a web link from which you can allegedly claim your tax refund," said Graham Cluley, senior technology consultant at Sophos. "But the link in the email simply bounces you off a US Government website onto a site owned by the criminals, who are ready and waiting to steal your credit card details, Social Security Number and other personal information."

"This is more advanced than the typical phish, because the web link really does - at first - take you to the real tax benefit website. Unfortunately the way the government website has been configured allows the phishers to bounce the unwary in their direction instead. The phishers didn't need to hack into or compromise the government website to do this, the website has simply had this vulnerability on it all along," continued Cluley. "This is a salutory warning to every business and agency that runs a website to be very careful that it cannot be abused to bounce web surfers elsewhere."

Sophos reminds users to be wary of unsolicited emails, and has published information about how individuals can learn how to protect themselves against this and other online scams.

About Sophos

More than 100 million users in 150 countries rely on Sophos as the best protection against complex threats and data loss. Sophos is committed to providing complete security solutions that are simple to deploy, manage, and use and that deliver the industry's lowest total cost of ownership. Sophos offers award-winning encryption, endpoint security, web, email, mobile and network security solutions backed by SophosLabs - a global network of threat intelligence centers.

Sophos is headquartered in Boston, US and Oxford, UK. More information is available at