ATX Community

Phishing Emails



Received two emails this morning that looked legitimate (not the usual grammar and spelling errors) asking if I was taking on new clients and offering to email me last year's returns. The giveaway was that the "Reply" email address did not match the "From" address and was really weird (.jp instead of the usual .com or .org).

I know most of you are very careful with these types of emails and just wanted to let everyone know that the bad guys are getting much better at making the emails look legit.

  • Like 4
Link to comment
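The mismatch described in the first post, a Reply-To address on a different domain from the From address, can be checked mechanically from the message headers. This is an added example, not part of any post in this thread; the sample messages and example.* domains are constructed, and comparing only the last two domain labels is a simplifying assumption.

```python
from email import message_from_string
from email.utils import parseaddr

def domain_of(header_value):
    """Lower-cased domain of the address in a header value, or '' if none."""
    _name, addr = parseaddr(header_value or "")
    return addr.rpartition("@")[2].lower().rstrip(".") if "@" in addr else ""

def org_domain(domain):
    """Last two labels as a rough organisational domain (assumption: a real
    check would use the Public Suffix List for suffixes such as .co.jp)."""
    return ".".join(domain.split(".")[-2:])

def reply_to_findings(raw_message):
    """Return findings when Reply-To points somewhere other than From."""
    msg = message_from_string(raw_message)
    from_dom = domain_of(msg.get("From"))
    reply_dom = domain_of(msg.get("Reply-To"))
    findings = []
    if not reply_dom:
        return findings  # no Reply-To header: replies go to the From address
    if org_domain(reply_dom) != org_domain(from_dom):
        findings.append(f"Reply-To domain {reply_dom} does not match From domain {from_dom}")
        from_tld, reply_tld = from_dom.rpartition(".")[2], reply_dom.rpartition(".")[2]
        if from_tld != reply_tld:
            findings.append(f"Reply-To uses .{reply_tld} while From uses .{from_tld}")
    return findings

# Constructed sample messages (not taken from the thread).
SUSPICIOUS = (
    "From: Pat Doe <pat.doe@example.com>\n"
    "Reply-To: pat.doe.returns@mailbox.example.jp\n"
    "Subject: Are you taking on new clients?\n"
    "\n"
    "I can email you last year's returns.\n"
)
SAME_ORG = (
    "From: Billing <billing@example.org>\n"
    "Reply-To: support@help.example.org\n"
    "Subject: Your receipt\n"
    "\n"
    "Thank you.\n"
)

if __name__ == "__main__":
    for name, raw in (("suspicious", SUSPICIOUS), ("same org", SAME_ORG)):
        print(name, reply_to_findings(raw))
```

A Reply-To on a subdomain of the sender's own domain is not flagged, since many legitimate senders route replies that way.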

Most of the phishing emails that I get go to my old, old email account that I never use for work or the one on my website that forwards them to another email not known to the public. They have become more sophisticated lately, but every one has a really strange email address. It really helps that I have only taken referrals for years. It's a scary world anymore.

  • Like 3
Link to comment

My wife works for the med school / hospital of a major University and the tech group sends out phishing emails to all employees as a way to test if they are opening them and clicking the link. You can get a reward if you forward the email to tech to notify receiving it. All managers get notified if an employee gets caught. Compared to the phishing emails I get, they are sometimes VERY elaborate. Like NE, the email address is usually the easy sign; supposedly they've fixed that problem.

  • Like 3
Link to comment

One method, for the best safety, is to "wash" your incoming message through something like MailWasher. Another is to always open messages in plain text mode, so no links can be selected, and no one-pixel images can be used to track your opening of the message. The issue is really too large for one person to handle their own filtering, yet the filters are so bad, wanted messages get trapped. Catch-22. For me, I have my mail server scan attachments for obvious issues, and I will set up blocks for repeated offenders, but for the most part, I let all through, filter locally, but I still have to review all messages in case one gets caught incorrectly, and I don't open anything in an email unless I asked for something. Good old Safe Hex.

Deeper, the "managed" email providers are terrible at filtering.  Why?  Because they filter for their own reasons first (to save money), and they do not filter "for" you at all.  I get messages every single day from customers who say they did not get their receipt (although some are a farce as we also send it via SMS when they provide it).  There are still a few providers who use the block everything, unless the sender fills out a form.  The absolute worst are the "cloud" filters, as they will often not even allow you to see the blocked messages (I am talking about Loyal Order of Moose, which ran into this a year or two ago, and could not get anything from me, even though I never send spam, and I do not send from shared IP addresses.)

Link to comment
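What reading in plain text mode avoids can be shown by pulling the text/plain part out of a message and listing, without rendering anything, the links and tiny remote images in its HTML part. This is an added example, not part of any post in this thread; the sample message and the tracker.example and sender.example names are constructed, and the width/height test is a heuristic that does not catch images sized by CSS.

```python
from email import message_from_string
from email.message import EmailMessage
from email.policy import default
from html.parser import HTMLParser

class RemoteContentFinder(HTMLParser):
    """Collect clickable links and tiny remote images from an HTML body."""
    def __init__(self):
        super().__init__()
        self.links, self.pixels = [], []

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        if tag == "a" and a.get("href"):
            self.links.append(a["href"])
        elif tag == "img":
            src = a.get("src") or ""
            remote = src.lower().startswith(("http://", "https://"))
            tiny = a.get("width") in ("0", "1") and a.get("height") in ("0", "1")
            if remote and tiny:
                self.pixels.append(src)

def plain_text_view(raw_message):
    """Return (plain text, links, tracking pixels) without rendering HTML."""
    msg = message_from_string(raw_message, policy=default)
    plain = msg.get_body(preferencelist=("plain",))
    html = msg.get_body(preferencelist=("html",))
    finder = RemoteContentFinder()
    if html is not None:
        finder.feed(html.get_content())
    text = plain.get_content() if plain is not None else ""
    return text, finder.links, finder.pixels

def build_sample():
    """Constructed sample: a two-part message with a link and a 1x1 image."""
    msg = EmailMessage()
    msg["From"] = "Pat Doe <pat.doe@sender.example>"
    msg["Subject"] = "Are you taking new clients?"
    msg.set_content("Are you taking new clients this season?")
    msg.add_alternative(
        '<p>Are you taking new clients? <a href="https://tracker.example/click?id=123">'
        'View documents</a></p>'
        '<img src="https://tracker.example/open.gif?id=123" width="1" height="1">',
        subtype="html",
    )
    return msg.as_string()

if __name__ == "__main__":
    print(plain_text_view(build_sample()))
```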

I always find offering last year's returns is the first giveaway; actual potential clients never mention that in a first email. Also, the scammers frequently pretend to be some big corporate CEOs, 'cause yeah, that's who'd be contacting us. 🙄
Today in addition to the 2-3 like that, I got one telling me "Thomas" shared tax files with me via Dropbox.  But it didn't come from Dropbox, which I'm guessing a legit notification would.  Don't know, I don't use Dropbox.  Guess "Thomas" is just out of luck.

  • Like 3
  • Haha 1
Link to comment

What I don't understand is a couple emails I've received with no attachments or links.  The emails tend to ask if I'm taking new clients and make one or two bland statements about their tax situation.  The email address usually seems off, e.g. the last one was @automaticmailnotification.com.  I reply and the email bounces back as undeliverable.  What can be the possible scam?

Link to comment

To see if the address they sent to is real (no bounce) and most importantly, to troll for a reply/unsubscribe. The reply gives certain information to identify you, which is gold/platinum for hackers.

For instance, if you reply from a cell, and are not properly masking certain things, the recipient of your message/reply can geolocate you fairly well, and in some cases, within a few meters. If you reply from your desk, the same place you have data someone might want to get at, unless you do certain things, you can certainly be geolocated reasonably accurately, and more importantly, the route to your computer is decipherable.

I will not go deeper here, but this is stuff any script kiddie knows or can look up, let alone the "professional" hacker entities.

Like the security company who posts their head's SSN as proof of their protection, with proper security, it is not a big deal if someone knows your IP. BTW, long gone are the days when an ISP would actually change your IP often. It is easier for them, less support and all, to essentially give you a static IP, which only changes on certain rare events.

Even the bounce you received is likely a fake, as they don't want you to know they "got" you until they see what they can sell the information for, or until they get what they can.

  • Like 5
Link to comment

There is no unsubscribe option or any links in the original email. The bounce back comes from googlemail.com as I'm using a Gmail address. It looks similar to other undeliverable mail messages from Google and identical to other "Address not found" bounce backs from Google. It appears my reply never lands anywhere outside of the Google system.

from:Mail Delivery Subsystem <[email protected]>
to:[email protected]
date:Jan 30, 2024, 6:48 PM
subject:Delivery Status Notification (Failure)
mailed-by:mail-sor-f69.google.com
signed-by:googlemail.com

 

Link to comment

My son, who works in IT security, once told me, "Mom, if you knew what I know about the internet, you'd never use it."  Scary that he's probably right.  Never, ever respond to those emails from people supposedly looking for a new tax pro.  Of the tens of thousands of tax preparers in this nation, they just randomly picked you?

  • Like 4
Link to comment
