The bad guys are in full force this tax season. With so many people doing their taxes online this year, the phishing community is out to snag as many victims as possible.

Even if you don't do your taxes online, the phishers still trick lots of people into entering sensitive tax information that can lead to theft, ransomeware hijacks, identity theft, or worse.

What Is Phishing?

"Phishing" is when you get an email that looks legitimate, but asks you to click a link and enter sensitive information that the bad guys can use to steal information from you.

Typical phishing scams say something like, "Your bank account may have been compromised. Click here to verify your account, etc." The link will then take you to a page that looks exactly like your bank's website, but isn't. Many people are lured into entering their bank login information, and that's when the bad guys have you.

Have a look at this email:

Looks official, right? It's not.

Clicking that link would take you to a site that looks just like the real Bank of America site and ask you for your login. Now the bad guys have full access to your bank account.

During tax season, the range of phishing possibilities are even more vast than this, making it even harder for the average person to detect what's real and what isn't.

Here's a tricky one the folks at TurboTax are warning their customers about:

Can you spot the fake one?

It's the first one. Don't worry, I couldn't either. And that's the point. Despite your best efforts, you still might be a target of phishing attacks this tax season.

How To Protect Yourself

Here are some good tips to avoid phishing scams:

• Don't open any emails, or click on any links, from an email address you don't know.
  
  
• If you get a message that looks official from your bank, don't click on the links within the email. Instead, go to your browser and login to your bank account the way you normally would. If your bank actually has something urgent for you to attend to, then there will be a notification waiting for you in your real bank account.
  • Still not sure? You can always call up your bank and ask them if they sent you an email.
    
    
• If you've filed your taxes online, or used any kind of tax preparation software, and you get asked for any kind of "password recovery" or something along those lines, go and login to your tax account the way you normally would and check if things are OK. 
  • The most obvious thing to ask yourself is, "Did I request this information?" You probably didn't, so don't risk clicking it.
    
    
• Same goes for anything "official" from he IRS. If the IRS really needs to contact you, they generally do it the old-fashioned way: with paper mail. So, if you get an email from the IRS, make sure it has some kind of information identifying you first. Plus, you can always call them to make sure they really need something from you. Chances are, if they do, they've already sent you something in the mail.
  
  
• If you do accidentally click, all is not lost. At this point, you need to stop and pay close attention to the URL in your browser. The URL should be from whichever company/agency is trying to contact you.
  
  
  • Let's examine a few examples: www.password-reset.irs.gov.rq345.com/IRS-Tax. It almost looks legitimate, doesn't it? How do we know it's not really from the the IRS? An IRS URL looks like this: https://www.irs.gov/uac/IRS-Tax-Tips. "irs.gov" is the last part of the URL before a "/". In the fake example above, the URL ends in "irs.gov.rq345.com" before the "/". "rq345.com" is not the IRS website.
    
    
  • How about this one: https://myturbotax.axklomix.com/. I've never heard of "axklomix.com" have you? Here's what a real TurboTax URL looks like: https://myturbotax.intuit.com/. "intuit.com" are the people that make TurboTax, so that's where you would access TurboTax if that's how you're filing your taxes.
    
    
• Your final line of defense comes in only one form: antiphishing protection. Antiphishing protection is built-in to some antivirus programs and most Internet Security suites. It works like this: if you do accidentally click a phishing link from your email, your antivirus software should kick in, identify the phishing link, then block you from viewing the site (to prevent you from accidentally giving them any sensitive information).

During our rounds of testing, the top three Internet Security suites that scored a perfect 100% in blocking every phishing site we threw at them where:

VIPRE Internet Security 2016

We particularly like that VIPRE completely blocks the site keeping you away from danger.

ESET Smart Security 9

While ESET scored a perfect 100% in our tests as well, we'd like to see them remove the "Ignore Threat" option to prevent accidental damage.

BitDefender Internet Security 2016

BitDefender scored a perfect 100% as well, but again, we'd like to see them completely block the page with no option to continue.

All other brands we tested scored 90% or below.

In the end, being diligent and alert when it comes to phishing attempts is your best line of defense. But despite your best diligence, there's always going to be that one that slips past you. That's when you need to make sure you've got the best Internet Security protection available with the best anti-phishing protection built-in.

Here are our top three recommendations for excellent protection against tax-season phishing this year:

VIPRE Internet Security 2016

ESET Smart Security 9

BitDefender Internet Security 2016

Even if you already have antivirus or Internet Security software installed, it might be time to make a change now. A few dollars spent could save you hundreds or even thousands from an accidental phishing click later on.

 *https://www.irs.gov/uac/Tax-Scams-Consumer-Alerts

Alexandra from Delaware called in asking, "I heard something on the radio about new threats from online 'spearphishing' attacks, and I'm looking for antivirus software that protects against them.

"What software does that?"

It's no surprise that people are starting to hear stories like the one Alexandra heard because even the FBI has been writing about spear phishing for some time now.

Since there are a couple of questions here, let's take 'em one at a time.

What's a "phishing" attack?

Before we look at spear phishing, let's look at garden variety phishing attacks.

Phishing attacks come typically (though not always) as email. In some, though not all cases, they're flagged as spam.

Regardless of whether or not they're flagged as spam, the goal of the email is for the scammers to trick you.

They want you to reveal your bank, credit card, social security, or other personal info so they can steal your cash or your identity.

Now, what's a spear phishing attack?

Thus far spear phishing mainly happens to people at their workplace. A devious criminal gets ahold of YOUR specific information or your company's.

Often, they'll take their time carefully learning about your company, the employees, who's who in it and such so they can craft a perfect email.

Who's the CFO or comptroller? Who's the CEO? Who's the Chief Marketing Officer? And so on.

Then they forge an email from one person with authority to another. Usually there's nothing outwardly fishy about it.

Sometimes, if you're observant, one little thing will fail to pass muster.

For instance, Joe in accounts payable gets a forged spear-phished email that's supposedly from the CFO saying,

What the spear-phisher does is a couple of things:

1. They give urgency. "They won't start work until..."
2. Mary probably isn't even leaving early, but by telling Jane she is leaving early, it makes it so Joe isn't supposed to contact Mary with questions.

Instead, Joe is instructed BY the spear phisher to contact the spear phisher(!) with questions.

In some cases, Internet security software can help prevent these attacks. These are rare and only happen if the phisher has sent Joe a link to a bogus bank or other website.

So, in most cases, your antivirus software can't protect you.

What can? Knowledge.

In most cases, the only way to prevent these attacks is *thinking* about things and questioning the validity of the content of emails.

Here's a (very) quick how-to:

STEP 1:

Does everything look legit in the email? Sometimes a spear phisher will fail because of tiny, tiny details like how Mary signs her name. Maybe she usually signs emails as --M. Maybe she always includes a certain signature file.

If one comes in now signed "Mary," or with no sig file, you need to start questioning more deeply.

STEP 2:

Check the email "from" and "reply-to" addresses. Are they legit?

STEP 3:

Even if Mary *is* leaving early, surely anyone sane wouldn't mind getting a call from Joe to confirm an outgoing wire for $74K. If Mary gets upset, she has no business being CFO.

BONUS STEP 1:

Put in place an set-in-stone absolutely iron-clad system for outgoing expenditures.

In one firm where I was CTO, requests for wires HAD to be done IN person ON paper and had to be signed by two people, the requestor and a C-level executive, typically that person's boss. Wires were sent twice weekly, no exceptions.

Yes, this created (rare) problems, but they were far smaller than the problems created having money stolen.

Doing it this way meant: we had a process. We had a clear chain of responsibility. And, we were never, ever victims.

BONUS STEP 2:

Setup and enforce the use of digital signatures, like those from OpenPGP or GnuPG. It will take work to setup an email signature system like one of these. It will. Aside from the work involved in initial setup, they're not a silver bullet. Incredibly helpful, yes. A silver bullet no.

Even still, they help, and no matter what it's still less work—and less expensive—than trying to recover lost funds, which seldom works.

By a bit of serendipity, Josh and I each got phishing attempts in the past few days.

Granted, we get a lot of phishing and malware emails. After all, we have secret email addresses we use to intentionally collect malware and phishing attempts the bad guys are sending.

It lets us see what the latest attacks are and lets us accurately test the antivirus software against the latest threats.

What made these particular phishing attacks different was they happened by phone.

Since it was, I got to have a bit of fun with the phisher.

And, even though you might get a good laugh, hopefully, it'll help you to remember to be as wary of phone calls as you are now of clicking links in emails.

Here's what happened...

I answered the phone at my office as I usually do, "Hello, this is Kevin."

"Hi, Kevin. This is 'Ron' I'm with the Wells Fargo fraud team. We've detected unusual activity on your account.

"Have you travelled to London recently?"

Since I don't have a Wells Fargo account, the gig was up right there for him, but I decided to have a little fun.

"Oh, gosh, I'd love to go to London!" I said.

Thrown by my reply, the best he could muster was, "Yessir. And have you been there in the past two weeks?"

Fish & Chips (with a Texas Accent)

At this point, I decided to give him the best Texas accent I could muster.

"Well, let's see. I guess you might say. I have done a fair bit of travelin'. First I was—sorry, we were—in Leicester. Had a wonderful fish-and-chips at a pub richt thar.

"My wife, girlfriend, and our thirteen kids, well technically I'm not sure if four of the rugrats are mine, but after five or

six, what's another?

"Love 'em all just the same.

"So we were in Leicester, the wife, girlfriend, kids and me, when one of the kids decides to wander out of the pub. Shooooot, it musta been two in the mornin'.

"Don't know what the little bugger was thinking, so he wanders out into the street. No idea how long he was gone.

"I guess the coppers must've scared him because he wandered back in. Knees looked a bit skinned, but the girlfriend tended him, so it was no concern of mine.

"After Leicester, we made our way to Brisbane for the night. Wonderful city."

"Pert near a fortnight there and we were off to Timbuktu, which if you've never been, is a real city. Sure as shootin.'

"Good luck trading your money there though, let me tell you."

How 'bout an American Express?

"So glad I had my American Express card. Don't leave home without it, I always say. So you're with American Express you say?"

"Uh. Yessir. I am. Your travel to, uh, these places. It. Uh. It has set off fraud warnings in our system."

"I need to confirm your card is in your possession. Do you have it?"

"Oh sure. Let me dig around for it. One of the kids must've just used it for some Minecraft thing or another."

At this point I put the phone down, found some sounds online of kids playing and put the phone next to the speakers, while pretending to rustle papers around.

Those Doggone Kids

Every couple of minutes, I'd shout some obscenities with a random kids name.

Every few minutes I'd go back to the phone, apologize, and tell him to hold on just another minute.

I could tell from the exasperation in his voice, my gig was almost up, but I wasn't done with him yet.

Time for a Boston Accent & a Discover Card

Switching now to a Boston accent, I went on,

"Gosh, I'm sorry. The wife and girlfriend left a while ago for some a little shaawpping. They took one of the Ferraris and left me with awl these kids.

"I just don't know where my Discover khad is."

"Oh, that's no problem. We'll just look it up with your social security number."

Darn... Maxed out the Social Security Card, too??

"My social security number? Oh, heck, I stopped using that credit caaad years ago! Maxed that thing right out. Can we use something else?"

"Sir, your social security number isn't a credit card."

"Oh right. That thing. Haven't used it in years either. I don't think I can find it."

"You don't know your social security number??"

"Well, not since little Frankie ran over the neighbah's pet alligata back in '86. Had to get the heck out of Dawdle afta that. Moved to Canada for a couple a years.

"Let me tell you, getting fifteen kids, the wife, the girlfriend, AND the Ferraris across the border took some doing.

"Oh wait, we had the Porsches then. Air-cooled engines. Great sound.

"So, no, I guess I don't really know my social security number anymore. Isn't there anything else??"

At this point, 'Ron' was nearly in tears. It was bliss.

"Well, we could use your checking account, full name, and address. The one you use to make payments with."

"Oh, right, sure thing. Easy. Peasy."

Those Pesky Kids Are Back / The Surfer - Valley Girl Arrives...

At this point, I repeated the kids shouting / playing sounds routine and pretended to rustle through belongings and occasionally shouted random kids names again.

Upon returning, I'd gone part California surfer, part Valley Girl.

"Like. I can't find the doggone check book either. Don't that like just take the cake, dude.

"I bet those two are really going to do some damage. Last time they went out together with the Visa and my checkbook, they said they were just going for a manicure but came home with a new Ferrari.

"Love those two.

" Heck, with all the kids' puke stains on the back seat, I guess it was time, man. Thing probably had 4,000 miles on it anyway.

"You know, now that I think about it, OMG! I'm not sure if they even got manicures that day."

"Well, let's confirm the account details we do have here on file, and I can call later to get the rest of the information."

"Oh. Right. Sure."

"...your full name as it appears on your account, sir?"

"Kevin Hfuhruhurr Armani Dior Steve Stifler de la Cruz IV."

Hfuhruhurr can be a real bugger to spell apparently.

Exasperation level: 10/10.

"Street address"

"Well, we don't really have a 'permanent address', air quotes!! ...you might say...Not with like the, you know, like, alligator incident in '91 and all."

Are You Telling Me the Truth?

"Sir. Are you telling me the truth? Or are you just making things up now?" he pleaded.

"I'm telling as much truth as you are."

"OK, I guess the gig is up for both of us."

"What's a 'gig', sir?"

"In this case, it means 'scam." I said. "Let's drop the bullshit. You called me trying to steal from me. You're not my bank. You're a scammer. Where are you, someplace in India?"

The Long Silence: Part I

After considering his options, 'Ron' decided to come clean.

"Yes. I'm in India."

I pressed on, "And this call, it's a total scam, isn't it?"

"Well. I wouldn't call it that."

"Oh, right. You're from my bank. Wells Fargo, you said. Here's the funny thing: I don't even have an account there."

'Ron' went on to confess he'd been doing it for about three months, and that the money wasn't great, but it was enough to feed his family.

I asked him how he'd feel if someone stole money from his family, and they couldn't eat.

"I never thought of it that way..." he began, "The banks pay everyone back. No one gets hurt."

"Hate to burst your bubble, 'Ron,' but that's not how it works. When you take money from someone's bank account, it's a looooong process for the victim. It takes weeks to even try to get the money back.

Sometimes, the banks say, "No," and the victim loses the money.

"There's really no difference between what you're doing and a mugger on the street: YOU are a thief telling money from people."

The Long Silence: Part II

After another long silence, I added, "You can try to justify it to yourself anyway you want, but you're a thief, 'Ron,' plain and simple. Does your wife even know what you're doing."

"No. She thinks I'm in tech support."

"Huh. That makes you a thief and a liar. A liar to your own wife. If you're earning enough to make a living stealing from people, you must be pretty convincing. You must be a pretty good salesman."

"I guess I am?" he said, almost asking me if I thought he was.

The Long Silence: Part III

"I guess... I just... I don't know..." he whispered, "I don't know what to do, sir."

"Maybe you should quit this shit, stop stealing from people, and go get an honest job, perhaps in sales." I offered, "Then whether or not you come clean to your wife is up to you, but at least come clean with yourself. Get out of there, brother."

"Thank you for your time, sir."

The Takeaway

The scams are out there. They take many forms.

Sometimes phishing scams come by email; sometimes they come by fax; sometimes they come by phone or even text message.

Even if it's a phone call, fax, or text, there's no reason to trust it. Call 'em back.

And, if you think you can trust your Caller ID: don't. It's a fools errand.

"Spoofing" Caller ID so that it looks like the call is coming from a different number is trivial. Typically, scammers like 'Ron' really just need a T1 phone line.

After that, they can make the caller ID say anything they want.

In fact, in a lot of ways it's actually easier to fake a phone number than it is to setup a whole fake website to do phishing.

On top of that, nearly all email providers are actively working to thwart the bad guys and prevent their emails from getting through. When was the last time your phone company even lifted a finger to prevent a fake or harassing phone call from getting through?

Add to that, the challenge of getting by the anti-phishing filters built into most Internet Security Suites, and setting up a T1 line is downright easy.

Consider this, too: if you get a call from your bank, and there's a legitimate issue, they'll understand your concern for security, and your wish to call them back.

On the other hand, if the caller gets agitated at this suggestion, it's all the more reason to be suspicious.

UPDATE: Looks like I'm not the only one getting these emails!

Dancho Danchev with Webroot also has a great blog post on these email. His is called, Spamvertised 'US Airways' themed emails serving client side exploits and malware

One bit of good news/bad news on them: we can be even more certain that the domain owner shown in my post is an innocent victim, too, as Dancho's blog shows many other URLs being used for serving the malware. In fact, his blog post doesn't even mention the domain name that was in the email I received.

---

Sometimes, you really just have to laugh.

I got a phishing spam today. Really, you might even call it a spear-phishing spam, given that it had my name and email address correct.

It was an email that looked every bit like a legitimate Check-in Confirmation email from US Airways. The problem: I'm not traveling anytime soon, so I know it's a fake.

Here's what it looked like:



Examining the link shows it was destined to go to an Indian website (.in) that's registered with the following info:


Whether or not the registrant name is legit is anyone's guess, but it's hosted at this IP 184.168.172.1 by GoDaddy.

It's exceedingly rare that anyone uses their real info to host a phishing site--much less one hosted with a legitimate company like GoDaddy, so the domain has probably been compromised. Either that or the registrant name is completely falsified.

The bottom line: don't click on links in emails, even if you think they're legit and from someone you know.

Instead, by doing a "Right Click," you can copy the link out of the email and paste it into Notepad. From there, it doesn't take a rocket scientist to see this link is going to an Indian website (.in) and not to US Airways.

For a quick-and-dirty email, one has to wonder what kind of success rate they're having with this particular email. After all, it is a relatively clever bit of social engineering, some people will, no doubt, fall for.

Even still, if you do get sucked into clicking a link like the one in this phishing email (or click it accidentally), this is where good antivirus software can make all the difference.

Here's what happens when you click this particular link, if you're running the 2012 VIPRE Internet Security Suite:



As you can see, VIPRE 2012 blocked it as a trojan, so there should be little doubt in your mind now that between

1. the "US Airways" link mysteriously going to a .in website...
2. it being registered to an "ian jamieson..."
3. and VIPRE ISS blocking the first thing on the site as a trojan

This is a malicious website and a phising/spear-phishing attack.

Now, it's time to contact GoDaddy to get the site yanked before more people get infected.

Oh, and in case you're wondering here are the threat details from VIPRE: