PI ONLINE:
9-28-07

Who's Sending E-Mail?

A two-for-one column this time, with both topics involving Internal Revenue Service communications.

Most people are familiar by now with phishing e-mails. These are the bogus ones you receive, claiming to be a security notice from a bank, or a receipt from Paypal for a nonexistent transaction coming out of your account, or something else designed to make you want to quickly click on a link and provide information.

They may try to motivate you with fear (“OMG, I’m getting ripped off!”) or helpfulness (“Oh, I got someone else’s important e-mail.”) or greed (“Wow, I have money coming!”). Getting you to act quickly and without thinking is the key.

Some phishers are now hiding behind officialdom, sending out fake notices from the IRS. These generally use the same type of wording as the fake bank e-mails, but are superficially more credible. Somebody sending an e-mail out purporting to be from Fifth Third Bank or Sun West Credit Union is using a shotgun: who knows if the target happens to be a customer of that bank? But pretty much anyone in America is a “customer” of the IRS.

And so it came to pass that a client of mine, normally level-headed and clear-minded about this stuff, almost bought into one of these. It was a beauty. Looked right, good spelling. Small refund ($93.60) since a big one might raise a question of “what did I screw up?”

But I have her well-trained as a client: any communication from the IRS comes to me before she replies.

Test Results

Careful examination reveals a few clues that it is bogus. The fraudster probably thought it was a nice touch of authenticity that it had a copyright notice for the Internal Revenue Service at the bottom. Those of us who work in the field know, however, that U.S. government documents are never copyrighted. (Inappropriately treated as classified, perhaps, but not copyrighted.)

Another clue was the odd phrase, “after the last annual calculations of your fiscal activity....” That particular use of “fiscal” would be favoured in Britain or Canada, but is rare in American speech.

And the clincher, of course, comes when you put your mouse cursor over the link they want you to click on. Your e-mail software will show you what you’re clicking to: in this case, a long string starting with a domain of www.adsuch.it. No U.S. government agency would use an Italian Web site.

Let me make this clear, so that no doubt remains:

The Internal Revenue Service does not communicate with taxpayers by e-mail. Period.

The first contact from the Internal Revenue Service to a taxpayer will almost always be by mail. That letter will have a “respond to” address or a telephone number to call that is easily verified on the IRS’s real Web site, or by phoning the IRS number published in a phone directory.

Only in rare—nay, exotic—circumstances do they make their first taxpayer contact by phone.

Scarcer still are the cases where IRS personnel just show up; those are mostly criminal investigations.

A Different Kind of Test

Among the reasons the IRS keeps itself sealed off from external e-mails is fear of being hacked. Their database would be the mother lode for any gang of identity thieves. So far, they have been successful.

When electronic means do not work, hackers turn to social engineering. They call someone at a company, claiming to be from inside the company (perhaps the IT department, trying to fix a network problem) and try to obtain user names and passwords or other sensitive information. Most larger companies have awareness training programs, and established procedures for reporting attempts at social engineering.

So what happens when you try social engineering on IRS employees?

The Treasury Inspector General for Tax Administration conducted a study last spring to find out, and the results were disheartening. They called 102 employees, claiming to be from the Modernization and Information Technology Services Help Desk. Investigators were able to convince 61 of those employees to provide their user names and change their passwords.

That’s appalling. So were some of the excuses offered when the employees were later asked why they had complied with the request. Eight admitted to knowing it was against the rules but changed their passwords anyway. Seven did not understand that changing their passwords to ones suggested by the caller was the same as disclosing them. I don’t know which is worse. (Eleven were smart enough to keep their heads down and just not answer the follow-up question.)

If You’re Small, Let Us Know

If you’ve ever been involved with filing the annual tax return for a non-profit organization, you may have noticed the line which says an organization is not required to file if “...its [annual] gross receipts are normally not more than $25,000.”

That’s a mighty odd word to use, “normally,” because it is so vague. How do you know when a small entity has crossed that threshold? I would have expected something more like, “exceeded $25,000 for the last three years.” But I wasn’t asked.

A recent law now requires these very small organizations to regularly check in with the IRS, by electronically filing a “postcard” return each year. The information to be provided is quite minimal—updated contact information and verification that the annual gross receipts are still normally $25,000 or less. Fail to file for three years, and the organization’s tax-exempt status is revoked.

I have not looked at the legislative history, but I suspect this was passed to address the unintended results of the $25,000 rule. The IRS does not know how many nonprofits are supposed to be filing tax returns each year. They have no idea how many organizations are ignoring them, so they don’t know which ones to chase. And their directory of tax-exempt entities almost certainly lists many that no longer exist.

Then again, the voices in some Senator’s head may have whispered that Osama bin Laden has 10,000 sleeper organizations, each fetching $20,000 a year. You never know.

Are there money or tax questions you would like to see discussed in this column? Let me know, at 2835 N. Sheffield, Suite 311, Chicago, IL 60657, or call 773/525-1778 (888/525-1778 toll-free outside the Chicago area) or e-mail greg@gregmermel.com.

Greg Mermel is a certified public accountant whose clients in the arts range from individual performers to major theatre companies and suppliers. He has also been known to produce theatre.
