“Is this email really from the IRS?”
I get questions like this from people at my work quite often and I figured I would address and educate people about it so that you don’t fall for it.
Here is what the email looks like:
Taxpayer ID: your_name-00000660988660US
Tax Type: INCOME TAX
Issue: Unreported/Underreported Income (Fraud Application)
Please review your tax statement on Internal Revenue Service (IRS) website (click on the link below):
Internal Revenue Service
review tax statement for taxpayer id: your_name-00000660988660US
Now the first thing people probably do is get a bit scared and maybe even wonder if it’s legitimate. The first thing to do when you get emails like this is think. Is the IRS really going to email you about this? No, they are going to mail you a physical letter about it informing you that you’re probably going to get audited.
Now if that doesn’t wipe your fears we can get some solid proof right here. If you hover your mouse over that link you should see what it goes to in the bottom of your browser somewhere. I have of course removed the link and put in a phrase, but I just want people to know where to look first of all.
Next up is the anatomy of a URL. Up at the top you should be seeing http://blog.notsunil.com/. That is because I own notsunil.com and that is what matters here. Actually what really matters here is reading URLs right to left. However, all we need to focus on is in between “http://” and the first ‘/’ after that. To the left of that first ‘/’ after “http://” is “.com” and if I were a government organization, then I would have a “.gov”. Now you think you know where I’m going with this, but just wait. So no one can control the .gov or .org or .com part of their domain. That part is controlled by ICANN. What we can do is create a string of letters and numbers that may or may not form a word or phrase and put it in front of a .com and so forth. I purchased “notsunil” in the “.com” space and I can do so for others such as .biz and .net. I can’t however buy a “.gov” as that is reserved for government sites. Other countries of course have their own domain level. Japan has “.jp” so a “.com” in Japan is actually “.co.jp”, the UK has “.co.uk” and so on.
So I can’t choose anything for what comes after notsunil and before that 3rd ‘/’, but I control the notsunil.com domain which means I can make and put anything I want in front of notsunil. Such as this site which is blog.notsunil.com and my old WordPress site at tech.notsunil.com (which was originally intended for these types of articles). So knowing this I can create www.irs.gov.notsunil.com and… well okay I hope no one would be fooled by that. But here is what the scammers do. They buy a domain name that is a random string like eaedejssad.org.uk (this is almost exactly the domain used for the IRS scam I was asked about today. I just added 2 letters). Now from this we can tell that this domain is supposedly in the UK, but other than that it’s just random letters. How is this useful? Well, how about www.irs.gov.eaedejssad.org.uk? Now that just might be enough to fool people who don’t know how domain levels work. Everything before that random string, including the www, was created by them.
Here’s another trick that the information bar at the bottom of your browser is useful for. Say I put up a link or email a link to someone. I can have it say http://www.google.com/ and that looks perfectly normal, right? But hover over it and you can see that it is clearly not google.com. Sometimes it might look similar though. So maybe it would be gooogle.com and people would just glance over it. Now some blog services, such as Tumblr, actually have measures in place to prevent someone from doing this little switcheroo. It will actually replace the URL you have typed with the actual URL. As you can see, however, their measures are easily circumvented by anyone who knows even basic HTML. In fact the method I used would probably pass right by most filters designed to look for this kind of thing (those curious can view source and ctrl+f “lmgtfy” to see how I did it). And if I came up with it, you can be sure the scammers have too. The only sure way to know is to hover over the link and look down there to make sure it’s right.
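The two checks above (read the host name right to left, then compare what a link says with where it goes) can be written as a short script. This is an added example, not code from this blog; the names registrable_domain, LinkAudit and suspicious_links are made up for it, and SUFFIXES is a small constructed sample standing in for the full Public Suffix List.

```python
from html.parser import HTMLParser
from urllib.parse import urlsplit

# Constructed subset of public suffixes; a real check should load the full
# Public Suffix List (publicsuffix.org) instead of this short sample.
SUFFIXES = {"com", "org", "net", "gov", "biz", "uk", "jp", "co.uk", "org.uk", "co.jp"}

def registrable_domain(url):
    """Return the label someone registered plus the public suffix it sits under."""
    host = (urlsplit(url if "//" in url else "//" + url).hostname or "").rstrip(".")
    labels = host.split(".")
    # Find the longest known suffix at the right-hand end, then keep one more label.
    for i in range(len(labels)):
        if ".".join(labels[i:]) in SUFFIXES:
            return ".".join(labels[max(i - 1, 0):])
    return host

class LinkAudit(HTMLParser):
    """Collect (visible text, href) for every <a> tag, joining text across nested tags."""
    def __init__(self):
        super().__init__()
        self.links, self._href, self._text = [], None, []
    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href, self._text = dict(attrs).get("href"), []
    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)
    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append(("".join(self._text).strip(), self._href))
            self._href = None

def suspicious_links(html):
    """Return (text, real domain) for links whose text names a different domain."""
    parser = LinkAudit()
    parser.feed(html)
    flagged = []
    for text, href in parser.links:
        shown = text.split()[0] if text else ""
        if "." in shown and registrable_domain(shown) != registrable_domain(href):
            flagged.append((text, registrable_domain(href)))
    return flagged

# Constructed sample: one link whose text and target disagree, one honest link.
SAMPLE = ('<a href="http://www.irs.gov.eaedejssad.org.uk/">http://www.irs.gov/</a>'
          '<a href="http://blog.notsunil.com/">blog.notsunil.com</a>')
print(suspicious_links(SAMPLE))
```

Only the first link is reported, because its text names irs.gov while the href resolves to eaedejssad.org.uk.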
Well I hope this has armed some of you with the knowledge to protect yourself. And when in doubt… http://lmgtfy.com/