15
Apr

The IRS is warning people about the “largest ever” phone fraud scam targeting taxpayers. In the interest of learning more about this phone-based threat, Pindrop has investigated the attacks and, among other things, we have successfully posed as a victim and recorded the call. What follows is the complete audio and transcript of the interaction, and our analysis of some of the tactics that these fraudsters are employing. Note that in the audio files, we have distorted the voice of the victim (a Pindrop employee) to protect their identity.

Findings

  • Attackers are using magicJack VoIP phone numbers for consumers to “call back” as part of this attack. There is no reason to believe magicJack is in any way complicit with these attacks.
  • The attackers appear to be operating out of India and are seeking approximately $5,000 per successful attack.
  • The attackers are asking consumers to use GreenDot MoneyPak service to wire money to a Paypal account.
  • As compared to previous attacks involving impersonation of the IRS, this attack involves much higher volumes, with complaints in excess of 10 times higher than previously seen. We estimate the number of attack calls has already likely exceeded 450,000 in March.

Listen to the complete call.

Read the transcript.

Setup

The fraudsters use classic call scam techniques: they use a spoofed Caller ID that looks legitimate; they use urgency and threats to keep the caller on the line and force them to act quickly; they leave behind different numbers for “call backs” and they only use these numbers for a limited time.

True to form, the IRS fraudsters made the incoming number appear to be legitimate. Occasionally, they spoof the telephone assistance service number of the IRS, 1-800-829-1040. More frequently, they call from numbers from the same area as the victim, in order to entice the victim to pick up the phone thinking that the call is from someone they know. As heard in the audio, they try hard to keep the victim on the call. And they leave behind a phone number where they can be reached, known as a “call back” number. Typically, a fraudster buys a large block of numbers from a VoIP provider to serve as these “call back” numbers.

The fraudsters are constantly decommissioning these “call back” numbers. From time to time we also see them call from these numbers directly. In order to engage with them we first needed to identify what set of numbers are being used for this purpose and find one that was not yet decommissioned.

Tracking the Attackers

Pindrop maintains the Pindrop Reputation database, the world’s largest collection of phone number data and activity. To identify the phone numbers being used we mined our phone reputation service for IRS related activity. Among the numbers used, the majority was from the magicJack service, an inexpensive, online VoIP service. The most complained about magicJack numbers were non-toll-free numbers, for example: 202-506-9XXX. The line graph shows the number of magicJack numbers associated with IRS scams over time (the IRS is a consistent target of scams).  The data clearly shows that the number of phone numbers has gone up significantly this year. Through March, we have observed 523 numbers perpetrating this scam. The total number for all of 2012 was 780.  This supports the IRS’ claim that this is the  “largest ever” phone fraud scam.

IRS Phone Scam: Number of magicJack Numbers per Month

The number of complaints associated with these numbers has gone up even more drastically this year. Complaints are in excess of 2400 calls this year to date – all of last year the number of complaints we observed was 1047.

IRS Phone Scam: Complaints per Month

The number of phone numbers and complaints are good indicators that the number of victims being targeted has dramatically increased. In order to roughly estimate how many calls are being made, we can make the assumption that a call takes 5 minutes, which includes leaving voice mails and live conversations. That adds up to 12 calls an hour. We assume an 8 hour work day for each caller and that each caller is using one of the numbers. Therefore, each number could be making 96 calls a day. At 235 total numbers observed in March, the number of calls made could potentially be in excess of 450,000 in March.

Where are the attacks coming from?

We identified a smaller set of phone numbers that our systems had indicated were still active in this scam. We then looked at what time of day these numbers are most active. We used that to maximize our chances of interacting with these fraudsters. As seen in the temporal activity graph below these fraudsters work east coast hours.

IRS Phone Scam: Hours of Operation

To determine if the attackers are actually operating in the Eastern US, we analyzed the call audio with Pindrop’s phoneprinting technology, which, among other things, can determine the origin of a call based on audio artifacts. In this case, the audio analysis showed clearly and consistently that the calls are originating from outside the US and are most likely calling from India.

Using a brand-new phone, which had not been used for any other purpose, we finally called (202) 239-7034 and after a couple of attempts we were talking with the fraudsters.

Interaction

For a rare and engaging window into how phone scams work, we highly recommend listening to the audio. If you’re short on time, read the transcript. We would like to highlight a few moments that we found the most revealing about their modus operandi. Click on the player for the audio excerpt:

(0:25) – They make some basic checks to determine if the victim is someone they have interacted with previously. We suspect this is to provide the fraudster context to make the conversation real for the victim.

(1:20) – They claim to be the Federal Investigation Department, a legal department working for the IRS

(2:05) – They do NOT target Americans. They are primarily targeting immigrants.

(3:45) – Tries to see if a third party (accountant) files taxes. Claims mistakes in taxes.

(4:01) – Scam starts. Sees if there are any overseas transactions.

(5:32) – Claims $5,868 pending taxes. We created a fake victim and he already owes taxes.

(6:10) – Threat of Arrest Warrant issued.

(7:30) – Get supposed name from scammer “Steve Parker”.

(9:35) – They claim to not accept standard payment types (debit/credit cards), only Tax Pay Voucher from a Government Store such as Home Depot and Food Lion.

(11:50) – Ask for zip code and then get a store close to that zip code.

(13:30) – They settle for $2,400 for warrant cancellation fees when we say we only have $2,600.

(14:20) – They are trying to make the victim stay on the phone while they get the money together.

(17:20) – Transferred to the accounting department “Brian”.

(18:15) – They try to justify why money has to be wired to the restitutions Paypal account via prepaid card.

(20:12) – Their card of choice is GreenDot MoneyPak.

 

Post-Call

After this call, the scammers tried several attempts to call back throughout the night and morning.  This was not surprising to us; the scammers probably assumed that they had almost “closed the deal” on this particular victim. However, the next afternoon, our employee received a call alleging to be from GreenDot asking if he had purchased a MoneyPak card recently.  The caller stated that to use the card, activation was required and asked our employee to provide him with the number on the back to gain access to the money on the card.

This leads to some really interesting questions: Was this caller really from GreenDot? If so, how did they obtain the phone number that our employee had used, given that we had just acquired this phone and not disclosed its number anywhere? If the caller was not from GreenDot, is this just another play on part of the scammers to obtain the money on the card?

We continue to investigate this attack and monitor these attackers.

Peter Casanova, Raj Bandyopadhyay, Vijay Balasubramaniyan

11 Responses to Largest IRS Phone Scam Likely Exceeded 450,000 Potential Victims in March

  1. Angela

    They will take visa and mastercard now. I have been messing with them for days, calling them up with fake names and “paying” them with fake credit card numbers.

    I will do anything to take these idiots down! I have spoke with the IRS, FBI and TIGTA.

    (415)898-5350

  2. AM

    I also received this call. My parents had been receiving the scam call alleging that it was from the IRS for months. Most of the time the scammers would leave a voice mail and ask for a call back. Almost all of the Indian families in our area have also been getting these scam calls.

    However, the last time they called, they said they were calling from the US embassy regarding a visa issue. My mom was confused and gave me the phone. I’m aware that the IRS corresponds through the mail so I immediately knew that it was a scam and I asked which number they were calling from and asked for an employee identification number. Thereafter, I was told that I was being transferred to the legal department.

    Once connected, I was asked if i was the person that they were calling for. I answered, with “maybe.” At that point the person on the line got angry and yelled “are you playing with me” a few times. I said “yes,” and then he got silent and eerily said “oiy madhur chod,” meaning “mother fucker” in hindi and then disconnected the phone. It’s been a month and we haven’t received a call back from the scammers. Before this, we used to get a few voicemails every week or two for months. Most of the time they called really early in the morning around 5-7am.

  3. Tim

    Received a pre-recorded message twice today from 202-506-9705. This is clearly a SCAM and they claimed to be the IRS. Out of curiosity I called the number back. When I finally connected with someone, the individual had an Indian accent & indicated that I owed the IRS $1,874 (which was a lie). He clearly read from a script & spoke very quickly. He proceeded to tell me that in order to avoid legal action, I needed to go to a local grocery store (such as Kroger’s) to make a payment (and they only take cash). However, I needed to provide him my cell phone number & I had to stay on the line with him to complete the transaction. When I indicated that I had never heard of such an arrangement with the IRS, I asked to speak w/ his manager. Another man with an Indian accent answered and when I indicated that I had never heard of such an arrangement with the IRS, he hung up the phone.

  4. Cathy

    I have received a phone call this morning 202-506-9705 stating the call came from IRS, lol could not owe the IRS any money for I don’t have enough for myself much less the IRS, well anyway it was a voice tape stating that I call them back and very threathing that I owe the IRS and needed to get back in touch with them and so I did and also received another voice with a recorded message, and so I left my message unkindly stated and have reported this to the BBB/POLICE AND FBI due to it was very threathing to me …thank you for posting this and letting me know who this SCAM is coming from for I have the Reverse Number look up and it is not Washington you are correct overseas somewhere???but I do hope we catch them before they get away…thank you once again

  5. Janice Fisher

    I received a call saying I had to go to a Rite Aid at 282 8th Ave and get a green Dot vouch Pak The number that called me was 573-693-2884 I almost went to get the couchers and then I realized this was not the way our goverment does business. When I told the person my phone was running out of battery He told me if I my phone hung up he was sending the Federal Marshall to my place of employment to arrest. I then realized this had to be a scam and look it up on the internet (google) and read about the scams

  6. cheryl

    Received a call this morning, threating me, telling me I was in a lot of trouble with IRS, transfers me to some other bad speaking english person, says hes Officer Steven Clark, badge # 10470 his call back # 202-239-7184. I called my sheriffs dept and they said they are scammers, do not give any info….its a shame.

Leave a Reply

Your email address will not be published. Required fields are marked *

You may use these HTML tags and attributes: <a href="" title=""> <abbr title=""> <acronym title=""> <b> <blockquote cite=""> <cite> <code> <del datetime=""> <em> <i> <q cite=""> <strike> <strong>