15
Apr

The IRS is warning people about the “largest ever” phone fraud scam targeting taxpayers. In the interest of learning more about this phone-based threat, Pindrop has investigated the attacks and, among other things, we have successfully posed as a victim and recorded the call. What follows is the complete audio and transcript of the interaction, and our analysis of some of the tactics that these fraudsters are employing. Note that in the audio files, we have distorted the voice of the victim (a Pindrop employee) to protect their identity.

Findings

  • Attackers are using magicJack VoIP phone numbers for consumers to “call back” as part of this attack. There is no reason to believe magicJack is in any way complicit with these attacks.
  • The attackers appear to be operating out of India and are seeking approximately $5,000 per successful attack.
  • The attackers are asking consumers to use GreenDot MoneyPak service to wire money to a Paypal account.
  • As compared to previous attacks involving impersonation of the IRS, this attack involves much higher volumes, with complaints in excess of 10 times higher than previously seen. We estimate the number of attack calls has already likely exceeded 450,000 in March.

Listen to the complete call.

Read the transcript.

Setup

The fraudsters use classic call scam techniques: they use a spoofed Caller ID that looks legitimate; they use urgency and threats to keep the caller on the line and force them to act quickly; they leave behind different numbers for “call backs” and they only use these numbers for a limited time.

True to form, the IRS fraudsters made the incoming number appear to be legitimate. Occasionally, they spoof the telephone assistance service number of the IRS, 1-800-829-1040. More frequently, they call from numbers from the same area as the victim, in order to entice the victim to pick up the phone thinking that the call is from someone they know. As heard in the audio, they try hard to keep the victim on the call. And they leave behind a phone number where they can be reached, known as a “call back” number. Typically, a fraudster buys a large block of numbers from a VoIP provider to serve as these “call back” numbers.

The fraudsters are constantly decommissioning these “call back” numbers. From time to time we also see them call from these numbers directly. In order to engage with them we first needed to identify what set of numbers are being used for this purpose and find one that was not yet decommissioned.

Tracking the Attackers

Pindrop maintains the Pindrop Reputation database, the world’s largest collection of phone number data and activity. To identify the phone numbers being used we mined our phone reputation service for IRS related activity. Among the numbers used, the majority was from the magicJack service, an inexpensive, online VoIP service. The most complained about magicJack numbers were non-toll-free numbers, for example: 202-506-9XXX. The line graph shows the number of magicJack numbers associated with IRS scams over time (the IRS is a consistent target of scams).  The data clearly shows that the number of phone numbers has gone up significantly this year. Through March, we have observed 523 numbers perpetrating this scam. The total number for all of 2012 was 780.  This supports the IRS’ claim that this is the  “largest ever” phone fraud scam.

IRS Phone Scam: Number of magicJack Numbers per Month

The number of complaints associated with these numbers has gone up even more drastically this year. Complaints are in excess of 2400 calls this year to date – all of last year the number of complaints we observed was 1047.

IRS Phone Scam: Complaints per Month

The number of phone numbers and complaints are good indicators that the number of victims being targeted has dramatically increased. In order to roughly estimate how many calls are being made, we can make the assumption that a call takes 5 minutes, which includes leaving voice mails and live conversations. That adds up to 12 calls an hour. We assume an 8 hour work day for each caller and that each caller is using one of the numbers. Therefore, each number could be making 96 calls a day. At 235 total numbers observed in March, the number of calls made could potentially be in excess of 450,000 in March.

Where are the attacks coming from?

We identified a smaller set of phone numbers that our systems had indicated were still active in this scam. We then looked at what time of day these numbers are most active. We used that to maximize our chances of interacting with these fraudsters. As seen in the temporal activity graph below these fraudsters work east coast hours.

IRS Phone Scam: Hours of Operation

To determine if the attackers are actually operating in the Eastern US, we analyzed the call audio with Pindrop’s phoneprinting technology, which, among other things, can determine the origin of a call based on audio artifacts. In this case, the audio analysis showed clearly and consistently that the calls are originating from outside the US and are most likely calling from India.

Using a brand-new phone, which had not been used for any other purpose, we finally called (202) 239-7034 and after a couple of attempts we were talking with the fraudsters.

Interaction

For a rare and engaging window into how phone scams work, we highly recommend listening to the audio. If you’re short on time, read the transcript. We would like to highlight a few moments that we found the most revealing about their modus operandi. Click on the player for the audio excerpt:

(0:25) – They make some basic checks to determine if the victim is someone they have interacted with previously. We suspect this is to provide the fraudster context to make the conversation real for the victim.

(1:20) – They claim to be the Federal Investigation Department, a legal department working for the IRS

(2:05) – They do NOT target Americans. They are primarily targeting immigrants.

(3:45) – Tries to see if a third party (accountant) files taxes. Claims mistakes in taxes.

(4:01) – Scam starts. Sees if there are any overseas transactions.

(5:32) – Claims $5,868 pending taxes. We created a fake victim and he already owes taxes.

(6:10) – Threat of Arrest Warrant issued.

(7:30) – Get supposed name from scammer “Steve Parker”.

(9:35) – They claim to not accept standard payment types (debit/credit cards), only Tax Pay Voucher from a Government Store such as Home Depot and Food Lion.

(11:50) – Ask for zip code and then get a store close to that zip code.

(13:30) – They settle for $2,400 for warrant cancellation fees when we say we only have $2,600.

(14:20) – They are trying to make the victim stay on the phone while they get the money together.

(17:20) – Transferred to the accounting department “Brian”.

(18:15) – They try to justify why money has to be wired to the restitutions Paypal account via prepaid card.

(20:12) – Their card of choice is GreenDot MoneyPak.

 

Post-Call

After this call, the scammers tried several attempts to call back throughout the night and morning.  This was not surprising to us; the scammers probably assumed that they had almost “closed the deal” on this particular victim. However, the next afternoon, our employee received a call alleging to be from GreenDot asking if he had purchased a MoneyPak card recently.  The caller stated that to use the card, activation was required and asked our employee to provide him with the number on the back to gain access to the money on the card.

This leads to some really interesting questions: Was this caller really from GreenDot? If so, how did they obtain the phone number that our employee had used, given that we had just acquired this phone and not disclosed its number anywhere? If the caller was not from GreenDot, is this just another play on part of the scammers to obtain the money on the card?

We continue to investigate this attack and monitor these attackers.

Peter Casanova, Raj Bandyopadhyay, Vijay Balasubramaniyan

19 Responses to Largest IRS Phone Scam Likely Exceeded 450,000 Potential Victims in March

  1. Angela

    They will take visa and mastercard now. I have been messing with them for days, calling them up with fake names and “paying” them with fake credit card numbers.

    I will do anything to take these idiots down! I have spoke with the IRS, FBI and TIGTA.

    (415)898-5350

  2. AM

    I also received this call. My parents had been receiving the scam call alleging that it was from the IRS for months. Most of the time the scammers would leave a voice mail and ask for a call back. Almost all of the Indian families in our area have also been getting these scam calls.

    However, the last time they called, they said they were calling from the US embassy regarding a visa issue. My mom was confused and gave me the phone. I’m aware that the IRS corresponds through the mail so I immediately knew that it was a scam and I asked which number they were calling from and asked for an employee identification number. Thereafter, I was told that I was being transferred to the legal department.

    Once connected, I was asked if i was the person that they were calling for. I answered, with “maybe.” At that point the person on the line got angry and yelled “are you playing with me” a few times. I said “yes,” and then he got silent and eerily said “oiy madhur chod,” meaning “mother fucker” in hindi and then disconnected the phone. It’s been a month and we haven’t received a call back from the scammers. Before this, we used to get a few voicemails every week or two for months. Most of the time they called really early in the morning around 5-7am.

  3. Tim

    Received a pre-recorded message twice today from 202-506-9705. This is clearly a SCAM and they claimed to be the IRS. Out of curiosity I called the number back. When I finally connected with someone, the individual had an Indian accent & indicated that I owed the IRS $1,874 (which was a lie). He clearly read from a script & spoke very quickly. He proceeded to tell me that in order to avoid legal action, I needed to go to a local grocery store (such as Kroger’s) to make a payment (and they only take cash). However, I needed to provide him my cell phone number & I had to stay on the line with him to complete the transaction. When I indicated that I had never heard of such an arrangement with the IRS, I asked to speak w/ his manager. Another man with an Indian accent answered and when I indicated that I had never heard of such an arrangement with the IRS, he hung up the phone.

  4. Cathy

    I have received a phone call this morning 202-506-9705 stating the call came from IRS, lol could not owe the IRS any money for I don’t have enough for myself much less the IRS, well anyway it was a voice tape stating that I call them back and very threathing that I owe the IRS and needed to get back in touch with them and so I did and also received another voice with a recorded message, and so I left my message unkindly stated and have reported this to the BBB/POLICE AND FBI due to it was very threathing to me …thank you for posting this and letting me know who this SCAM is coming from for I have the Reverse Number look up and it is not Washington you are correct overseas somewhere???but I do hope we catch them before they get away…thank you once again

  5. Janice Fisher

    I received a call saying I had to go to a Rite Aid at 282 8th Ave and get a green Dot vouch Pak The number that called me was 573-693-2884 I almost went to get the couchers and then I realized this was not the way our goverment does business. When I told the person my phone was running out of battery He told me if I my phone hung up he was sending the Federal Marshall to my place of employment to arrest. I then realized this had to be a scam and look it up on the internet (google) and read about the scams

  6. cheryl

    Received a call this morning, threating me, telling me I was in a lot of trouble with IRS, transfers me to some other bad speaking english person, says hes Officer Steven Clark, badge # 10470 his call back # 202-239-7184. I called my sheriffs dept and they said they are scammers, do not give any info….its a shame.

  7. Tom

    Received such a call telling me I was involved in TWO tax fraud issues and that notices had been left on my door on two dates. Then I was told that the IRS had jacked into my computer and discovered the tax fraud info. Then I knew it was fake as I have nothing on my home computer re tax info. All at my tax guy’s place. Indian accent and very mean and loud. When I continued questioning, she hung up after telling me that the sheriff was on the way to arrest me. Just who are these assholes anyway??? Is the FBI involved? Is there a victim hotline?

  8. Gemma Calimer

    I received a voicemail message from someone with an Indian accent purporting to be from the IRS to call (202) 241-0089 to avoid having further action taken against me. When I told him I thought this was a fraudulent call, he hung up. I called the number again and he told me not to call again, that I would get more information in the mail. HaHa. I have tried calling a few more times and first got a busy signal and then a generic ad for MagicJack. Similar story for a call from (202) 506-9726.

  9. Wendy Roberts

    Just received 2 similar calls from 202-280-7705 – caller id said WASHINGTON DC. It was a pre-recorded message by a Indian-sounding female. I recorded the second call which went as follows:

    “[jumbled - unclear] …the issue at hand is extremely concerned to you.,, my name is Kelly Jones and [hard?] line to my division is 202-280-7705. I repeat 202-280-7705, Now if you don’t return the call and I don’t hear from your attorney either then the only thing I can do is wish you a good luck as the situation falls on you.

    Again, this message is for you and this is Kelly Jones from the Internal (or did she say ‘Internet’?) Revenue Service Department. Good bye and take care.”

    Sounded like a threat to me!

  10. Rob

    I received one of these today, robocall saying to call “Julie” at the IRS. Call immediately as the IRS is initiating court action against you. 202 DC number.

    Called back and same story as folks are telling above, very threatening, abusive, thick Indian accents. I talked to 2 different males. I recognize some of the script they were reading from the Pindrop transcript.

    They were wanting $6878 and threatening huge fines and years of jail time, seizure of all property, suspend driver license, etc. if it went to court. Pay within the next 30 minutes and we’ll have an out of court settlement. I hung up when they transferred me to a “restitution” department and this person demanded I “stay on the line as I walk you through going to Safeway for a tax pay voucher, or I’ll contact the DMV to cancel your license and send officers to arrest you”.

    I submitted a complaint to ftc.gov/complaint.

  11. Glock

    Got call from Mike Wilson at 281-898-6578 (magicjack) with the usually IRS claim as other stated in bad Indian accent. Called back on a spoof line and new name.
    A David Wilson started by asking for the number that was called, then name. When I gave my new name and number, after a few clicks, said the couldn’t find me. So this tells me that they are calling from a LIST of some sort, targeting people. He said he is from the criminal investigation in Houston.
    After I got tried of playing his games, I told him he is going to be reborn as a COW and be slaughter and eaten by his kids. I heard him sputtering as I hung up the phone.
    Have filed a complaint with the IRS and MagicJack {to shut the line down}. In the meantime, I have program my daemon dialer to continually dial this number.
    Have a Nice Day.

  12. Forbes

    I got a call today from Frank Jefferson with the same story directing me to 202 609 7028 to pay $6508. I hope these scammers are shut down soon.

  13. Andy

    Just got one of the scam calls, almost identical to the one described above. # 202 241 7975. I checked it is a magic jack number. They are pretty good. Apart from the fact that I know that the IRS never calls or sends e-mails. I reported it to the IRS for what it worth as well as to Y max the majic jack company.

    A

Leave a Reply

Your email address will not be published. Required fields are marked *

You may use these HTML tags and attributes: <a href="" title=""> <abbr title=""> <acronym title=""> <b> <blockquote cite=""> <cite> <code> <del datetime=""> <em> <i> <q cite=""> <strike> <strong>