Disturbingly Good Phony Email!

It’s tax season, and you expect to receive messages from your accountant about your finances. But, beware!

Scammers trying to get you to click on a link to download evil programs that run on your computer are ready to take advantage of your anxiety over taxes!  Be especially careful of emails that are supposedly from us or other tax preparers.

This weekend we received the first message in a very, very frightening string of emails designed to get us to click on a link to a website where a damaging program awaited us. We did not go to the website. But, if we had, our computer, our online activity, and our contact lists would all have been at the mercy of some sophisticated bad guys.

Here’s what happened to us.

Saturday we received an email from another local CPA.  The message looked like this, except I’ve substituted a pseudonym for the real CPA and used our firm’s email address and contact information instead of hers.

From: Sally Smith [mailto:[email protected]]
Sent: Saturday, March 21, 2015 5:27 PM
Subject: Important document

Please see the attached file for your review.

Thank you,

What we didn’t notice in the email was that the return email address was ssmith@skocap.com and not ssmith@skocpa.com.  But, doesn’t the message look like something your accountant might send you talking about your taxes?

We are suspicious people, so although we knew the CPA who sent us the email, we hadn’t talked to her recently and wondered why she had sent us a link for a document.  We replied to her email and asked her.

Hi Sally,
I wasn’t expecting an email from you. Please let me know if you intended me to get this and what it is.

Galen Workman
Sterck Kulik O’Neill accounting group, inc.

But, remember, the email address had been doctored from [email protected] to [email protected].  So when we replied, our message went to the bad guys.

And, the bad guys responded!

From: Sally Smith [mailto:[email protected]]
Sent: Monday, March 23, 2015 9:26 AM
To: Galen Workman
Subject: Re: FW: Virus?

Not a virus.

Sally Smith, CPA EA

Enrolled to Practice and Represent Taxpayers Before the IRS
150 Post Street, Suite 350 San Francisco, CA  94108
Phone: (415) 433-4500
Fax: (415) 433-4765
E-mail: [email protected]

This time, not only did the bad guys reassure me that their email was “not a virus,” they also included Sally’s signature block to make the email look even more legitimate.

The email still smelt bad, so we really looked at it.  This time we noticed that the messages were coming to/from ssmith@skocap.com instead of [email protected].

We called Sally, and she said she knew that her email system had been hacked.  The same message we received went to all of her clients, and she was emailing them about the scam.  When we told her about the reply we got to our emailed question and the slightly different domain name (cap vs. cpa), she was horrified.

The bogus domain name is registered at GoDaddy, just as her legitimate domain name and site are. When I looked up the IP address for the bogus domain, the crooks’ website appeared to be hosted at GoDaddy, too.  So, the crooks are apparently using a well-known American domain name registrar and hosting service.

Wow!  What guts.

Protect Yourself!

  • Don’t open attachments or click on links in emails, unless you’re expecting something from the sender.
  • Verify that an email that looks like it’s coming from someone you know really is coming from that person!  Do that by carefully reading the return email address, character by character.  And hover your cursor above any links in an email to see where the link is really sending you.

    (I can create a link that says www.Google.com, but really sends you somewhere else.  Hover the cursor over the link before clicking to see the real destination.  In an email the real destination appears over the link.  On a webpage like this one, the real destination will appear somewhere discreet, usually at the bottom of your screen.)

When in doubt, don’t click!  Pick up the phone and call the sender!
