It was inevitable, and now it’s “official”: the 2008 Economic Stimulus Payment is the new Nigerian scam.

A few of my clients this week reported receiving one or more phishing emails about the 2008 Economic Stimulus Payment from the US government. Then I received one myself this morning. (”Gee, how could the IRS possibly know I switched email addresses?” was my first thought.) Here’s the email I received:

Don’t click on the link.  Don’t click on the link.
The rule is worth repeating.  Practice safe Internet computing — don’t click on a link in an email seeming to come from your bank, eBay, PayPal, or your federal government about your “account details” or to “apply” for something. Go to the official site and do your business starting from there (or investigate or report the phishing email, from there).

The grammatical and formatting errors which allow users to identify phishing scams are becoming much more subtle as the phishes and the phishers themselves become more refined. Note to Phish-Dude: there are some big issues in your general approach here. It is generally a tip-off to us where the federal government uses an exclamation (”!”) point at the end of any communication. We’re just not that officially enthusiastic about anything here in the U.S. Also, while I personally consider the stimulus payment to be a kind of ‘moral refund’ for putting up with the last 8 years of government, the payment is technically not a refund, but a disbursement. (Readers are welcome to offer other grammar and spelling observations and feedback in the Comment section.)

Clicking through (don’t click on the link!) redirects the email recipient to the following page:

While you don’t have to, I frequently amuse myself by picking the IP address out of the email link (my email program, Thunderbird, allows me to right-click and copy a link). Phishing scam emails have URL links that almost always show an IP address rather than text, as this one did:

http://211.32.47.11:443/irs_redi/

When I went to DomainTools and did a reverse IP search on the 11.32.47.11 IP address, it came back “unknown”. Finally, I also note: Thunderbird and Firefox (my recommended email and web browser software of choice) both tried to warn me several times that the email and the website were a scam. Ignoring all of this “Danger, Danger, Will Robinson!” and directing yourself straight into harm’s way is possible, but much less likely with these than it is with other software.

Introducing the PHISHY: Arborlaw’s new annual award for phishing and other email scams
Is there an annual award for phishing campaigns? I couldn’t find one, so I’m announcing the Arborlaw PHISHY™ Award. You can document your submissions for the Best Phishing Attempt of 2008 in a comment here: Arborlaw 2008 PHISHY™ Awards — Submissions Page.