Natwar Sharma, 42, a Delhi-based salaried person, was waiting to get his tax refund from the income tax department based on the return filed for the assessment year 2017-18. When he received an email from email@example.com seeking some financial details to process his tax refund, he didn’t suspect anything. The email asked him to click the link to process the refund. After providing some of the details requested—such as name, Permanent Account Number and bank details—he grew suspicious when the link asked for details of his credit card. Sharma decided to consult a friend. His friend recognized the sender’s email address as fake, and warned Sharma not to disclose or share any information. Sharma was saved from falling for a phishing fraud—a scam in which the fraudster tries to extract critical information by posing as a trustworthy entity.
Sharma’s is not an isolated case. More worryingly, not all potential victims have the ability to detect such scams, or access to friends who can. Many end up falling prey, and the losses can take the form of identity theft and even outright financial loss.
The government’s initiative to make all the tax-related procedures online has benefitted taxpayers a lot. There has been a huge increase in the number of registered users on the income tax website in the last few years. However, many of these registered users are not conversant with the online system, making them vulnerable to fraudsters. It is therefore necessary that all taxpayers be able to detect fraudulent communication pretending to be from the income-tax department.
It is difficult to detect fraud emails. Usually, their email and domain names mimic those of genuine emails sent by income tax authorities. Even the content and look and feel of these emails are similar to those of actual communication from the tax department. The webpages to which these emails direct their potential victims also look dangerously similar to the real thing.
However, one should understand that typically emails sent by the income tax department are system generated and you are not required to reply to them. Moreover, the tax department does not seek any information from a taxpayer—like username, password, and details of debit and credit cards—over email. If an email wants you to send over this information, treat it with suspicion and do not send any information to it. Emails from the tax department always warn you that the department will not ask for information of this kind.
“A taxpayer should understand that the income-tax department would communicate with taxpayers only for specific purposes, such as: asking the taxpayer to file the return or to ask queries in respect of return already filed or informing that the return has been processed resulting in a refund or a demand,” said Suraj Nangia, partner, Nangia & Co. LLP, a chartered accountancy firm. In any of these scenarios, the tax department will not request detailed personal information, because it already has your bank details, which were filed in the income tax return, added Nangia.
Typically, the income tax department’s emails are in the form of intimations and the email address would be: firstname.lastname@example.org or email@example.com. Even if the department asks you to respond through an intimation, you will be asked to log in to your e-filing account on the income tax e-filing website www.incometaxindiaefiling.gov.in, instead of being given any link to click in an email. If an email asks you to respond by clicking on a link, it is very likely to be a fraud email. To be sure, “Check the details of the sender,” said Saket Modi, chief executive officer and co-founder, Lucideus, a Delhi-based information technology risk assessment and digital security services provider. For instance, if you have received the email in your Gmail account, open the email and, next to the reply button, choose the option “Show originals” from the drop-down list. Once you do so, you will be able to see information like the sender’s email ID, originating server name and server ID. It will help you to identify whether it is a fraud email or genuine, explained Modi. A genuine intimation email from the Central Processing Center (CPC) of the income tax department will mostly have the IP address as 188.8.131.52.
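An added example, not from the article or the tax department: the sender, authentication and link checks described above, applied to the raw text of a message such as the one Gmail’s “Show originals” view displays. The trusted sender domain `tax.example` and both sample messages are constructed placeholders, since the genuine sender addresses are not reproduced here.

```python
import re
from email import message_from_string
from email.utils import parseaddr
from urllib.parse import urlparse

# The e-filing host is the one named in the article. Sender domains are passed
# in by the caller; "tax.example" below is a constructed placeholder.
EFILING_HOST = "www.incometaxindiaefiling.gov.in"
LINK = re.compile(r"https?://[^\s\"'<>]+")
# Coarse signal only: a genuine mail may use these words in its own warning.
SENSITIVE = re.compile(r"password|credit card|debit card|cvv", re.I)

def review_email(raw, trusted_sender_domains):
    """Return the reasons a raw message (headers + body) looks suspect."""
    msg = message_from_string(raw)
    findings = []
    sender = parseaddr(msg.get("From", ""))[1]
    domain = sender.rpartition("@")[2].lower()
    if domain not in trusted_sender_domains:
        findings.append(f"sender domain not trusted: {domain or '(none)'}")
    # Authentication-Results is stamped by the receiving provider; rely only
    # on the copy added by your own mailbox provider.
    auth = (msg.get("Authentication-Results") or "").lower()
    for check in ("spf", "dkim"):
        if f"{check}=pass" not in auth:
            findings.append(f"{check} did not pass")
    # Plain-text parts only; encoded bodies would need decoding first.
    body = "\n".join(p.get_payload() for p in msg.walk() if not p.is_multipart())
    for url in LINK.findall(body):
        host = (urlparse(url).hostname or "").lower()
        if host != EFILING_HOST:  # exact match: lookalike hosts must not pass
            findings.append(f"link leaves the e-filing site: {host}")
    if SENSITIVE.search(body):
        findings.append("asks for credentials or card details")
    return findings

# Constructed samples, not real messages.
PHISH = """From: "Income Tax Refund" <refund@incometax-refunds.example>
Authentication-Results: mx.mailbox.example; spf=fail smtp.mailfrom=mailer.example; dkim=none
Subject: Process your refund

Click http://incometaxindiaefiling.gov.in.refund-claim.example/login and enter your credit card number and password.
"""
CLEAN = """From: Intimations <intimations@tax.example>
Authentication-Results: mx.mailbox.example; spf=pass smtp.mailfrom=tax.example; dkim=pass header.d=tax.example
Subject: Intimation

Your return has been processed. Log in at https://www.incometaxindiaefiling.gov.in to view it.
"""

if __name__ == "__main__":
    for name, raw in (("PHISH", PHISH), ("CLEAN", CLEAN)):
        print(name, review_email(raw, {"tax.example"}))
```

The constructed phishing sample shows why the link check compares the whole host: its URL begins with the genuine site’s name but resolves under a different domain.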
“If you get a suspicious email that asks you for personal or financial information, be cautious, avoid replying or clicking on any links in the message,” said Modi. Such emails can also harm the laptop or mobile that you are using. If you receive and identify a fraud email claiming to be from the income tax department, then “without heeding to it, you should forward the email or website URL to firstname.lastname@example.org. A copy may also be forwarded to email@example.com,” said Amit Maheshwari, partner, Ashok Maheshwary & Associates LLP. After you do so, keep a printout of the email for your record and delete it from your email account.
What should you do if you were unable to identify a fraud email and ended up sharing some information or were duped into making a payment? Once you realize your mistake, apart from intimating the income tax department, you should also intimate your bank. “Immediately notify the bank, giving details of the amount debited, asking it to block your card and bank account to avoid any further damage,” said Nangia. If required, “Report the matter to police,” suggested Maheshwari.
However, once you have made any payment through links provided in such emails “it is very complicated and difficult to trace the fraudster, though it is not impossible,” said Modi. So, a person should take utmost care. “Learning to recognize phishing emails is the key to avoid phishing frauds,” said Nangia. Besides that, “One has to be habitually suspicious of any email with urgent or desperate requests for personal financial information,” added Nangia.
In its advice to taxpayers, the income tax department suggests that one should take precautionary measures like using good anti-virus software, anti-spyware, and a firewall, and keeping them updated. Some phishing emails contain software that can harm your computer or track your activities on the internet without your knowledge. Anti-virus and anti-spyware software and a firewall can protect you from inadvertently accepting such unwanted files.