Income Tax Refund Fraud in India & How to Prevent

Income Tax Refund Fraud in India & How to Prevent

Income Tax Refund Fraud in India & How to Prevent:

With growing dependence on the cyber world, there has been continuous rise in the number of cyber crimes as well. Cyber criminals are continuously adopting new and modern tricks to cheat innocent citizens. One of them is to use Income tax refunds as pretext to earn trust of the potential victim before executing their nefarious design. 

In Income tax related frauds, fraudulent calls, emails and text messages play a crucial role.  

Income Tax Refund Related Fraud Messages:
Most income tax refund fraud calls, start with simple questions like verification of name, address, bank account etc details. These questions are often meant to guage whether the person being contacted is too naïve to become a victim. 

In case of messages, sense of urgency is created by asking people to get Income tax returns before the last date. They have a catchy subject line, followed by a link. As soon as you click on the link, it directs you to a phishing website.

The website seeks several sensitive personal information including bank account, Aadhar and PAN card number etc. These information are then used to cause wrongful loss. Worse, your confidential information is often passed onto other fraudsters as well. 

Income Tax Department Warning:
The Income tax department has already issued several warnings in this regard. The advisory includes not opening any such email or SMS. Also, attachments from these malicious emails are often laden with malwares, therefore never download them. The links provided in these emails and messages redirects to fake or phishing websites, meant to loot people. Therefore, don’t click on them especially if the link has been created using URL shortner services like Bitly.   

According to cyber experts, through data brokering (data purchases) or from insider sources, these fraudsters collect details of individuals who are worried about their Income Tax refunds or have filed Income Tax returns with errors. Later on, these individuals are targeted for higher level of success. 

How Fraud Operates:
After the Income tax return filling gets over, taxpayers start receiving tax refunds in their bank accounts. Cyber criminals then start taking advantage of unsuspecting users through fraudulent SMS, calls and emails. 

Consider an example:
"Alert! Dear Mr ABC, click on the link below to submit a formal request for payment of your unclaimed and overdue tax refund of Rs xxxx. Link: http://151.80.90.xy/ITRefund”.

Many users fall in their trap and consider this to be authentic SMS sent by the Income tax department for Income tax refund. As they click on the link, they are directed to fraudulent website in the control of criminals. Once the user enters the credit card details followed by OTP to receive the refund, money gets debited instead of getting credited. 

Therefore, you should not click on any such link or any other link which facilitates filing of ITR or gives refund. You can read in detail on the official website of - https://www.incometaxindia.gov.in/Pages/report-phishing.aspx

You should directly visit the Income tax official website for any information you need. You can get true and accurate information only from official website, simply by logging in with your ID and password. No other website can ever provide you as accurate information as the official website. 

How to Identify Fake SMS:
The Income tax department has time and again clarified that it does not request personal information like password, M-PIN, OTPs through email. Therefore any email seeking personal sensitive information is a fraudulent one! 

If you click on the link sent by cyber criminals, you might be asked to submit sensitive information like username, password and credit card details. The website shall appear almost identical as the original Income tax department website, but will always its URL different from the genuine one.  

What if you Receive Fraudulent SMS/ Email?

  • If you receive such fraudulent communication, never reply to it. 
  • Don’t open any attachment in such emails, as they may contain malicious payloads which may compromise your device.  
  • Don’t click on any links mentioned in SMS/ email. If you click on such links do not enter confidential information like card details, bank account related information etc. 

Additionally, to check your Income tax status, you should log-into the official Income tax website - https://www.incometaxindiaefiling.gov.in/. Also you should report such doubtful emails and SMS at webmanager@incometax.gov.in and incident@cert-in.org.in. You may also forward the message as received or provide the internet header of the email as it helps to locate the sender. 

Steps Income Tax Department has Undertaken:
The Income Tax Department has been at the forefront of using technology in implementing its – e-Governance initiatives. Most of its routine communication to taxpayers is through email and SMS. Therefore, the Department is very sensitive and alert to attempts made by fraudsters to spoof the Department’s identity to send phishing emails. To ensure that taxpayers are aware that the Department does not seek any confidential or financial information of the taxpayer over email, the below mentioned advisory has been prominently displayed on the national website: 

“The Income Tax Department NEVER asks for your PIN numbers, passwords or similar access information for credit cards, banks or other financial accounts through e-mail. 

The Income Tax Department appeals to taxpayers NOT to respond to such e-mails and NOT to share information relating to their credit card, bank and other financial accounts.” 

The Do’s and Don’t’s to ensure that the gullible taxpayers do not inadvertently play into the hands of fraudsters are clearly mentioned on the website: http://www.incometaxindia.gov.in/Pages/report-phishing.aspx. All taxpayer reports of phishing emails are forwarded to incident@cert-in.org.in which is a Government of India agency mandated to fight against such threats. 

Further, the Department has implemented best practices such as SPF (Sender Policy Framework), DKIM (Domain Keys Identified Mail) and DMARC (Domain-based Message Authentication, Reporting & Conformance) for its email domains. Use of these protocols enables the e-mail receiver domains such as Gmail, Yahoo, Hotmail etc to determine whether or not a received e-mail is actually from the defined sender such as the Department and block phishing emails from reaching the taxpayer. 

Taxpayers are advised to follow these simple checks if they do receive any email purporting to be from the Income Tax Department: 

  • Check for the domain name carefully. Fake emails will have misspelt or incorrect sounding variants of websites of the Income Tax Department. 
  • Check the message header – for example in Gmail it can be viewed by selecting the option ‘Show Original’. 
  • Do not open such emails in spam or junk folder and do not reply to such emails. 
  • Do not open any attachments. Attachments may contain malicious code. 
  • Do not click on any links. Even if you have clicked on links inadvertently in a suspicious e-mail or phishing website then do not enter confidential information like bank account, credit card details. 
  • Do not cut and paste the link from the message into your browsers. 
  • Forward the phishing emails to incident@cert-in.org.in with a request to examine and block the sender. 
  • Use anti-virus software, anti spyware, and a firewall and keep them updated. 

Income Tax Department is committed to encouraging taxpayers to engage with it electronically by following safe and best practices.

Precautions:
Since this fraud invariably involves fake websites, here are some of the steps to prevent being victims of phishing attacks:

1. Check the URL: 
Checking the URL of the site is the only foolproof way to prevent phishing attacks. A fraudulent site may have look and feel similar to the real site, but it can never have the same URL as the original site. Thus, a phishing page will always have some deviation from the corresponding real page URL. Always check the spelling of the URL in the email links, before clicking or entering sensitive personal information. 

2. Grammar and Punctuation Checks:
Professionals ensure that the emails contain no errors especially subject verb agreement issues, punctuation, spelling errors etc. So, if an email contains poor grammar, punctuation or shows an illogical flow of content then most likely it has written by an inexperienced scammer for fraudulent purposes. 

3. Seeking Personal Information:
Reputed sites never ask for confidential information through emails. Any emails asking to enter or to verify personal or bank details such as credit card information is most likely to be a phishing email. 

4. Alarming Content – Warnings, Deadlines etc.:
Phishing messages are entirely based on social engineering attacks. Hackers often send alarming messages like your account has been hacked, your account is expiring, enter card details or account will be frozen etc. to put you in panic mode. Such messages are meant to create a sense of urgency to force users to take immediate action, not in their best interests. 

5. Offering Large Financial Rewards:
Such phishing attacks claim that you have won a lottery that you might not even have participated in, won large prize money in a contest that you have never enrolled for etc. The intention is to redirect you to a phishing site to harvest login credential or financial information. 

6. Watch Out for Shortened Links:
Shortened links hide the website’s real name and hence, are frequently used by scammers. Using shorted links, hackers redirect the victim to fraudulent websites to capture sensitive information. Sites like CheckShortURL should be used to find the expanded URL and thus the original site you are being redirected to. 

7. Beware of Pop-ups:
Reputed sites rarely ask users to enter personal or financial information in pop-ups. So, as a rule no such information should be entered in pop-ups even if it’s SSL enabled. This is because, by using iframe technology, hackers can use pop-ups to capture personal information.  

8. 2FA: 
2FA adds an extra verification layer while logging into sensitive applications. With 2FA, even with the login details compromised, the account cannot be breached. As, the hackers would require the code sent to the linked number or the code generated by the Google Authenticator to log into the account.  

Other Precautions: 

  • If an email looks suspicious, contact the source with a new mail, rather than hitting reply. 
  • Don’t post personal information like birthday, future plans, phone number, email ID etc on social media sites.
  • Do not re-use passwords for multiple application and change passwords at regular intervals. 
  • Check whether your email and password has already been compromised in a previous data breach, using websites such as https://haveibeenpwned.com 

What if You Already Have Become its Victim?
If you have already become a victim of Income tax refund fraud, you should immediately lodge an FIR with the local police station, having jurisdiction over your area or at the nearest district cyber cell/ state cyber cell. 

Based on the facts and circumstances of the case, Section 419 or Section 420 IPC can be slapped on the case. The Sections have been reproduced below. 

Section 419: Punishment for cheating by personation: Whoever cheats by personation shall be punished with imprisonment of either description for a term which may extend to three years, or with fine, or with both.

Section 420: Cheating and dishonestly inducing delivery of property: Whoever cheats and thereby dishonestly induces the person deceived to deliver any property to any person, or to make, alter or destroy the whole or any part of a valuable security, or anything which is signed or sealed, and which is capable of being converted into a valuable security, shall be punished with imprisonment of either description for a term which may extend to seven years, and shall also be liable to fine.

Similarly, following Sections of the Information Technology may also have bearing on such Income tax return frauds:

Section 66C: Punishment for identity theft: Whoever, fraudulently or dishonestly make use of the electronic signature, password or any other unique identification feature of any other person, shall be punished with imprisonment of either description for a term which may extend to three years and shall also be liable to fine which may extend to rupees one lakh. 

Section 66D: Punishment for cheating by personation by using computer resource: Whoever, by means of any communication device or computer resource cheats by personation, shall be punished with imprisonment of either description for a term which may extend to three years and shall also be liable to fine which may extend to one lakh rupees.

Will Banks Refund Money in Case of Income Tax Refund Scams?
If the victim has willingly transferred money into the fraudster’s account or shared OTP/M-PIN willingly, he/ she will have to bear the entire loss until reports the unauthorized transaction to the bank. However, any loss occurring after the reporting of the unauthorized transaction shall be borne by the bank concerned.

The above conclusion can be drawn on the basis above RBI notification: 
Money refund in case of un-authorized electronic banking transactions is governed by RBI circular dated July 06, 2017. 

RBI Notification:
The bank’s (All scheduled commercial banks, Small finance bank and Payment Banks) liability in case of Unauthorized Electronic Banking Transactions is governed by RBI circular - RBI/2017-18/15, DBR.No.Leg.BC.78/09.07.005/2017-18 dated July 06, 2017. 

Limited Liablity of a Customer:
1. Zero Liability of a Customer
A customer’s entitlement to zero liability shall arise where the unauthorized transaction occurs in the following events:

  • Contributory fraud/ negligence/ deficiency on the part of the bank (irrespective of whether or not the transaction is reported by the customer).
  • Third party breach where the deficiency lies neither with the bank nor with the customer but lies elsewhere in the system, and the customer notifies the bank within three working days of receiving the communication from the bank regarding the unauthorized transaction.

2. Limited Liability of a Customer:
A customer shall be liable for the loss occurring due to unauthorized transactions in the following cases:

  • In cases where the loss is due to negligence by a customer, such as where he has shared the payment credentials, the customer will bear the entire loss until he reports the unauthorized transaction to the bank. Any loss occurring after the reporting of the unauthorized transaction shall be borne by the bank.
  • In cases where the responsibility for the Unauthorized electronic banking transaction lies neither with the bank nor with the customer, but lies elsewhere in the system and when there is a delay (of four to seven working days after receiving the communication from the bank) on the part of the customer in notifying the bank of such a transaction, the per transaction liability of the customer shall be limited to the transaction value or the amount mentioned in Table, whichever is lower.

Conclusion:
Cyber frauds in name of Income tax refund has been going on now for several years now. Honest tax payers are being fleeced in name of Income tax refund. If you receive a call, email or message about income tax refund, be cautious as it can be precursor to frauds. 

You must always keep in mind that Income tax department never demands sensitive information like One Time Password (OTPs), UPI PIN etc. Similarly, IT department officials never ask individuals to download and install applications like Team Viewer, Quick Support, Any Desk etc.