With growing dependence on the cyber world, there has been a continuous rise in the number of cyber crimes as well. Cyber criminals are continuously adopting new tricks to cheat innocent citizens. One of them is to use Income tax refunds as a pretext to earn the trust of the potential victim before executing their nefarious design.
In Income tax related frauds, fraudulent calls, emails and text messages play a crucial role.
Income Tax Refund Related Fraud Messages:
Most income tax refund fraud calls start with simple questions, such as verification of name, address and bank account details. These questions are often meant to gauge whether the person being contacted is naïve enough to become a victim.
In the case of messages, a sense of urgency is created by asking people to get Income tax returns before the last date. They have a catchy subject line, followed by a link. As soon as you click on the link, it directs you to a phishing website.
The website seeks several pieces of sensitive personal information, including bank account, Aadhaar and PAN card numbers. This information is then used to cause wrongful loss. Worse, your confidential information is often passed on to other fraudsters as well.
Income Tax Department Warning:
The Income tax department has already issued several warnings in this regard. The advisory includes not opening any such email or SMS. Also, attachments to these malicious emails are often laden with malware, so never download them. The links provided in these emails and messages redirect to fake or phishing websites meant to loot people. Therefore, don’t click on them, especially if the link has been created using a URL shortener service like Bitly.
According to cyber experts, these fraudsters collect, through data brokering (data purchases) or from insider sources, details of individuals who are worried about their Income Tax refunds or have filed Income Tax returns with errors. Later on, these individuals are targeted for a higher rate of success.
How Fraud Operates:
After the Income tax return filing period is over, taxpayers start receiving tax refunds in their bank accounts. Cyber criminals then start taking advantage of unsuspecting users through fraudulent SMS, calls and emails.
Consider an example:
"Alert! Dear Mr ABC, click on the link below to submit a formal request for payment of your unclaimed and overdue tax refund of Rs xxxx. Link: http://151.80.90.xy/ITRefund".
Many users fall into the trap and consider this to be an authentic SMS sent by the Income tax department about an Income tax refund. When they click on the link, they are directed to a fraudulent website under the control of the criminals. Once the user enters the credit card details followed by the OTP to receive the refund, money gets debited instead of getting credited.
Therefore, you should not click on any such link or any other link which claims to facilitate filing of ITR or to give a refund. You can read about this in detail on the official website: https://www.incometaxindia.gov.in/Pages/report-phishing.aspx…
You should directly visit the official Income tax website for any information you need. You can get true and accurate information only from the official website, simply by logging in with your ID and password. No other website can ever provide you with information as accurate as the official website.
How to Identify Fake SMS:
The Income tax department has time and again clarified that it does not request personal information like passwords, M-PINs or OTPs through email. Therefore, any email seeking sensitive personal information is a fraudulent one!
If you click on the link sent by cyber criminals, you might be asked to submit sensitive information like username, password and credit card details. The website will appear almost identical to the original Income tax department website, but its URL will always be different from the genuine one.
What if you Receive Fraudulent SMS/ Email?
Additionally, to check your Income tax status, you should log in to the official Income tax website - https://www.incometaxindiaefiling.gov.in/. You should also report such doubtful emails and SMS at firstname.lastname@example.org and email@example.com. You may also forward the message as received or provide the internet header of the email, as it helps to locate the sender.
Steps Income Tax Department has Undertaken:
The Income Tax Department has been at the forefront of using technology in implementing its e-Governance initiatives. Most of its routine communication to taxpayers is through email and SMS. Therefore, the Department is very sensitive and alert to attempts made by fraudsters to spoof the Department’s identity to send phishing emails. To ensure that taxpayers are aware that the Department does not seek any confidential or financial information of the taxpayer over email, the below mentioned advisory has been prominently displayed on the national website:
“The Income Tax Department NEVER asks for your PIN numbers, passwords or similar access information for credit cards, banks or other financial accounts through e-mail.
The Income Tax Department appeals to taxpayers NOT to respond to such e-mails and NOT to share information relating to their credit card, bank and other financial accounts.”
The Do’s and Don’ts to ensure that gullible taxpayers do not inadvertently play into the hands of fraudsters are clearly mentioned on the website: http://www.incometaxindia.gov.in/Pages/report-phishing.aspx. All taxpayer reports of phishing emails are forwarded to firstname.lastname@example.org which is a Government of India agency mandated to fight against such threats.
Further, the Department has implemented best practices such as SPF (Sender Policy Framework), DKIM (DomainKeys Identified Mail) and DMARC (Domain-based Message Authentication, Reporting & Conformance) for its email domains. Use of these protocols enables e-mail receiver domains such as Gmail, Yahoo, Hotmail etc. to determine whether or not a received e-mail is actually from the defined sender, such as the Department, and to block phishing emails from reaching the taxpayer.
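How a receiving mailbox can act on the SPF/DKIM/DMARC results described above, shown as an added example (not code from the Department or from this article). The host mx.example.net, the domain tax.example.gov and all four sample messages are constructed assumptions.

```python
import email
import re
from email.utils import parseaddr

def dmarc_verdict(raw, trusted_authserv, expected_domain):
    """Decide whether a message really comes from expected_domain, using only
    the Authentication-Results header written by our own mail provider."""
    msg = email.message_from_string(raw)
    from_domain = parseaddr(msg.get("From", ""))[1].rpartition("@")[2].lower()
    if from_domain != expected_domain:
        # A look-alike domain can pass DMARC for itself; that proves nothing.
        return "reject: From domain is not the expected one"
    for header in msg.get_all("Authentication-Results", []):
        authserv, _, results = header.partition(";")
        if authserv.strip().lower().split(" ")[0] != trusted_authserv:
            continue  # not stamped by our receiver, so it may be forged
        result = re.search(r"\bdmarc=(\w+)", results)
        aligned = re.search(r"\bheader\.from=([\w.-]+)", results)
        if (result and result.group(1).lower() == "pass"
                and aligned and aligned.group(1).lower() == from_domain):
            return "accept: DMARC pass, aligned with From"
        return "reject: DMARC did not pass"
    return "reject: no trusted Authentication-Results header"

def make_msg(auth_results, from_addr):
    """Build a constructed sample message (not real mail)."""
    return (f"Authentication-Results: {auth_results}\n"
            f"From: {from_addr}\nSubject: Refund\n\nbody\n")

# Constructed samples: mx.example.net stands in for the receiving provider,
# tax.example.gov for the department's mail domain (both are assumptions).
GENUINE = make_msg("mx.example.net; spf=pass smtp.mailfrom=tax.example.gov; "
                   "dkim=pass header.d=tax.example.gov; "
                   "dmarc=pass header.from=tax.example.gov",
                   "Tax Department <refunds@tax.example.gov>")
SPOOFED = make_msg("mx.example.net; spf=pass smtp.mailfrom=bulk.example; "
                   "dkim=none; dmarc=fail header.from=tax.example.gov",
                   "Tax Department <refunds@tax.example.gov>")
FORGED = make_msg("sender.example; dmarc=pass header.from=tax.example.gov",
                  "Tax Department <refunds@tax.example.gov>")
LOOKALIKE = make_msg(
    "mx.example.net; dmarc=pass header.from=tax-example-gov.example",
    "Tax Department <refunds@tax-example-gov.example>")

if __name__ == "__main__":
    for name in ("GENUINE", "SPOOFED", "FORGED", "LOOKALIKE"):
        print(name, "->", dmarc_verdict(globals()[name],
                                        "mx.example.net", "tax.example.gov"))
```

The LOOKALIKE case shows why a DMARC pass alone is not enough: the result only vouches for the domain in the From line, so that domain still has to be the genuine one.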
Taxpayers are advised to follow these simple checks if they do receive any email purporting to be from the Income Tax Department:
Income Tax Department is committed to encouraging taxpayers to engage with it electronically by following safe and best practices.
Since this fraud invariably involves fake websites, here are some of the steps to prevent being victims of phishing attacks:
1. Check the URL:
Checking the URL of the site is the only foolproof way to prevent phishing attacks. A fraudulent site may have a look and feel similar to the real site, but it can never have the same URL as the original site. Thus, a phishing page will always have some deviation from the corresponding real page URL. Always check the spelling of the URL in email links before clicking or entering sensitive personal information.
2. Grammar and Punctuation Checks:
Professionals ensure that their emails contain no errors, especially subject-verb agreement issues, punctuation errors, spelling errors etc. So, if an email contains poor grammar or punctuation, or shows an illogical flow of content, then most likely it has been written by an inexperienced scammer for fraudulent purposes.
3. Seeking Personal Information:
Reputed sites never ask for confidential information through emails. Any email asking you to enter or verify personal or bank details, such as credit card information, is most likely a phishing email.
4. Alarming Content – Warnings, Deadlines etc.:
Phishing messages are entirely based on social engineering attacks. Hackers often send alarming messages like your account has been hacked, your account is expiring, enter card details or account will be frozen etc. to put you in panic mode. Such messages are meant to create a sense of urgency to force users to take immediate action, not in their best interests.
5. Offering Large Financial Rewards:
Such phishing attacks claim that you have won a lottery that you might not even have participated in, or large prize money in a contest that you never enrolled for. The intention is to redirect you to a phishing site to harvest login credentials or financial information.
6. Watch Out for Shortened Links:
Shortened links hide the website’s real name and hence are frequently used by scammers. Using shortened links, hackers redirect the victim to fraudulent websites to capture sensitive information. Sites like CheckShortURL should be used to find the expanded URL and thus the original site you are being redirected to.
7. Beware of Pop-ups:
Reputed sites rarely ask users to enter personal or financial information in pop-ups. So, as a rule, no such information should be entered in pop-ups even if they are SSL-enabled. This is because, by using iframe technology, hackers can use pop-ups to capture personal information.
Two-factor authentication (2FA) adds an extra verification layer while logging into sensitive applications. With 2FA, even with the login details compromised, the account cannot be breached, as the hackers would require the code sent to the linked number or the code generated by Google Authenticator to log into the account.
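The URL check and the shortened-link check from items 1 and 6 above can be automated. The sketch below is an added example, not code from the Income Tax Department or the original article; the official domains are the two named in this article, while the shortener list and the sample URLs are constructed for illustration.

```python
import ipaddress
from urllib.parse import urlsplit

# Official hosts as named in this article; the shortener list is a small
# illustrative sample (an assumption), not an exhaustive one.
OFFICIAL = ("incometaxindia.gov.in", "incometaxindiaefiling.gov.in")
SHORTENERS = {"bit.ly", "tinyurl.com", "t.co"}

def is_ip(host):
    """True when the host is a literal IPv4/IPv6 address, not a name."""
    try:
        ipaddress.ip_address(host)
        return True
    except ValueError:
        return False

def link_warnings(url):
    """Return the reasons a link should not be trusted (empty list = none)."""
    parts = urlsplit(url.strip())
    host = (parts.hostname or "").rstrip(".").lower()
    warnings = []
    if parts.scheme != "https":
        warnings.append("not https")
    if parts.username is not None:
        warnings.append("text before '@' is not the real host")
    if is_ip(host):
        warnings.append("raw IP address instead of a domain name")
    if host in SHORTENERS:
        warnings.append("shortened link hides the destination")
    # Only an exact match or a true subdomain counts; a name that merely
    # contains the official domain somewhere in it does not.
    if not any(host == d or host.endswith("." + d) for d in OFFICIAL):
        warnings.append(f"host '{host}' is not an official domain")
    return warnings

if __name__ == "__main__":
    samples = [  # constructed examples using reserved documentation ranges
        "https://www.incometaxindia.gov.in/Pages/report-phishing.aspx",
        "http://203.0.113.7/ITRefund",
        "https://incometaxindia.gov.in.refund-claim.example/login",
        "https://www.incometaxindia.gov.in@203.0.113.7/ITRefund",
        "https://bit.ly/EXAMPLE",
    ]
    for s in samples:
        print(s, "->", link_warnings(s) or "no warnings")
```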
What if You Already Have Become its Victim?
If you have already become a victim of Income tax refund fraud, you should immediately lodge an FIR with the local police station having jurisdiction over your area, or at the nearest district cyber cell/ state cyber cell.
Based on the facts and circumstances of the case, Section 419 or Section 420 IPC can be applied to the case. The Sections have been reproduced below.
Section 419: Punishment for cheating by personation: Whoever cheats by personation shall be punished with imprisonment of either description for a term which may extend to three years, or with fine, or with both.
Section 420: Cheating and dishonestly inducing delivery of property: Whoever cheats and thereby dishonestly induces the person deceived to deliver any property to any person, or to make, alter or destroy the whole or any part of a valuable security, or anything which is signed or sealed, and which is capable of being converted into a valuable security, shall be punished with imprisonment of either description for a term which may extend to seven years, and shall also be liable to fine.
Similarly, the following Sections of the Information Technology Act may also have a bearing on such Income tax return frauds:
Section 66C: Punishment for identity theft: Whoever, fraudulently or dishonestly make use of the electronic signature, password or any other unique identification feature of any other person, shall be punished with imprisonment of either description for a term which may extend to three years and shall also be liable to fine which may extend to rupees one lakh.
Section 66D: Punishment for cheating by personation by using computer resource: Whoever, by means of any communication device or computer resource cheats by personation, shall be punished with imprisonment of either description for a term which may extend to three years and shall also be liable to fine which may extend to one lakh rupees.
Will Banks Refund Money in Case of Income Tax Refund Scams?
If the victim has willingly transferred money into the fraudster’s account or shared the OTP/M-PIN willingly, he/ she will have to bear the entire loss until he/ she reports the unauthorized transaction to the bank. However, any loss occurring after the reporting of the unauthorized transaction shall be borne by the bank concerned.
The above conclusion can be drawn on the basis of the RBI notification below:
Money refund in case of unauthorized electronic banking transactions is governed by RBI circular dated July 06, 2017.
The bank’s (All scheduled commercial banks, Small finance bank and Payment Banks) liability in case of Unauthorized Electronic Banking Transactions is governed by RBI circular - RBI/2017-18/15, DBR.No.Leg.BC.78/09.07.005/2017-18 dated July 06, 2017.
Limited Liability of a Customer:
1. Zero Liability of a Customer
A customer’s entitlement to zero liability shall arise where the unauthorized transaction occurs in the following events:
2. Limited Liability of a Customer:
A customer shall be liable for the loss occurring due to unauthorized transactions in the following cases:
Cyber frauds in the name of Income tax refunds have been going on for several years now. Honest taxpayers are being fleeced in the name of Income tax refunds. If you receive a call, email or message about an income tax refund, be cautious, as it can be a precursor to fraud.
You must always keep in mind that the Income tax department never demands sensitive information like One Time Passwords (OTPs), UPI PIN etc. Similarly, IT department officials never ask individuals to download and install applications like TeamViewer, QuickSupport, AnyDesk etc.