Home > Blogging, Web > Scam Alert – Now using Income Tax of India

Scam Alert – Now using Income Tax of India

Income Tax Email Subject

Income Tax Government of India emailed me last evening. I assumed this email was a confirmation for the refund I received earlier this year, but no, this was about giving me more, an excess refund of Rs. 36,120.25 accumulated as Tax excess.

This is a scam! This is how..    

Email that landed in my inbox:

Email from Income Tax Dept

First look at the email and you believe this is genuine. It comes from an email registered with incometaxindiafiling.gov.in, professionally written and there is an amount of Rs. 36120.25 (not too high to raise red flags). When I first read I believed it, but being aware of having received any refunds already, I re-read it. Thanks to that, I knew that this was a case of a new con game on the internet.

Generally most scam emails stop here, you click the links on the email and they have your email and everything that they intended to have except your money. These guys however are professionals and have played the long haul in designing this. As a normal user, you should just spam the email and stop right at this step, I however played along just to show you how this scam works!

First, how to detect if this is a scam. There is a small button near the reply button of the email, click on that and it should show you a “Show Original” option.

Click through that and you should see this:

What you are looking for is Received from, or Return Path or sometimes even Reply-to. These are the original email servers that were used to send these emails.  If this email was sent from a genuine email Id, the reply to or return path should have been to another income tax portal email id, on this it is not. However, the smart thing is they do not have a reply-to defined, which means replying to this email will populate the same from email id.  Other scammers use an actual scam email id so that emails (sent blindly without looking at what the to email is) do not bounce back raising red flags.

[ On this email however there is a “via eigbox dot net”. No reason to suspect this, because there are a number of institutions using different mail servers for their email applications, My company uses services of google. You can use Show Original option to also see that this email was sent using eigbox dot net]

If you are unable to identify this as a fraud in this step itself,  you will probably notice it in the next.

See how cleanly it is designed to look just like the Income Tax website of India. If you turned a blind eye on this, you are going to their next step. You should stop as soon as you see the URL, It’s simple as that. If you have doubts whether this is from a genuine URL just google the original link and compare it with this one.

The scammers now want to link you to your bank account to confirm transfer of funds, select a bank: There is a choice of at least 15 banks operating in India with netbanking options. I chose HDFC Bank. The fake URL is still there!

Always be cautious whenever you are logging in to your netbanking account,. Always verify that you are logging in to the correct URL. Usually all banks have one click login to your netbanking page to redirect consumers to correct url’s. Some of my friends have this habit of marking the second page, the actual login page as a favourite. This they tell me is to ensure they always logged in to a genuine website, but if I had access to their computer (even through a network) I can design a website to look just like this and modify their saved favorite to open the fake site.

Most of the times people will fall for it, because this has become some sort of habit! By making it a habit to always enter the url of bank website manually, you are ensuring that you are not logging in to a different website.

HDFC has a two-step login, a user has to enter their customer ID, and the page will load back an image as selected by a user with the favorite message. How many times do we actually check that. To ensure HDFC always gets your attention they have a check box you need to click after verifying the image to login to your account. I havent done this a 100 times, because we are of habit of entering our email id’s followed immediately with a password to login to our email accounts. So it’s always ID first, followed by a Password, which is what these scammers bank upon. Even when I was playing into the scam, I entered a fake ID and password almost immediately to be returned with this:

Yes, they tell you there is an error logging in. So you go back and try again just reconfirming the password!

I do not really have to tell you what they can do after having your login details. You might argue of the inability to transfer funds because of 3D secure access, a middle tier where you need to enter a transfer password to transfer funds. Just to let you know, with your login they have your address, your complete bank information. They can print out statements, use them to get loans credit cards and everything that can be done with a bank statement.

If they can produce a fake website, they can even create fake cheques with your name and account number, pass them on. Whenever there is an investigation the police can come catch you. They could change your banking address, and phone numbers. So all of this would happen without you knowing about it. It’s a high risk affair!

I played along, but you never should. Why? They could have designed a worm that would have been downloaded to your system, sitting on your computer waiting for you to login to something they would need, and because you are connected to the internet it can easily send this information out to the scammers email, without you knowing about it. At this current point I run a risk of being affected by a malware, for which I’m running an antivirus scan. My computer is also protected by the latest antivirus, and notifies anything and everything that gets downloaded.

A malware download is a worst case scenario, they could have scripts on their website to access all the information from the web browser. If you have saved passwords, they could have access to all that information. They are professionals, they could have access to virtually everything if you are unprotected. Money is only a bonus, personal information is really the thing they are after!

The only way to save yourselves from this is to not click anything that suspicious, if you do however find that it is a scam in the next step, close it, spam it and delete it. Always have the antivirus program running the latest versions.

I am going to report this to all the banks, and the IT Department. The IT department seem to have already noticed this and have this to say:

On further research on the email server that sent out this email, I found this on ip-Address.com (I do not say that this information is true, it’s just something I found when I was searching for information on eigbox dot net)

Always remember Money is just a bonus, the scammers are usually after your personal information!

Be safe,


  1. dharani
    November 28, 2011 at 2:38 pm

    Hi kunal,

    Even i got the same mail

  2. LVS
    December 30, 2011 at 9:19 am

    “Always have the antivirus program running the latest versions.” OR switch to Ubuntu ! \m/

  3. February 23, 2012 at 6:25 pm

    Hi Kunal. I had received this same mail today. Somehow felt it could be a scam. So searched the email address, from which the mail came, online and came across your blog among other sites. Thanks a lot for this blog piece. Very informative.

  4. Shikha
    May 16, 2012 at 12:18 am


    I have also received the same e-mail today. I also thought this is for the income tax refund which I should be getting but it was for my personal information. It took me to a page which is exactly same as the ICICI net banking but it was not the ICICI bank page. The page had .br url which shows thats a Brazilian web site.

    Please be very careful before giving your personal information to any site whether it is Income tax or any other banking site.


  5. July 3, 2012 at 10:39 am


    Did you even read the entire post? This is phishing attack and there is no virus on your box. Even on Ubuntu, you can still suffer from phishing attacks. Just wanted to make sure that you are not in dark about Linux, OS X. Every OS is susceptible to phishing attacks. We need to equip ourselves with knowledge to differentiate a real/genuine mail from phishing mails.

  6. Sundar
    August 13, 2012 at 12:29 pm

    What’s the remedy if I’ve given my bank log in ID and password, only to realize it’s a fake mail upon entering into the next window, where it asked for Card No., Transaction password, etc.? I quickly relogged into the bank website and changed both internet password and transaction password. Is this enough or should i be doing something else? Please advise

  7. Alex John
    September 13, 2012 at 6:06 pm

    Friends…even I have received this mail today. Just by seeing the refund amount itself I got suspicious :P. Thanks for this very informative blog…

  8. Laxmi
    November 9, 2012 at 11:59 pm

    I got the email this morning. Since it looked suspicious, i just checked the address of the link. It had a .dk url. So, i promptly deleted it. Your post is detailed and informative. Glad i didn’t click on the link !

  1. No trackbacks yet.

Leave a Reply

Fill in your details below or click an icon to log in:

WordPress.com Logo

You are commenting using your WordPress.com account. Log Out /  Change )

Google+ photo

You are commenting using your Google+ account. Log Out /  Change )

Twitter picture

You are commenting using your Twitter account. Log Out /  Change )

Facebook photo

You are commenting using your Facebook account. Log Out /  Change )


Connecting to %s

%d bloggers like this: