IRS Impersonation Attacks Spread Malware Nationwide

tax fraud and scams

The emails are well-crafted and extremely convincing.

The Internal Revenue Service (IRS) is warning taxpayers about a snowballing email attack that uses messages pretending to be legitimate IRS communications. The end game for the effort is malware being installed on unsuspecting users’ machines; imposters may gain control of the taxpayer’s computer or secretly download software that tracks every keystroke, eventually giving them passwords to sensitive accounts, such as financial accounts.

The gambit starts with messages to taxpayers from email addresses that spoof legitimate IRS addresses. The emails contain a link to a spoofed website that displays fake details about the targeted recipient’s tax refund, return or account.

The fake emails have subject lines like “Automatic Income Tax Reminder” or “Electronic Tax Return Reminder.” They claim to contain a “temporary password” or “one-time password” to access the files purportedly needed to submit a request for a refund or for information. However, those files are actually just malware in disguise.

“The emails instruct the recipient to access their refund information by entering a provided password on the spoofed website,” the Cybersecurity and Infrastructure Security Agency (CISA) said in an alert issued Friday. “By entering the password, the victim unintentionally downloads malware that could enable the malicious cyber actors to take control of the affected system or obtain sensitive information.”

The impersonation scam campaign is spreading nationally, according to the IRS. The fraudsters behind it are using dozens of compromised websites and web addresses that pose as, making it “a challenge to shut down,” according to the IRS. The attacks are working, despite the fact that it’s outside of traditional tax season for most Americans.

“This latest scheme is yet another reminder that tax scams are a year-round business for thieves. We urge you to be on guard at all times,” said IRS Commissioner Chuck Rettig, in a statement.

Consumers can avoid issues by remembering that the IRS still favors snail mail.

“The IRS would never call or email directly asking for personal information online. It is best to always ignore suspicious calls and emails and reach out to organizations, like the IRS, directly if there are any questions,” Chris Morales, head of security analytics at Vectra, told Threatpost. “A risk is malware attacks from links and attachments that can compromise your local system to gain access to sensitive information.”

Joseph Carson, head of global strategic alliances at Thycotic, told Threatpost that the emails are so authentic looking it is difficult for consumers to tell the difference from the real thing.

“These scams arrive via email in your inbox at exactly the right time,” he said. “All signs show that the email came from the IRS, it has your name on the email, the antivirus did not detect anything and it did not go to the spam filter. Therefore, it must be the real thing.”

There are several protection steps that consumers can take, he added.

“The quickest is to develop better cybersecurity hygiene by educating consumers on ways to detect email scams,” Carson noted. “Another way to stop and prevent such scams is to use a good email spam filter that will help ensure such email scams do not make it to the email inbox.”

Interested in more on the internet of things (IoT)? Don’t miss our free Threatpost webinar, “IoT: Implementing Security in a 5G World.” Please join Threatpost senior editor Tara Seals and a panel of experts as they offer enterprises and other organizations insight about how to approach security for the next wave of IoT deployments, which will be enabled by the rollout of 5G networks worldwide. Click here to register.


Suggested articles