Phishing emails from the “IRS” are Back

In the US, many people fear the Internal Revenue Service (IRS). When a US citizen receives any type of communication from the IRS, they take notice. The cyber bad guys know that too and send IRS phishing messages to unwitting US citizens. In addition to scam voice mails and texts about your Social Security number being at risk, a “credible looking” yet fake IRS email has been sent to tens of thousands of email inboxes across the US. The question of authenticity can be explained in one quote, "The IRS does not send emails about your tax refund or sensitive financial information," says the IRS Commissioner. But hackers continue to send phishing scams capitalizing on concerns about the pandemic-related Economic Impact Payments and wider international COVID-19 concerns.

The fake email looks like it came from support@irs.gov, and the email claims that the IRS could not reach you by phone so now it is emailing you with a demand for more than $1,400 you supposedly owe in taxes.  Failure to pay, the letter says, will lead to a visit from the sheriff's department and a notification to credit bureaus.  Per the fraudulent email message, "The opportunity to take care of this voluntarily is quickly coming to an end... you can email back to the get the payment mode... please let us know what your intention is by today so we can hold your case or else we will submit the paperwork to the local county Sheriff's Department."  This is very upsetting to many, who will act on the fake message.

If you get an email like this, it should be an instant red flag because cybercriminals love to use fear and urgency in their phishing campaigns. They hope you will take action before you think about it. Researchers at Abnormal Security tracked this phishing campaign after it reached between 50,000 and 70,000 email accounts and produced the following findings: this specific campaign is even more convincing because the attackers spoofed or imitated a legitimate domain. A reader who takes the time to look closer will find clues that this email is a fake. Although the email appears to originate from the domain 'irs.gov', analysis of the email headers reveals that the true sender domain is 'shoesbagsall.com'. Additionally, the 'Reply-To' email is 'legal.cc@outlook.com', which is not associated with the IRS and instead leads directly back to the attacker.

These are two obvious indicators of fraud, but they are certainly not the only ones. IRS-related phishing scams target different audiences. Some target tax preparers, others target human resources (HR) and payroll teams or services, and some may be directed to individual taxpayers.
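The two header indicators described above can be checked mechanically. The following is an added example, not code from Abnormal Security or Red Sky Alliance: it compares the visible From domain with the Return-Path and Reply-To domains and reads the receiving server's DMARC verdict. The sample messages are constructed, and placing the true sender domain in Return-Path is an assumption, since the article does not say which header exposed it.

```python
import re
from email import message_from_string
from email.utils import parseaddr

# Constructed sample. Only the three addresses/domains come from the article;
# the local part "bounce", the use of Return-Path for the true sender domain,
# and the Authentication-Results line are assumptions for illustration.
SAMPLE = """\
Return-Path: <bounce@shoesbagsall.com>
From: "IRS Support" <support@irs.gov>
Reply-To: legal.cc@outlook.com
Subject: Final notice
Authentication-Results: mx.example.com; spf=pass smtp.mailfrom=shoesbagsall.com; dmarc=fail header.from=irs.gov

(body omitted)
"""

# Constructed message in which every sender header agrees with From.
CLEAN = """\
Return-Path: <news@mail.example.org>
From: Newsletter <news@example.org>
Authentication-Results: mx.example.com; dmarc=pass header.from=example.org

(body omitted)
"""

def domain_of(value):
    """Lowercase domain of the first address in a header value, or ''."""
    addr = parseaddr(value or "")[1]
    return addr.rpartition("@")[2].lower() if "@" in addr else ""

def aligned(domain, from_domain):
    """Same domain or a subdomain of it (rough stand-in for DMARC relaxed alignment)."""
    return domain == from_domain or domain.endswith("." + from_domain)

def header_findings(raw):
    """Return a list of sender-header inconsistencies for one raw message."""
    msg = message_from_string(raw)
    from_dom = domain_of(msg["From"])
    findings = []
    for name in ("Return-Path", "Reply-To"):
        dom = domain_of(msg[name])
        if dom and not aligned(dom, from_dom):
            findings.append(f"{name} domain {dom} does not match From domain {from_dom}")
    m = re.search(r"\bdmarc=(\w+)", msg.get("Authentication-Results", ""), re.I)
    if m and m.group(1).lower() != "pass":
        findings.append(f"DMARC result is {m.group(1).lower()}")
    return findings
```

Calling `header_findings(SAMPLE)` returns three findings, while `header_findings(CLEAN)` returns an empty list. A mismatched Reply-To is not proof of fraud on its own, since some legitimate senders use one, so treat these findings as reasons to look closer.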

What is the biggest problem with an email or text message claiming to come from the IRS with information about a refund, a balance owed, or a request to verify W-2 data? The IRS will never send emails like these. Ignore them, PERIOD.

If you have any questions about an email that states it is from the IRS, stop reading it and immediately visit:  https://www.irs.gov/privacy-disclosure/report-phishing  Per the link: "The IRS doesn't initiate contact with taxpayers by email, text messages or social media channels to request personal or financial information. This includes requests for PIN numbers, passwords or similar access information for credit cards, banks or other financial accounts."

The Internal Revenue Service provides a list of things it will not do. Looking at this list can help you avoid being scammed. The IRS will not:

  • Call to demand immediate payment using a specific payment method such as a prepaid debit card, gift card or wire transfer. Generally, the IRS will first mail a bill to any taxpayer who owes taxes.
  • Demand that you pay taxes without the opportunity to question or appeal the amount they say you owe. You should also be advised of your rights as a taxpayer.
  • Threaten to bring in local police, immigration officers or other law-enforcement to have you arrested for not paying. The IRS also cannot revoke your driver’s license, business licenses, or immigration status.

If you or a friend/relative, especially a senior citizen, receive emails relating to these things, you can be quite confident they are fake.

The IRS has several options for reporting IRS-related scams, depending on the type of phishing attack you received and whether or not you or your organization fell for it.

For individual phishing emails that you believe are fake:

  • Forward the scam or phishing email to phishing@irs.gov.

For W-2 related phishing scams, the IRS suggests the following:

  • If you accidentally gave cybercriminals W-2 information, email dataloss@irs.gov to notify the IRS of a W-2 data loss and provide contact information. In the subject line, type "W2 Data Loss" so that the email can be routed properly. Do not attach any employee personally identifiable information (PII).
  • Businesses/payroll service providers should file a complaint with the FBI's Internet Crime Complaint Center (IC3.gov). Businesses/payroll service providers may be asked to file a report with their local law enforcement.
  • Notify employees so they may take steps to protect themselves from identity theft. The FTC's www.identitytheft.gov provides general guidance.

The IRS says it initiates most contacts through USPS mail, not by email, text or phone call. That is important to keep in mind next time an urgent IRS phishing email arrives in your email inbox.

Red Sky Alliance has been analyzing and documenting cyber threats, vulnerabilities and cyber scams for over 9 years and maintains a resource library of malware and cyber actor reports. Malware comes and goes, but it is often dusted off and reappears in current campaigns.

Join our Alliance at:  https://www.redskyalliance.org/      It’s FREE.

Red Sky Alliance is a Cyber Threat Analysis and Intelligence Service organization. For questions, comments or assistance, please contact the lab directly at 1-844-492-7225, or feedback@wapacklabs.com

Weekly Cyber Intelligence Briefings: 

https://attendee.gotowebinar.com/register/8782169210544615949

 

 
