MailGuard has intercepted a phishing email impersonating the Internal Revenue Service (IRS), designed to pressure recipients into submitting personal information and connecting a cryptocurrency wallet through a fake digital asset verification portal.
The email claims to come from “IRS Authority” and uses subject lines such as “Digital Asset Transaction Records for Tax Audit” followed by a random five-digit number. The message warns the recipient that the IRS has received information from digital asset brokers showing cryptocurrency transactions that do not match their most recent tax return. It claims that action is required to avoid audit flags, civil penalties, or enforcement proceedings.
The email uses official-looking formatting, references to Form 1099-DA, tax compliance language, and a prominent “Beginning Verification” button to encourage recipients to act quickly. However, the message does not come from the IRS. MailGuard observed the display name “IRS Authority” using the address hello(at)etoilecollective(dot)com(dot)au.
Recipients who click the “Beginning Verification” button are taken to a phishing site that closely imitates the IRS website.
The fake site is designed to appear legitimate, with IRS branding, government-style navigation, and links that appear to point to genuine IRS pages. This is a common tactic used to build trust. By surrounding the malicious pathway with legitimate-looking content, attackers make the page feel more credible.
By comparison, this is what the legitimate IRS website looks like:
Example phishing content shown using IRS branding. Not affiliated with or endorsed by IRS.
The first stage of the scam asks the recipient to provide personal and billing information, including:
• Full name
• Address
• Email address
• Date of birth
• Phone number
The page claims this information is required as part of a “Self-Disclosure of Digital Assets” process.
The second stage asks the recipient to connect a self-custody cryptocurrency wallet through a wallet connection interface. The page claims this is for “read-only access” and states that no transactions will be initiated.
MailGuard observed wallet options including MetaMask, Trust Wallet, Coinbase Wallet, Ledger, Trezor Wallet, Phantom Wallet, OKX Wallet, Rabby Wallet, Uniswap Wallet, Solflare, and Magic Eden.
Example phishing content shown using IRS branding. Not affiliated with or endorsed by IRS.
Further screens show device selection prompts and wallet connection windows.
One screen asks the user to select a recovery phrase type, including 12-word, 18-word, or 24-word recovery phrases.
This is a major red flag. A recovery phrase, also known as a seed phrase, should never be entered into a website or shared with any third party. Anyone who obtains a wallet recovery phrase may be able to take control of the wallet and steal its contents.
This phishing campaign combines several powerful social engineering techniques. It uses the authority of a tax agency, the fear of an audit, the complexity of digital asset reporting, and the urgency of a five-business-day response window to pressure recipients into acting quickly.
The campaign is also carefully designed to feel procedural. Rather than immediately asking for sensitive information, it creates a multi-step verification process that appears to follow a legitimate compliance workflow.
That structure is important. By the time the recipient reaches the wallet connection stage, they may already feel committed to completing the process.
The references to “read-only access” are also deceptive. While the page claims no transactions will be executed, the presence of wallet connection prompts and recovery phrase selection screens suggests the campaign may be designed to steal access to cryptocurrency wallets.
Recipients should be cautious of emails that:
Claim to be from a tax authority but come from an unrelated sender domain.
Use urgent tax audit or penalty language to pressure immediate action.
Ask for personal details through a link in an unsolicited email.
Direct users to domains that are not official government websites.
Ask users to connect a cryptocurrency wallet.
Request or reference wallet recovery phrases.
Legitimate tax agencies do not ask taxpayers to connect cryptocurrency wallets or enter wallet recovery phrases through unsolicited email links.
As digital assets become more common, cybercriminals are adapting their tactics. Many phishing campaigns now target not only passwords and payment details, but also wallet access, seed phrases, and personal identity information that can be used for further fraud.
This campaign demonstrates how attackers combine familiar institutions with emerging financial behaviours. Tax reporting, cryptocurrency ownership, and wallet verification are all complex enough to create uncertainty. Attackers exploit that uncertainty to make unusual requests appear plausible.
Stay Safe, Know the Signs
MailGuard advises all recipients of these emails to delete them immediately without clicking on any links. Responding or providing personal details can lead to identity theft, data breaches, and financial losses.
Avoid emails that:
Many businesses turn to MailGuard after a near miss or incident. Don't wait until it's too late. Reach out to our team for a confidential discussion by emailing expert@mailguard.com.au or calling 1300 30 44 30.
All that it takes to devastate your business is a cleverly worded email message that can steal sensitive user credentials or disrupt your business operations. If scammers can trick one person in your company into clicking on a malicious link or attachment, they can gain access to your data or inflict damage on your business.
For a few dollars per staff member per month, you can protect your business with MailGuard's specialist AI-powered, zero-day email security. Special Ops for when speed matters! Our real-time zero-day, email threat detection amplifies our client’s intelligence, knowledge, security and defence. Talk to a solution consultant at MailGuard today about securing your company's inboxes.
Stay up-to-date with MailGuard's latest blog posts by subscribing to free updates. Subscribe to weekly updates by clicking on the button below.