The IRS phishing scam appears to originate from the United States’ official tax law enforcement body, alerting readers that they’re eligible to a tax refund in the hope of stealing sensitive personal information.
This approach is similar to a recent tax refund scam which targeted Australian tax payers, in what appears to be a growing cyber trend.
Below is an example of the email you should look out for:
As you can see the email appears to be sent from IRS - the scammers have successfully forged the sender address to copy an official IRS domain, firstname.lastname@example.org, by fraudulently sending emails from their registered address.
However, these attempts failed a range of technical SPF email checks, which only allow official IRS emails to be sent from specific server locations, alerting our spam filters to its illegitimacy.
The email’s subject ‘Important Message About Your Tax Refund’ immediately catches the reader’s attention.
A sense of urgency is added by the use of a header within the body email copy – “Attention” – which includes the recipient’s email to personalise the communication.
More vigilant readers might be suspicious of an email that addresses the recipient using their email address, rather than their full name.
This IRS tax refund scam uses sophisticated social engineering techniques to prompt a rapid response from readers, claiming that failure to update their information in time could lead a cancellation in the refund payment.
The scammers encourage readers to verify their identity by clicking on a blue hyperlink contained within the email, where they are then directed to a fake landing page, shown below.
As you can see, the cyber criminals have used a sophisticated website cloning software to copy the IRS’ official website, but closer inspection of the webpage URL should immediately warn readers that this page is illegitimate.
While the scammers have inserted copy at the start of the URL to make it appear to be a legitimate www.irs.gov domain, your internet browser should highlight the website’s true URL address which in this case is Atakumbuderusservisi.org and clearly suspicious.
The page encourages users to click on an additional blue link, “Click Here To Continue And Verify Your Information” to continue with the verification process. Additional information outlining the time taken to receive your refund and the process for chasing up a request, adds further legitimacy to this IRS email scam.
An additional information bar with directions for mobile users to download the IRS app adds a further sense of legitimacy, although this feature within the page doesn’t actually work.
Several of the image buttons on the left-hand column of the page also aren’t in operation and have no destination web address , while the tool bar underneath the main page heading includes inappropriate question marks and randomly-created characters, which you wouldn’t expect from a reputable organisation’s webpage.
Once the user has clicked on the link, they see the below screen:
This IRS phishing scam then encourages readers to fill in a range of personal information, including their full name, address, zipcode, social security number (SSN) and Employer Identification Number (EIN - used for tax purposes), driver license number, email address and email password, which are then captured once the blue “Submit” button has been clicked.
Vigilant users would immediately realise the suspiciousness of a webpage that asks a user for both their email address and email password. You’ll also notice that the wrong format is used for an American date of birth field (DD/MM/YY vs MM/DD/YY).
Users are then redirected to the official IRS homepage, giving the impression that the process has been successfully completed. In the meantime, cyber criminals now have access to range of personal details used to steal the reader’s identity.
They also have full access to the victim’s personal email account, allowing them to steal further confidential information and send new spam campaigns from that address.
Protecting your business from phishing emails
Although this IRS scam is aimed at tax payers, phishing scams can also be designed to syphon confidential business information, including usernames and passwords, which could leave you open to data, reputation and financial loss.
Protection from phishing scams requires two things: prevention and education.
A premium cloud email filter will successfully detect suspicious content by scanning emails against wide spam criteria, blocking phishing emails before they reach your inbox.
Because cloud-based email filters are updated in real-time, you’ll be protected against new phishing scams immediately, without the requirement of an update being downloaded.
The second step is through user education, so it’s important that you encourage staff not to open emails that:
- Appear to be sent from a reputable firm, but are not addressed to them by name and include an urgent call to action
- Take you to a landing page with an unofficial-looking URL
- Include grammatical errors or parts of pages which don’t work properly, but claim to be from a legitimate organisation
- Ask you to submit personal information that they should already have access to, or information which usually wouldn’t be asked for, such as your email password. The IRS maintain that they don’t initiate contact with taxpayers by email, text messages or social media channels to request personal or financial information.
Please share our blog with staff members in order to give them information on how to look out for an attack.
Keep up-to-date on the latest email scams by subscribing to MailGuard’s weekly update or follow us on social media.