Digital Assets Report

Here’s how to avoid IRS phishing scams during tax season

By Mary Beth Hamilton, Eze Castle Integration – As 17 April (US) and 30 April (Canada) near, cyber scammers are pulling out all their tax scams to trick consumers and capitalise on the flurry of activity. Our friends over at Proofpoint report that at this time of year they have tracked malware distribution, in addition to the customary phishing schemes, among the email threats related to federal taxes.

The IRS is also urging people to remember that “the IRS doesn’t initiate contact with taxpayers by email, text messages or social media channels to request personal or financial information. In addition, IRS does not threaten taxpayers with lawsuits, imprisonment or other enforcement action.”

So to help our clients stay vigilant, we’re highlighting some recent phishing tricks and sharing phishing flags every employee should recognise.

IRS Phishing and Malware Scam Examples

Example 1: Malware Distribution

This first example centres on malware delivery and was identified by the Proofpoint researchers who analysed numerous tax/IRS-related phishing emails. In this IRS phishing campaign, the recipient was asked to read the IRS Privacy Policy, which was attached to the email (hint: don’t open unexpected attachments!). Once the attachment was opened and the embedded macros were enabled, the macros downloaded malware (Dridex botnet ID 1105).

Example 2: IRS Phishing Email & Webpage

The next IRS phishing scam example also comes from Proofpoint’s analysts. (Side note, here at Eze Castle we use Proofpoint internally and provide it to our clients.)

Proofpoint says that “tax-themed phishing remained the most popular attack this season. These phishing schemes continue to employ a variety of templates and attack styles and, for the first time, adopted some of the more sophisticated approaches [Proofpoint has] previously observed in Gmail and PayPal phishing schemes.”

The email claimed to be from the IRS, but the sender domain was not a valid US government top-level domain (i.e. .gov).

Proofpoint also states that “the attached document ‘IRS-gov Copyright.html’ is a phishing page that sends the personal information collected in the form back to the attacker. The use of HTML attachments rather than links is not a novel approach, but in this case the stolen branding and template used accurately mirror real pages from […] The email lure, despite some grammatical errors, also effectively uses the stolen IRS branding and imparts a sufficient sense of urgency to encourage users to submit the form.”

Red flags to help avoid tax season phishing & malware scams

Phishing attempts can occur via email, phone, instant message, SMS or social media. Here’s what to look out for:

• Check the sender email address as well as “to” and “cc” fields
• Is it personalized? Be wary of generic greetings
• Improper spelling and grammar can be giveaways as well
• An overwhelming sense of urgency requesting personal information
• Links! Only click on those that you are expecting (same goes for attachments)
• Suspicious emails from trusted sources can happen. If a friend or colleague sends a strange message, their account may have been compromised.

Be aware that landing on the wrong website can expose a firm to risks, so be on the lookout for these signs that could signal it is a malicious site:

• Check for the presence of an address, phone number and/or email contact
• Check the web address for misspellings, extra words, characters or numbers that seem off or suspicious
• Roll your mouse pointer over a link to reveal its true destination, displayed in the bottom left corner of your browser
• If there is NO padlock in the browser window or ‘https://’ at the beginning of the web address to signify that it is using a secure link, do not enter personal information on the site
• Be wary of websites that request lots of personal information
• Avoid ‘pharming’ by checking the address in your browser’s address bar after you arrive at a website to make sure it matches the address you typed
• Be wary of websites that are advertised in unsolicited emails from strangers
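The two checklists above are the kind of thing a mail gateway or a security team’s triage script can automate. The following is an added example, not code from the article, Eze Castle or Proofpoint: it parses two constructed messages (a tax-themed lure modelled on the Example 2 description, and a benign internal payroll notice) and reports which red flags each one trips: an IRS-branded sender whose domain is not under .gov, an HTML attachment, a generic greeting, urgency language, a link whose visible text names a different host than its real target, a non-HTTPS link, and an IRS-lookalike hostname. The sender domains, keyword lists and filenames are assumptions chosen for the demonstration.

```python
import email
import re
from email import policy
from html.parser import HTMLParser
from urllib.parse import urlparse

# Constructed sample lure (not a real message): IRS branding, a lookalike
# sender domain, a generic greeting, urgency, a link whose visible text names
# a different host than its target, and an HTML form delivered as an attachment.
PHISH_EMAIL = """\
From: "Internal Revenue Service" <refund@irs-gov-secure.example>
To: employee@example.com
Subject: URGENT: Your tax refund is pending verification
MIME-Version: 1.0
Content-Type: multipart/mixed; boundary="BOUNDARY"

--BOUNDARY
Content-Type: text/html; charset="utf-8"

<html><body><p>Dear Taxpayer,</p>
<p>Your refund is on hold. Verify your identity within 24 hours to avoid
legal action: <a href="http://irs-gov-secure.example/verify">https://www.irs.gov/refunds</a></p>
</body></html>
--BOUNDARY
Content-Type: text/html; name="IRS-gov Copyright.html"
Content-Disposition: attachment; filename="IRS-gov Copyright.html"

<html><body><form action="http://irs-gov-secure.example/collect">...</form></body></html>
--BOUNDARY--
"""

# Constructed benign internal message for comparison.
BENIGN_EMAIL = """\
From: "Payroll" <payroll@example.com>
To: alice@example.com
Subject: W-2 forms are available
MIME-Version: 1.0
Content-Type: text/html; charset="utf-8"

<html><body><p>Hi Alice,</p>
<p>Your W-2 is ready in <a href="https://hr.example.com/w2">the HR portal</a>.</p>
</body></html>
"""

# Heuristic word lists (assumptions for this example, tune for your environment)
IRS_KEYWORDS = ("irs", "internal revenue")
GENERIC_GREETINGS = ("dear taxpayer", "dear customer", "dear user", "dear sir/madam")
URGENCY_PHRASES = ("urgent", "immediately", "within 24 hours", "legal action",
                   "lawsuit", "account suspended")
URL_LIKE = re.compile(r"^(https?://)?[\w.-]+\.[a-z]{2,}(/|$)", re.I)


class LinkCollector(HTMLParser):
    """Collect (href, visible text) pairs from an HTML body."""

    def __init__(self):
        super().__init__()
        self.links = []
        self._href = None
        self._text = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href") or ""
            self._text = []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None


def analyze_message(raw: str) -> list[str]:
    """Return a sorted list of red-flag labels found in one RFC 5322 message."""
    msg = email.message_from_string(raw, policy=policy.default)
    flags = set()

    # Flag: claims an IRS identity but the sender domain is not under .gov
    sender = msg["From"].addresses[0]
    claimed = (sender.display_name + " " + sender.domain).lower()
    if any(k in claimed for k in IRS_KEYWORDS) and not sender.domain.lower().endswith(".gov"):
        flags.add("sender-not-gov")

    # Flag: HTML attachments (the phishing page travels inside the mail)
    for part in msg.iter_attachments():
        name = (part.get_filename() or "").lower()
        if name.endswith((".html", ".htm")):
            flags.add("html-attachment")

    body = msg.get_body(preferencelist=("html", "plain"))
    html = body.get_content() if body is not None else ""
    text = re.sub(r"<[^>]+>", " ", html).lower()
    subject = str(msg["Subject"] or "").lower()

    # Flags: generic greeting and urgency language in subject or body
    if any(g in text for g in GENERIC_GREETINGS):
        flags.add("generic-greeting")
    if any(p in subject or p in text for p in URGENCY_PHRASES):
        flags.add("urgency")

    # Flags: visible link text vs. real target, non-HTTPS targets, lookalike hosts
    collector = LinkCollector()
    collector.feed(html)
    for href, shown in collector.links:
        target = urlparse(href)
        if target.scheme and target.scheme != "https":
            flags.add("non-https-link")
        if URL_LIKE.match(shown):
            shown_host = urlparse(shown if "://" in shown else "//" + shown).hostname
            if shown_host and shown_host != target.hostname:
                flags.add("link-text-mismatch")
        if target.hostname and "irs" in target.hostname and not target.hostname.endswith(".gov"):
            flags.add("lookalike-domain")

    return sorted(flags)


if __name__ == "__main__":
    for label, raw in (("lure", PHISH_EMAIL), ("benign", BENIGN_EMAIL)):
        print(label, analyze_message(raw))
```

These are heuristics for triage, not a verdict: the lure above trips all seven flags while the payroll notice trips none, but a single flag on its own (a generic greeting, say) is weak evidence. Note also that the HTTPS check is necessary rather than sufficient; a padlock only tells you the connection is encrypted, and phishing sites obtain certificates too, so the hostname and link-text comparisons carry more weight than the scheme check.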

Simulated phishing attacks, such as those provided with our Eze Managed Phishing and Training Service, expose employees to safe “real-world” phishing attacks and actively change an employee’s cyber behaviour.
