
Here's How to Avoid IRS Phishing Scams During Tax Season

By Mary Beth Hamilton | Thursday, February 8th, 2018

As April 17th (US) and April 30th (Canada) near, cyber scammers are pulling out all their tax scams to trick consumers and capitalize on the flurry of activity. Our friends over at Proofpoint report that at this time of year they have tracked malware distribution, in addition to the customary phishing schemes, among the email threats related to federal taxes.

The IRS is also urging people to remember that “the IRS doesn't initiate contact with taxpayers by email, text messages or social media channels to request personal or financial information. In addition, IRS does not threaten taxpayers with lawsuits, imprisonment or other enforcement action.”

So to help our clients stay vigilant, we’re highlighting some recent phishing tricks and sharing phishing flags every employee should recognize.

IRS Phishing and Malware Scam Examples

Example 1: Malware Distribution

This first example centers on malware delivery and was identified by the Proofpoint[1] researchers who analyzed numerous tax/IRS-related phishing emails. In this IRS phishing campaign, the recipient was asked to read the IRS Privacy Policy, which was attached to the email (hint: don’t open unexpected attachments!). With this campaign, once the attachment was opened and the embedded macros were enabled, the macros downloaded malware (Dridex botnet ID 1105).

[Image: IRS malware scam email, via Proofpoint]

Example 2: IRS Phishing Email + Webpage

The next IRS phishing scam example also comes from Proofpoint’s analysts. (Side note, here at Eze Castle we use Proofpoint internally and provide it to our clients.)

Proofpoint says that “tax-themed phishing remained the most popular attack this season. These phishing schemes continue to employ a variety of templates and attack styles and, for the first time, adopted some of the more sophisticated approaches [Proofpoint has] previously observed in Gmail and PayPal phishing schemes.”

The following image highlights an email claiming to be from the IRS (note that the sender’s domain is not under the US government top-level domain, .gov).

[Image: IRS phishing scam email, via Proofpoint]

Proofpoint also states that “the attached document ‘IRS-gov Copyright.html’ is a phishing page that sends the personal information collected in the form back to the attacker. The use of HTML attachments rather than links is not a novel approach, but in this case the stolen branding and template used accurately mirror real pages from The email lure, despite some grammatical errors, also effectively uses the stolen IRS branding and imparts a sufficient sense of urgency to encourage users to submit the form.”

[Image: Fake IRS website, via Proofpoint]

Red Flags to Help Avoid Tax Season Phishing & Malware Scams

Phishing attempts can occur via email, phone, instant message, SMS or social media. Here’s what to look out for:

  • Check the sender email address as well as “to” and “cc” fields

  • Is it personalized? Be wary of generic greetings

  • Improper spelling and grammar can be giveaways as well

  • An overwhelming sense of urgency requesting personal information

  • Links! Only click on those that you are expecting (same goes for attachments)

  • Suspicious emails from trusted sources can happen. If your friend/colleague sends a strange message, their account may have been attacked.

Be aware that landing on the wrong website can expose a firm to risks, so be on the lookout for these signs that could signal it is a malicious site:

  • Check for the presence of an address, phone number and/or email contact

  • Check the web address for misspellings, extra words, characters or numbers that seem off or suspicious

  • Roll your mouse pointer over a link to reveal its true destination, displayed in the bottom left corner of your browser

  • If there is NO padlock in the browser window or ‘https://’ at the beginning of the web address to signify that it is using a secure link, do not enter personal information on the site

  • Be wary of websites that request lots of personal information

  • Avoid ‘pharming’ by checking the address in your browser's address bar after you arrive at a website to make sure it matches the address you typed

  • Be wary of websites that are advertised in unsolicited emails from strangers
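Several of the red flags above (a sender that claims to be the IRS but does not use a .gov address, a generic greeting, urgency language, link text that shows one site while the real destination is another, and a destination without https) can be checked mechanically. The following is an added example, not code from Eze Castle or Proofpoint: it runs those checks over a constructed sample message modelled on the lure described above. The sample address and domain are invented placeholders.

```python
import re
from email import message_from_string
from email.utils import parseaddr
from urllib.parse import urlparse

# Constructed sample modelled on the IRS lure described above; not a real capture.
SAMPLE_EML = """\
From: "Internal Revenue Service" <refunds@irs-gov-refund.example>
Subject: URGENT: Your tax refund is on hold
Content-Type: text/html

<html><body>Dear Taxpayer,
Your refund cannot be released until you confirm your identity within 24 hours.
<a href="http://irs-gov-refund.example/verify">https://www.irs.gov/refunds</a>
</body></html>
"""
# Simple anchor matcher; a production mail filter would use a proper HTML parser.
ANCHOR_RE = re.compile(r'<a[^>]*href="([^"]+)"[^>]*>(.*?)</a>', re.I | re.S)

def phishing_flags(raw_eml: str) -> list[str]:
    """Return the checklist red flags the message trips (empty list if none)."""
    msg = message_from_string(raw_eml)
    flags = []
    display, addr = parseaddr(msg.get("From", ""))
    domain = addr.rsplit("@", 1)[-1].lower()
    # Sender claims to be the IRS, but the address is not under .gov
    if "irs" in (display + " " + domain).lower() and not domain.endswith(".gov"):
        flags.append(f"sender domain {domain} is not a .gov domain")
    body = msg.get_payload(decode=True).decode(errors="replace")
    # Generic greeting rather than the recipient's name
    if re.search(r"dear (taxpayer|customer|user)\b", body, re.I):
        flags.append("generic greeting")
    # Pressure to act quickly
    if re.search(r"\burgent\b|within \d+ hours|immediately", body, re.I):
        flags.append("urgency language")
    for href, text in ANCHOR_RE.findall(body):
        host = urlparse(href).hostname or ""
        shown = urlparse(text.strip()).hostname if text.strip().startswith("http") else None
        # Visible link text names one site while the real destination is another
        if shown and shown != host:
            flags.append(f"link text shows {shown} but destination is {host}")
        # Destination is plain http, so the browser would show no padlock
        if urlparse(href).scheme.lower() != "https":
            flags.append(f"link to {host} is not https")
    return flags

if __name__ == "__main__":
    for flag in phishing_flags(SAMPLE_EML):
        print("FLAG:", flag)
```

Run against the sample, the function reports all five flags; a message from a legitimate sender with a plain https link reports none.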

Simulated phishing attacks, such as those provided with our Eze Managed Phishing and Training Service, expose employees to safe "real-world" phishing attacks and actively change an employee's cyber behavior.

[1] Source: Proofpoint's article, "Another Tax Season Brings More Phishing Lures and a Variety of Malware"

