By Bruce Sussman
Wed | Nov 11, 2020 | 3:15 AM PST

A credible-looking but fake IRS email is hitting tens of thousands of inboxes across the United States.

Did you get one of these emails? Or perhaps something similar that seems like it probably did not come from the Internal Revenue Service?

We'll look at how to tell whether emails that appear to come from the IRS are really from hackers, and how to report them. However, we'll start with a recent example of an IRS cybercrime scam.

Phishing campaign sends fake IRS emails

It looks like it comes from support@irs.gov (you can see that at the top left), and the email claims that the IRS couldn't reach you by phone so now it's emailing you with a demand for more than $1,400 you supposedly owe in taxes.

Failure to pay, the letter says, will lead to a visit from the sheriff's department and a notification to credit bureaus.

That sounds bad, doesn't it? Ruined credit and a visit from deputies. Now that the letter has you worried, it warns that you must take action quickly:

"The opportunity to take care of this voluntarily is quickly coming to an end... you can email back to the get the payment mode... please let us know what your intention is by today so we can hold your case or else we will submit the paperwork to the local County Sheriff's Department."

Reading something like this should be an instant red flag because cybercriminals love to use fear and urgency in their phishing campaigns. They hope you will take action before you think about it or before you discover the clues that indicate this is a fake and you are being scammed.


This email is a phish, sent by cybercriminals trying to trick you into paying them the money. 

Researchers at Abnormal Security tracked this phishing campaign after it reached between 50,000 and 70,000 email accounts, and discovered the following items.

How can you check to see if an IRS email is fake?

Security researchers say this attack is extra convincing because the attackers spoofed or imitated a legitimate domain. However, they looked a little deeper to find clues this email is a fake:

"Although the email appears to originate from the domain 'irs.gov', analysis of the email headers reveals that the true sender domain is 'shoesbagsall.com'. Additionally, the 'Reply-To' email is 'legal.cc@outlook.com', which is not associated with the IRS and instead leads directly back to the attacker."

So these are two clues to look for. However, they are certainly not the only ones, especially because IRS-related phishing scams vary tremendously. Some target tax preparers, others target HR and payroll teams or services, and many go after individual taxpayers.
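The two header clues described above can be checked mechanically. The following is an added example, not code from the researchers or the original article. It assumes the "true sender domain" is read from the Return-Path header, and the sample message, including its Authentication-Results line, is constructed; only the three domains quoted above come from the article.

```python
from email import message_from_string
from email.utils import parseaddr

# Constructed sample headers (not the real message). Only irs.gov,
# shoesbagsall.com and legal.cc@outlook.com are taken from the article.
SAMPLE = """\
Return-Path: <bounce@shoesbagsall.com>
From: IRS Support <support@irs.gov>
Reply-To: legal.cc@outlook.com
To: taxpayer@example.com
Subject: Final notice
Authentication-Results: mx.example.com; spf=pass smtp.mailfrom=shoesbagsall.com; dmarc=fail header.from=irs.gov

Constructed body.
"""

def domain_of(header_value):
    """Return the lower-cased domain of the address in a header, or ''."""
    _, addr = parseaddr(header_value or "")
    return addr.rpartition("@")[2].lower() if "@" in addr else ""

def header_clues(raw_message):
    """Compare the visible From domain with Return-Path and Reply-To."""
    msg = message_from_string(raw_message)
    from_dom = domain_of(msg.get("From"))
    clues = []
    # Assumption: Return-Path carries the envelope (true) sender domain.
    envelope_dom = domain_of(msg.get("Return-Path"))
    if envelope_dom and envelope_dom != from_dom:
        clues.append(f"sender domain {envelope_dom} differs from From domain {from_dom}")
    reply_dom = domain_of(msg.get("Reply-To"))
    if reply_dom and reply_dom != from_dom:
        clues.append(f"Reply-To domain {reply_dom} differs from From domain {from_dom}")
    # The receiving server's own verdict, if it recorded one.
    auth = (msg.get("Authentication-Results") or "").lower()
    if "dmarc=fail" in auth:
        clues.append("receiving server recorded dmarc=fail")
    return clues

if __name__ == "__main__":
    for clue in header_clues(SAMPLE):
        print("clue:", clue)
```

A mismatch is a reason to look closer rather than proof of fraud, since legitimate bulk mailers also send with a different envelope domain.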

What will the IRS email or text about?

What is the biggest problem with an email or text message claiming to come from the IRS with information about a refund, a balance owed, or a request to verify W-2 data?

The IRS will never send these.

"The IRS does not send emails about your tax refund or sensitive financial information," says IRS Commissioner Chuck Rettig.

In fact, on the special IRS page about these types of scams, the agency says this:

"The IRS doesn't initiate contact with taxpayers by email, text messages or social media channels to request personal or financial information. This includes requests for PIN numbers, passwords or similar access information for credit cards, banks or other financial accounts."

And the Internal Revenue Service provides a list of things it will not do. Looking at this list can help you avoid being scammed. The IRS will not:

  • Call to demand immediate payment using a specific payment method such as a prepaid debit card, gift card or wire transfer. Generally, the IRS will first mail a bill to any taxpayer who owes taxes.
  • Demand that you pay taxes without the opportunity to question or appeal the amount they say you owe. You should also be advised of your rights as a taxpayer.
  • Threaten to bring in local police, immigration officers or other law-enforcement to have you arrested for not paying. The IRS also cannot revoke your driver’s license, business licenses, or immigration status. 

So if you get emails relating to these things, you can be quite confident they are fake.

How can I report fake IRS emails and phishing attacks?

The IRS has several options for reporting IRS-related scams, depending on the type of phishing attack you received and whether or not you or your organization fell for it.

For individual phishing emails that you believe are fake:

For W-2 related phishing scams, the IRS suggests the following:
  • If you accidentally gave cybercriminals W-2 information, email dataloss@irs.gov to notify the IRS of a W-2 data loss and provide contact information. In the subject line, type "W2 Data Loss" so that the email can be routed properly. Do not attach any employee personally identifiable information (PII).
  • Businesses/payroll service providers should file a complaint with the FBI's Internet Crime Complaint Center (IC3.gov). Businesses/payroll service providers may be asked to file a report with their local law enforcement.
  • Notify employees so they may take steps to protect themselves from identity theft. The FTC's www.identitytheft.gov provides general guidance.

The IRS says it initiates most contacts through snail mail, not by email, text, or phone call.

That is something to keep in mind next time an urgent IRS phishing email hits your inbox. 
