A recent phishing campaign has been discovered that deceived the US Internal Revenue Service (IRS) and tells recipients that their are facing immediate legal action to take back a huge tax repayment. These emails are expertly written and demand immediate payment of to prevent stop legal action. The sender claims to have attempted to call the recipient to no avail and have been forced to take legal action.

Compared to other scams, that ask for login credentials or attempt to get the user to open file attachments to trigger a malware download, this particular attack utilised social engineering techniques to frighten the receiver into making contact by email to resolve this supposed issue. This aim of the scam is to get the recipient to send money or share their financial account information.

These scammers have purposely left out any hyperlinks or attachments to increase the chances of it making to inboxes and deceiving anti spam devices. The message body contains all the classic hallmarks of a phishing scam:

  • There is urgency to get prompt action taken – Immediate resolution of the issue is necessary
  • There is a threat of negative consequences if no action is taken – Legal action to recover funds
  • The request is plausible, but an atypical request is made – to only make contact via email

The emails include a case file number, detail the outstanding amount – $1460.61 in this case – and include a docket number and warrant ID for the impending legal action. The receiver is told that legal action will being within four days if payment is not made in that time. The opportunity for voluntary action to fix this issue is coming to and end. Adding to the threat of legal action, the recipient is told that credit reference bureaus may also be notified about this false late/missed payment, negatively impacting their credit score.

These emails have the subject line “Re: Re: Case ID#ON/7722 / WARRANT FOR YOUR ARREST,” which indicates that this is not the first time this message has been sent; emphasising this is a ‘final warning’

These phishing emails highlight the vitality of stopping and thinking of what any email is asking you to do before responding – no matter how dangerous the threat might be. Any and all requests for payments should be verified over phone with contact info being received by a trusted source. A call to the IRS would quickly dissolve this scam.

Precautions have been made to make the emails seem more legitimate, such as making it seem the sender has @irs.gov as its address – a legitimate domain used by the IRS. However the reply to email address supplied it legal.cc@outlook.com – clearly not a real IRS domain name. The emails does include a postal address but no telephone number is included. Full contact info would be given by an official in the IRS but never would they initiate contact by email.

The reason these scams succeed is because they rely on individuals responding quickly without thinking. An effective spam filter will detect these scam emails and will quarantine or reject the messages.