The Internal Revenue Service has warned taxpayers about a phishing email campaign in which scammers send what appear to be legitimate communications from the IRS. The emails are designed to convince recipients to install malware on their computers. The malware in question is a keylogger: it records the user's keystrokes, giving the scammers passwords and, with them, access to sensitive accounts, including financial accounts.
The scam is a classic example of social engineering in a phishing email. The email opens with a simple message to the taxpayer, sent from addresses that spoof legitimate IRS addresses. It also contains a link to a spoofed copy of the IRS website showing fake details about the recipient's account, tax refund, or tax return.
The emails carry subject lines such as "Electronic Tax Return Reminder" and "Automatic Income Tax Reminder." They claim to provide a "one-time password" for accessing files purportedly needed to submit an information request or receive a refund. The files are actually malware.
The Cybersecurity and Infrastructure Security Agency (CISA) released an alert on Friday:
"The emails instruct the recipient to access their refund information by entering a provided password on the spoofed website. By entering the password, the victim unintentionally downloads malware that could enable the malicious cyber actors to take control of the affected system or obtain sensitive information."
- CISA statement on the IRS phishing attack.
The IRS warns that the scam is spreading across the country. The scammers behind it are using several compromised websites and addresses that pose as the original IRS.gov website, making it difficult to shut them all down. The attacks are also working quite well, even though it isn't tax season for most Americans.
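The lure described above has observable traits a mail filter can score: the known subject lines, an "IRS" display name on a non-irs.gov sender address, the "one-time password" refund pretext, and links to look-alike hosts that are not IRS.gov. The following heuristic triage script is an added example, not code from the IRS, CISA or the article; the two messages are constructed samples, and the scoring rules are assumptions drawn from the article's description rather than any official indicator list.

```python
"""Heuristic triage for IRS refund phishing lures (constructed example)."""
import re
from email import message_from_string
from email.utils import parseaddr
from urllib.parse import urlparse

# Subject lines named in the IRS/CISA warning (lower-cased for comparison)
LURE_SUBJECTS = {"electronic tax return reminder", "automatic income tax reminder"}
URL_RE = re.compile(r"https?://[^\s\"'<>]+")

def is_irs_domain(host):
    """True only for irs.gov itself or a subdomain of it."""
    host = host.lower()
    return host == "irs.gov" or host.endswith(".irs.gov")

def _body_text(msg):
    """Concatenate the text/plain parts of a parsed message."""
    parts = msg.walk() if msg.is_multipart() else [msg]
    return "\n".join((p.get_payload(decode=True) or b"").decode("utf-8", "replace")
                     for p in parts if p.get_content_type() == "text/plain")

def triage(raw):
    """Return the list of lure indicators found in a raw RFC 822 message (empty = none)."""
    msg = message_from_string(raw)
    findings = []
    if (msg.get("Subject") or "").strip().lower() in LURE_SUBJECTS:
        findings.append("known lure subject")
    name, addr = parseaddr(msg.get("From") or "")
    # Display name claims to be the IRS but the mailbox domain is not irs.gov
    if re.search(r"\bIRS\b", name) and not is_irs_domain(addr.rsplit("@", 1)[-1]):
        findings.append("IRS display name with non-irs.gov sender domain")
    body = _body_text(msg)
    if "one-time password" in body.lower() and ("refund" in body.lower() or "tax return" in body.lower()):
        findings.append("one-time password refund pretext in body")
    for url in URL_RE.findall(body):
        host = urlparse(url).hostname or ""
        # Flag hosts with an "irs" label (e.g. irs-notice..., irs.gov.example...) that are not IRS.gov
        if "irs" in re.split(r"[.-]", host.lower()) and not is_irs_domain(host):
            findings.append(f"IRS look-alike link host: {host}")
    return findings

# Constructed sample messages (not real indicators)
PHISH = ('From: "IRS Refund Service" <refund@irs-notice.example.net>\n'
         "To: taxpayer@example.org\nSubject: Automatic Income Tax Reminder\n"
         "Content-Type: text/plain\n\nYour refund is ready. Use the one-time password 48213 at\n"
         "https://irs.gov.refund-portal.example.net/login to access your tax return file.\n")
LEGIT = ('From: "Payroll" <payroll@example.org>\nTo: taxpayer@example.org\n'
         "Subject: Q3 timesheet reminder\nContent-Type: text/plain\n\n"
         "Please submit your timesheet via https://hr.example.org/timesheets by Friday.\n")

if __name__ == "__main__":
    print(triage(PHISH))   # four indicators
    print(triage(LEGIT))   # []
```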
The IRS encouraged people to protect themselves from the scam by remembering that the agency still prefers regular mail to email.
The IRS never calls or emails someone directly to ask for personal information online. Ignore any suspicious calls or emails, and if you are ever unsure, contact the IRS yourself about the communication.
The scam is hard for some people to detect because it arrives at just the right moment and looks legitimate: it appears to come from the IRS, carries the recipient's name, doesn't trigger antivirus software, and isn't automatically flagged as spam. To most people, that makes it seem genuine.
Consumers are urged to follow good cybersecurity habits: learn how to spot email scams, and consider an updated spam filter so that such emails never reach your inbox.