Phishing scams are not always aimed at stealing users’ credentials. Attackers also use phishing to deliver malware and execute further malicious payloads. The IRS recently issued an alert about a campaign of this kind, warning of a phishing scam that targets taxpayers with malware to steal their personal and financial data.
Phishing Campaign Targeting Taxpayers
Reportedly, the Internal Revenue Service (IRS) has issued a phishing scam alert for taxpayers. According to the warning, scammers are targeting users with malicious emails to deliver malware.
As elaborated in the news release, the IRS has received numerous complaints from users about unsolicited emails. These emails pose as tax reminders sent by the IRS, which they are not.
The subject line of the emails varies, for example “Automatic Income Tax Reminder” or “Electronic Tax Return Reminder”. The body of the email tricks users by showing details that look like their tax account, refund, or electronic return information. It also includes malicious URLs that look similar to the irs.gov website. Specifically, the scammers use ‘dozens of compromised websites and web addresses’ for this purpose, which makes the campaign difficult to shut down.
The scammers behind this campaign also target users with malware to steal victims’ data. As the IRS alert explains:
By infecting computers with malware, these imposters may gain control of the taxpayer’s computer or secretly download software that tracks every keystroke, eventually giving them passwords to sensitive accounts, such as financial accounts.
This malware supposedly reaches the target device when a user tries to open the files using the ‘temporary password’ provided in the email.
The emails contain a “temporary password” or “one-time password” to “access” the files to submit the refund. But when taxpayers try to access these, it turns out to be a malicious file.
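The indicators described above (the two subject lines, the "temporary password" lure, and links that imitate irs.gov) can be checked mechanically when triaging reported mail. The following Python sketch is an added example, not part of the IRS alert; the sample message, its sender and its domains are constructed, and the function names are hypothetical.

```python
import re
from email import message_from_string, policy
from urllib.parse import urlsplit

# Subject lines and lure phrases quoted in the article.
SUBJECTS = ("automatic income tax reminder", "electronic tax return reminder")
LURES = ("temporary password", "one-time password")
URL_RE = re.compile(r"https?://[^\s\"'<>)]+", re.I)

def is_official_irs(host):
    host = host.lower().rstrip(".")
    return host == "irs.gov" or host.endswith(".irs.gov")

def lookalike_urls(text):
    """URLs that reference the IRS but whose host is not irs.gov."""
    hits = []
    for url in URL_RE.findall(text):
        host = (urlsplit(url).hostname or "").lower()
        if is_official_irs(host):
            continue
        # "irs" as its own host label/token, or irs.gov hidden in userinfo/path
        if "irs" in re.split(r"[.\-]", host) or "irs.gov" in url.lower():
            hits.append(url)
    return hits

def triage(raw_message):
    msg = message_from_string(raw_message, policy=policy.default)
    body = "\n".join(part.get_content() for part in msg.walk()
                     if part.get_content_maintype() == "text")
    subject = str(msg["subject"] or "").lower()
    return {
        "subject_match": any(s in subject for s in SUBJECTS),
        "lure_phrases": [p for p in LURES if p in body.lower()],
        "lookalike_urls": lookalike_urls(body),
    }

# Constructed sample message (hypothetical sender and domains, not from the alert).
SAMPLE = """\
From: "Tax Notice" <notice@mail.example>
Subject: Automatic Income Tax Reminder

Your refund is ready. Use the temporary password below to access your files:
http://irs.gov.refund-status.example/login
For help visit https://www.irs.gov/refunds
"""

if __name__ == "__main__":
    print(triage(SAMPLE))
```

Because the campaign relies on compromised websites, a link with no IRS-like string in it can still be malicious; the host check only catches the lookalike addresses the alert mentions.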
Stay Wary Of Unsolicited Emails
The IRS clearly states in the alert that it never sends unsolicited emails to taxpayers, nor does it ask for sensitive information via email.
The IRS doesn’t initiate contact with taxpayers by email, text messages or social media channels to request personal or financial information. This includes requests for PIN numbers, passwords or similar access information for credit cards, banks or other financial accounts.
According to a statement by Chuck Rettig, the IRS Commissioner, people should stay wary of all such scams impersonating the IRS.
The IRS does not send emails about your tax refund or sensitive financial information. This latest scheme is yet another reminder that tax scams are a year-round business for thieves. We urge you to be on-guard at all times.