Hackers Using Spoofed IRS Emails to Target Victims and Threatening to Take Legal Action

The spoofed emails that have targeted thousands of people in the U.S. appear to come from legitimate IRS domain such as support@irs.gov

People are intimated by the U.S. Internal Revenue Service (IRS) and hackers know the weakness. Now, they are impersonating the IRS in emails, asking people to pay up or threatening them with legal action. The phishing scam that was first noticed in April 2020 now has widened. Scammers fabricate an outstanding tax amount related to late payment or missed payment and trick the victim into paying it.

According to email security company Abnormal Security, scammers have been able to reach nearly 70,000 victims targeting their Microsoft Office 365 accounts. Although it is unknown if anybody has made any payment, the sheer number of emails suggests that someone may have.

"The attacker impersonates the IRS, crafting a seemingly credible email threatening to press legal charges unless the recipient settles an outstanding account balance," the researchers explained.

Phishing emails
Hackers impersonating the IRS ask the victims to pay a made-up outstanding amount or threaten to take legal action (representational image) Pixabay

'Credible Domain'

Spoofing IRS has been a popular choice for hackers to target victims. But most of the time, those spoofing emails fail to convince the target due to the usage of poor English. In this case, scammers use a sophisticated technique. The spoofing emails seem to originate from support@irs.gov as a way to convince victims. Besides that, the scammers use docket number, case ID, warrant ID and error-free English content to make the email appear legitimate.

However, a closer look would reveal that the emails originate from the shoesbagsall.com domain and when you try to reply to the email, it would direct the response to "legal.cc@outlook.com", not the actual IRS mailing address. "By using seemingly specific information, the attacker strengthens the aura of legitimacy of the attack, increasing the likelihood of the victim engaging," researchers at Abnormal Security said.

Threatening with Legal Charges

To intimidate the victims, scammers threaten to take legal action if the "outstanding amount" is not paid. Besides that, the spoofed email suggests that failure to pay the amount would lead to arrest as the subject line of the email often says "warrant for your arrest". In such an email, the scammers also threaten to notify the employer, suggesting that the fictitious "outstanding amount" would be withheld from their salary and informing the credit bureau.

Spoofed email
Spoofed IRS email threatening with arrest warrant to intimidate victims Abnormal Security

One such email read: "We have sent you this warning notification about legal proceedings in May 2019. But you failed to respond on time. This time, if you fail to respond then we will register this case in court. Consider this as a Final Warning."

The scam emails also say that failure to pay will lead to notifying the local sheriff department which will issue a court order to appear before the court. "Please let us know what your intention is by today itself so we can hold the case or else we will submit the paperwork to your Local Sheriff Department and you will be served with a court summons at your doorstep," the email says.

By resorting to social engineering attacks, hackers can bypass the email security system that blocks most of the spam or phishing attacks. "IRS email impersonations are widespread across all industries. These attacks vary in scale and victim, targeting both individuals and companies as a whole," researchers said.

If you receive such a suspicious email, don't respond or open any attachments as it may contain malware that could either encrypt your system or steal your data. Next, forward that to phishing@irs.gov as is with full email header. The IRS will analyze the email and take necessary action against the hackers.

Related topics : Cybersecurity