Computer Security Research - McAfee Avert Labs Blog

The Internal Revenue Service (IRS) is some phishers favourite target, especially during the tax season each year. We first saw IRS phishing emails in our spam traps in 2005 and have seen them every year since, particularly when the U.S. tax year comes to a close.

Does the early bird catch the worms?

Who would consider a tax issue as early as in September? The phishers must think someone would. We started to see IRS phishing e-mails as early as September last year. The volume has increased in the following months, with a sharp increase in January 2008, and is showing no signs of abating today.

Targeting both individuals and businesses

Most IRS phishing e-mails target individuals, but there were several campaigns which targeted business/corporate accountants and treasury managers this year. The phishing e-mails claimed that there were some recent changes to business and corporate tax laws and asked the recipient to download the relevant files by clicking the embedded links.

Using an IP address instead of a normal domain name is commonly seen in phishing e-mails, because the phishers want to hide the phish domain name from the recipients eyes. In the sample below the phisher also claims that the encoded IP is a document reference and the phishing uri is a personalized link.

Common characteristics of an IRS phishing e-mail

The IRS phishing e-mails normally have a faked “From:” header to try to let the recipients think it is from the IRS. The message body part usually begins with different variations of the IRS logo. They usually follow this with how much money you are supposedly to be refunded for the year. Then the recipients are asked to fill a tax refund form by clicking a link which is normally hidden behind text, such as “Please click here”. The link will lead the recipients to an online form which requests personal information such as Social Security Number, Name, Address, Date of Birth, mother’s maiden name, Bank account number, Credit card number, Expiration date, Card verification number, ATM PIN number and name of the issuing bank.

Recently some phishers have enclosed a html attachment to the e-mail rather than including a link to a phishing web site, and have asked the recipient to open the attachment and submit the details via the attached form.

We also spotted an IRS Vishing (short for “voice phishing”) campaign this year.

All in all it has been a busy tax season for the IRS phishers. The IRS give some helpful tips on how to avoid being caught out by these types of phishing emails on their web site.

This entry was posted on Thursday, April 24th, 2008 at 4:32 am and is filed under Spam and Phishing. You can follow any responses to this entry through the RSS 2.0 feed. You can leave a response, or trackback from your own site.

The IRS Phishing Tax Year

Leave a Reply

Archives

Categories