The Internal Revenue Service (IRS) this week detected this new scam as taxpayers began notifying [email protected] about unsolicited emails from IRS imposters. The email subject line may vary, but recent examples use the phrase "Automatic Income Tax Reminder" or "Electronic Tax Return Reminder."
The IRS has issued a warning about a new email scam in which malicious cyber actors send unsolicited emails to taxpayers from fake (i.e., spoofed) IRS email addresses. The emails contain a link to a spoofed IRS.gov website that displays fake details about the targeted recipient’s tax refund, return, or account. The emails instruct the recipient to access their refund information by entering a provided password on the spoofed website. By entering the password, the victim unintentionally downloads malware that could enable the malicious cyber actors to take control of the affected system or obtain sensitive information.
The challenge is that many people access their personal and work email from work computers. A compromised work computer can be locked up by ransomware, which could spread throughout the organization and make all computers inoperable.
In addition, information can be stolen and the consequences for the company can be dire. As we’ve reported previously – IBM research shows the cost of a small business breach is $2.5 million!
"The IRS does not send emails about your tax refund or sensitive financial information," said IRS Commissioner Chuck Rettig. "This latest scheme is yet another reminder that tax scams are a year-round business for thieves. We urge you to be on-guard at all times."
This new scam uses dozens of compromised websites and web addresses that pose as IRS.gov, making it a challenge to shut down. By infecting computers with malware, these imposters may gain control of the taxpayer's computer or secretly download software that tracks every keystroke, eventually giving them passwords to sensitive accounts, such as financial accounts.
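For teams that filter mail, the pattern described above (an IRS-themed subject, an IRS-looking sender, and a link that lands somewhere other than irs.gov) can be checked mechanically. The sketch below is an added example, not code from the IRS or from this article; the function names and the sample message (including the reserved `.example` host) are constructed for illustration.

```python
import re
from email import message_from_string
from email.utils import parseaddr
from urllib.parse import urlsplit

# Subject phrases quoted in the IRS warning; extend as new lures are reported.
LURE_SUBJECTS = ("automatic income tax reminder", "electronic tax return reminder")
HREF_RE = re.compile(r'href\s*=\s*["\']([^"\']+)["\']', re.IGNORECASE)

def is_irs_host(host):
    """True only for irs.gov or a genuine subdomain, not a name that merely contains it."""
    host = (host or "").lower().rstrip(".")
    return host == "irs.gov" or host.endswith(".irs.gov")

def body_text(msg):
    """Concatenate every text part (plain or HTML) of the message."""
    chunks = []
    for part in msg.walk():
        if part.get_content_maintype() == "text":
            data = part.get_payload(decode=True) or b""
            chunks.append(data.decode(part.get_content_charset() or "utf-8", "replace"))
    return "\n".join(chunks)

def check_message(raw):
    """Return the reasons a raw RFC 5322 message resembles the scam described above."""
    msg = message_from_string(raw)
    subject = (msg.get("Subject") or "").lower()
    lure = any(phrase in subject for phrase in LURE_SUBJECTS)
    reasons = ["subject matches a reported lure"] if lure else []
    name, addr = parseaddr(msg.get("From") or "")
    # The From header is trivially spoofed, so an irs.gov sender is a claim, not proof.
    claims_irs = is_irs_host(addr.rpartition("@")[2]) or bool(
        re.search(r"\b(irs|internal revenue)\b", name, re.IGNORECASE))
    for url in HREF_RE.findall(body_text(msg)):
        host = urlsplit(url).hostname or ""
        if not host or is_irs_host(host):
            continue
        # Flag off-domain links in IRS-themed mail, and hosts carrying an "irs" label.
        if lure or claims_irs or "irs" in host.lower().split("."):
            reasons.append("link leaves irs.gov: " + host)
    return reasons

# Constructed sample: the From header and the link text both imitate the IRS.
SAMPLE = """From: "IRS Online" <refunds@irs.gov>
Subject: Electronic Tax Return Reminder
Content-Type: text/html

<a href="http://irs.gov.refund-status.example/login">https://www.irs.gov/refunds</a>
"""

if __name__ == "__main__":
    print(check_message(SAMPLE))
```

The check compares the link's real destination rather than its visible text, which is why the sample is flagged even though the text shown to the reader is a genuine-looking irs.gov address.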
The IRS, state tax agencies and the tax industry, which work together in the Security Summit effort, have made progress in their efforts to fight stolen identity refund fraud. But people remain vulnerable to scams by IRS imposters sending fake emails or harassing phone calls.
The IRS doesn't initiate contact with taxpayers by email, text messages or social media channels to request personal or financial information. This includes requests for PIN numbers, passwords or similar access information for credit cards, banks or other financial accounts.
The IRS also doesn't call to demand immediate payment using a specific payment method such as a prepaid debit card, gift card or wire transfer. Generally, the IRS will first mail a bill to any taxpayer who owes taxes.
See Report Phishing and Online Scams for more details.
Please read cybersecurity essentials – a simple list which will help most organizations become far more secure. Some of our list overlaps with the above.
Please go to a phishing simulation vendor now and sign up for one of their offerings. Phishing Box, KnowBe4 and Phish360 are all great.
We also recommend you get a free evaluation of your cybersecurity risk from an MSP/MSSP immediately.