IRS Impersonation - Abnormal Security

IRS Impersonation

In this attack, attackers are impersonating the IRS claiming that they have the recipient’s financial stimulus check, but need the recipient to verify their records on a landing page that will steal the recipient’s IRS or business credentials.

Quick Summary

  • Platform: Google Mail
  • Mailboxes: 5,000 to 15,000
  • Victims: Employees
  • Payload: Malicious Link
  • Technique: Impersonation / Spoofed email

What was the attack?

  • Setup: In response to the COVID-19 outbreak, the U.S. Federal Government is distributing $1,200 to qualifying individuals as part of the coronavirus relief fund, starting on April 14th. Individuals are to expect this financial disbursement either via direct deposit or check in the mail, determined by however users have received previous tax refunds by the IRS. 

  • Email Attack: This attacker crafted a convincing email and landing page that appeared to come from the IRS. The email sent by the attackers states that the user must update records to the correct home address in order to receive their COVID-19 stimulus check, which the email claims can be updated by signing into the link provided.

  • Payload: The email contains a link to a fake IRS website. The URL is masked with text, and the real URL takes the victims to a site unaffiliated with the IRS, which attackers likely hacked and are using to steal taxpayer login credentials.
  •  Result: Should recipients fall victim to this attack, their user credentials would be compromised. Depending on which credentials the users entered, either the credentials associated with their business email could be compromised, or their IRS credentials could be compromised. In the latter case, all sensitive information associated with their IRS account could be at risk as well.

Why is this attack effective?

  • Urgency: This attack leverages the fact that many individuals are expecting their coronavirus stimulus checks, and impersonates the IRS in order to deceive the user into giving up their user credentials- although the phishing link defaults to the user’s business email, if the user is not careful, they could inadvertently expose their IRS credentials as well. If the users don’t respond in a timely manner, they run the risk of delaying when they receive their stimulus check. 
  • Convincing email and landing page: The email and landing page that the attacker created were convincing. The landing page almost replicates the true IRS landing page. Recipients would be hard-pressed to understand that this was, in fact, a site designed specifically to steal their credentials.
  • Concealed URL: The URLs where the landing page were ultimately hosted were clearly not a site owned or run by the IRS. However, the email concealed this URL, and the attackers likely expected that recipients would be too convinced by the landing page they created to double-check that the URL was valid.


Abnormal Attack Stories are real world examples of attacks that we’ve seen in the wild.


Related content