IRS Spoofed in Payment Fraud Attack

November 10, 2020

The IRS has long been a popular target for impersonation by attackers. This email highlights a more sophisticated IRS impersonation, where a targeted attack is sent from a spoofed sender domain to collect fraudulent payment from the victim.

Summary of Attack Target

  • Platform: Office 365
  • Bypassed Email Gateway: Proofpoint
  • Payload: Text
  • Technique: Spoofing / Impersonation

Overview of IRS Impersonation Attack

In this email, the attacker impersonates the IRS, crafting a seemingly credible email threatening to press legal charges unless the recipient settles an outstanding account balance. This impersonation is made especially convincing by the attacker’s use of spoofing. The email appears to originate from the domain “,” but analysis of the email headers reveals that the true sender domain is “”. Additionally, the “Reply-To” email is “”, which is not associated with the IRS and instead leads directly back to the attacker.

The email contains specific language regarding the recipient’s overdue account balance, including unique account and loan numbers, as well as docket and warrant IDs. By using seemingly specific information, the attacker strengthens the aura of legitimacy of the attack, increasing the likelihood of the victim engaging. The stern rhetoric of the email is meant to intimidate the recipient into quickly paying the $1450.61 charge, and the attacker threatens arrest to further convey the gravity of the situation. Finally, the email instructs the recipient to reply back for payment details, ultimately leading them directly to the attacker.

If the recipient falls victim to this payment fraud attempt, they will pay a considerable sum to the impersonating party and face serious financial loss. Additionally, if the recipient does not realize their mistake, they may open themselves up to more of these fraudulent attacks in the future.

Why the IRS Scam is Effective

The threat of legal action against the recipient motivates them to swiftly pay off any outstanding debt to avoid the threatened arrest. Additionally, the attacker claims to have contacted the recipient in the previous year, and their failure to respond to the first warning has escalated the situation. This is meant to provoke immediate action, as the recipient may feel they cannot delay their payment any longer.

This email appears to be a credible impersonation of the IRS. Both the spoofed “” sender domain and the specific IDs assigned to the recipient give the email a false sense of legitimacy. Additionally, the email creates a sense of authority through its tone and professional language.

Abnormal catches this attack due to a variety of reasons, most notably the language included in the email, the suspicious financial request, and the usual sender domain. In addition, the email fails DMARC authentication for the IRS, showcasing that it is likely malicious.

IRS email impersonations are widespread across all industries. These attacks vary in scale and victim, targeting both individuals and companies as a whole. This particular attack follows the growing trend of utilizing social engineering strategies for malicious engagement, allowing attackers to more easily bypass email security solutions that focus mostly on obvious threat vectors such as links or attachments.

To learn how Abnormal can stop malicious emails that do not contain traditional indicators of compromise, see a demo today.

Blog logo wavy lines
When we founded Abnormal Security more than two and a half years ago, we met with 50 top CIOs and CISOs who told us two things: they needed a solution to stop a novel set of cyberattacks that increasingly bypassed legacy email security solutions, and they needed it...
Read More
Blog blue square building
During the pandemic, the e-commerce industry has not only seen a dramatic rise in sales, but also in consumer-targeted email attacks. This attack features an impersonation of Amazon, utilizing an increasingly popular vector for malicious engagement—phone calls.
Read More

Related Posts

B 10 15 21
With Detection 360, submission to threat containment just got 94% faster, making it incredibly easy for customers to submit false positives or missed attacks, and get real-time updates from Abnormal on investigation, conclusion, and remediation.
Read More
Extortion blog cover
Unfortunately, physically threatening extortion attempts sent via email continue to impact companies and public institutions when received—disrupting business, intimidating employees, and occasioning costly responses from public safety.
Read More
Blog engineering cybersecurity careers
Cybersecurity Careers Awareness Week is a great opportunity to explore key careers in information security, particularly as there are an estimated 3.1 million unfilled cybersecurity jobs. This disparity means that cybercriminals are taking advantage of the situation, sending more targeted attacks and seeing greater success each year.
Read More
Blog hiring cybersecurity leaders
As with every equation, there are always two sides and while it can be easy to blame users when they fall victim to scams and attacks, we also need to examine how we build and staff security teams.
Read More
Cover automated ato
With an increase in threat actor attention toward compromising accounts, Abnormal is focused on protecting our customers from this potentially high-profile threat. We are pleased to announce that our new Automated Account Takeover (ATO) Remediation functionality is available.
Read More
Email spoofing cover
Email spoofing is a common form of phishing attack designed to make the recipient believe that the message originates from a trusted source. A spoofed email is more than just a nuisance—it’s a malicious communication that poses a significant security threat.
Read More
Cover cybersecurity month kickoff
It’s time to turn the page on the calendar, and we are finally in October—the one month of the year when the spooky becomes reality. October is a unique juncture in the year as most companies are making the mad dash to year-end...
Read More
Ices announcement cover
Abnormal ICES offers all-in-one email security, delivering a precise approach to combat the full spectrum of email-borne threats. Powered by behavioral AI technology and deeply integrated with Microsoft 365...
Read More
Account takeover cover
Account takeovers are one of the biggest threats facing organizations of all sizes. They happen when cybercriminals gain legitimate login credentials and then use those credentials to send more attacks, acting like the person...
Read More
Blog podcast green cover
Many companies aspire to be customer-centric, but few find a way to operationalize customer-centricity into their team’s culture. As a 3x SaaS startup founder, most recently at Orum, and a veteran of Facebook and Palantir, Ayush Sood...
Read More
Blog attack atlassian cover
Credential phishing links are most commonly sent by email, and they typically lead to a website that is designed to look like common applications—most notably Microsoft Office 365, Google, Amazon, or other well-known...
Read More
Blog podcast purple cover
Working at hyper-growth startups usually means that unreasonable expectations will be thrust on individuals and teams. Demanding timelines, goals, and expectations can lead to high pressure, stress, accountability, and ultimately, extraordinary growth and achievements.
Read More