IRS Spoofed in Payment Fraud Attack

November 10, 2020

The IRS has long been a popular target for impersonation by attackers. This email highlights a more sophisticated IRS impersonation, where a targeted attack is sent from a spoofed sender domain to collect fraudulent payment from the victim.

Summary of Attack Target

  • Platform: Office 365
  • Bypassed Email Gateway: Proofpoint
  • Payload: Text
  • Technique: Spoofing / Impersonation

Overview of IRS Impersonation Attack

In this email, the attacker impersonates the IRS, crafting a seemingly credible email threatening to press legal charges unless the recipient settles an outstanding account balance. This impersonation is made especially convincing by the attacker’s use of spoofing. The email appears to originate from the domain “,” but analysis of the email headers reveals that the true sender domain is “”. Additionally, the “Reply-To” email is “”, which is not associated with the IRS and instead leads directly back to the attacker.

The email contains specific language regarding the recipient’s overdue account balance, including unique account and loan numbers, as well as docket and warrant IDs. By using seemingly specific information, the attacker strengthens the aura of legitimacy of the attack, increasing the likelihood of the victim engaging. The stern rhetoric of the email is meant to intimidate the recipient into quickly paying the $1450.61 charge, and the attacker threatens arrest to further convey the gravity of the situation. Finally, the email instructs the recipient to reply back for payment details, ultimately leading them directly to the attacker.

If the recipient falls victim to this payment fraud attempt, they will pay a considerable sum to the impersonating party and face serious financial loss. Additionally, if the recipient does not realize their mistake, they may open themselves up to more of these fraudulent attacks in the future.

Why the IRS Scam is Effective

The threat of legal action against the recipient motivates them to swiftly pay off any outstanding debt to avoid the threatened arrest. Additionally, the attacker claims to have contacted the recipient in the previous year, and their failure to respond to the first warning has escalated the situation. This is meant to provoke immediate action, as the recipient may feel they cannot delay their payment any longer.

This email appears to be a credible impersonation of the IRS. Both the spoofed “” sender domain and the specific IDs assigned to the recipient give the email a false sense of legitimacy. Additionally, the email creates a sense of authority through its tone and professional language.

Abnormal catches this attack due to a variety of reasons, most notably the language included in the email, the suspicious financial request, and the usual sender domain. In addition, the email fails DMARC authentication for the IRS, showcasing that it is likely malicious.

IRS email impersonations are widespread across all industries. These attacks vary in scale and victim, targeting both individuals and companies as a whole. This particular attack follows the growing trend of utilizing social engineering strategies for malicious engagement, allowing attackers to more easily bypass email security solutions that focus mostly on obvious threat vectors such as links or attachments.

To learn how Abnormal can stop malicious emails that do not contain traditional indicators of compromise, see a demo today.

Demo 2x 1

See the Abnormal Solution to the Email Security Problem

Protect your organization from the attacks that matter most with Abnormal Integrated Cloud Email Security.

Related Posts

B 06 21 22 Threat Intel blog
Executives are no longer the go-to impersonated party in business email compromise (BEC) attacks. Now, threat actors are opting to impersonate vendors instead.
Read More
B 06 7 22 Disentangling ML Pipelines Blog
Learn how explicitly modeling dependencies in a machine learning pipeline can vastly reduce its complexity and make it behave like a tower of Legos: easy to change, and hard to break.
Read More
B 04 07 22 SEG
As enterprises across the world struggle to stop modern email attacks, it begs the question: how are these attacks evading traditional solutions like SEGs?
Read More
Enhanced Remediation Blog Cover
The most effective way to manage spam and graymail is to leverage a cloud-native, API-based architecture to understand identity, behavior, and content patterns.
Read More
B 05 16 22 VP of Recruiting
We are thrilled to announce the addition of Mary Price, our new Vice President of Talent. Mary will support our continued investment in the next generation of talent here at Abnormal.
Read More
B 06 01 22 Stripe Phishing
In this sophisticated credential phishing attack, the threat actor created a duplicate version of Stripe’s entire website.
Read More
B Podcast Engineering9
In episode 9 of Abnormal Engineering Stories, Dan sits down with Mukund Narasimhan to discuss his perspective on productionizing machine learning.
Read More
B 05 31 22 RSA Conference
Attending RSA Conference 2022? So is Abnormal! We’d love to see you at the event.
Read More
B 05 27 22 Active Ransomware Groups
Here’s an in-depth analysis of the 62 most prominent ransomware groups and their activities since January 2020.
Read More
B 05 24 22 ESI Season 1 Recap Blog
The first season of Enterprise Software Innovators (ESI) has come to a close. While the ESI team is hard at work on season two, here’s a recap of some season one highlights.
Read More
B 05 13 22 Hiring Experience
Abnormal Security is committed to offering an exceptional experience for candidates and employees. Hear about our recruiting and onboarding firsthand from three Abnormal employees.
Read More
B 05 11 22 Scaling Out Redis
As we’ve scaled our customer base, the size of our datasets has also grown. With our rapid expansion, we were on track to hit the data storage limit of our Redis server in two months, so we needed to figure out a way to scale beyond this—and fast!
Read More