The IRS has long been a popular target for impersonation by attackers. This email highlights a more sophisticated IRS impersonation, where a targeted attack is sent from a spoofed sender domain to collect fraudulent payment from the victim.
Summary of Attack Target
- Platform: Office 365
- Bypassed Email Gateway: Proofpoint
- Payload: Text
- Technique: Spoofing / Impersonation
Overview of IRS Impersonation Attack
In this email, the attacker impersonates the IRS, crafting a seemingly credible email threatening to press legal charges unless the recipient settles an outstanding account balance. This impersonation is made especially convincing by the attacker’s use of spoofing. The email appears to originate from the domain “irs.gov,” but analysis of the email headers reveals that the true sender domain is “shoesbagsall.com”. Additionally, the “Reply-To” email is “email@example.com”, which is not associated with the IRS and instead leads directly back to the attacker.
The email contains specific language regarding the recipient’s overdue account balance, including unique account and loan numbers, as well as docket and warrant IDs. By using seemingly specific information, the attacker strengthens the aura of legitimacy of the attack, increasing the likelihood of the victim engaging. The stern rhetoric of the email is meant to intimidate the recipient into quickly paying the $1450.61 charge, and the attacker threatens arrest to further convey the gravity of the situation. Finally, the email instructs the recipient to reply back for payment details, ultimately leading them directly to the attacker.
If the recipient falls victim to this payment fraud attempt, they will pay a considerable sum to the impersonating party and face serious financial loss. Additionally, if the recipient does not realize their mistake, they may open themselves up to more of these fraudulent attacks in the future.
Why the IRS Scam is Effective
The threat of legal action against the recipient motivates them to swiftly pay off any outstanding debt to avoid the threatened arrest. Additionally, the attacker claims to have contacted the recipient in the previous year, and their failure to respond to the first warning has escalated the situation. This is meant to provoke immediate action, as the recipient may feel they cannot delay their payment any longer.
This email appears to be a credible impersonation of the IRS. Both the spoofed “irs.gov” sender domain and the specific IDs assigned to the recipient give the email a false sense of legitimacy. Additionally, the email creates a sense of authority through its tone and professional language.
Abnormal catches this attack due to a variety of reasons, most notably the language included in the email, the suspicious financial request, and the usual sender domain. In addition, the email fails DMARC authentication for the IRS, showcasing that it is likely malicious.
IRS email impersonations are widespread across all industries. These attacks vary in scale and victim, targeting both individuals and companies as a whole. This particular attack follows the growing trend of utilizing social engineering strategies for malicious engagement, allowing attackers to more easily bypass email security solutions that focus mostly on obvious threat vectors such as links or attachments.
To learn how Abnormal can stop malicious emails that do not contain traditional indicators of compromise, see a demo today.