IRS Impersonation Payment Fraud

In this attack, scammers impersonate the IRS to collect a fraudulent payment from their target.

Quick Summary of Attack Target

Platform: Office 365
Bypassed Email Gateway: Proofpoint
Mailboxes: 50,000 to 70,000
Payload: Text
Technique: Spoofing / Impersonation

What was the attack?

Setup: The IRS has long been a popular target for impersonation by attackers. This email highlights a more sophisticated IRS impersonation, where a targeted attack is sent from a spoofed sender domain to collect fraudulent payment from the victim.

Email Attack: The attacker impersonates the IRS, crafting a seemingly credible email threatening to press legal charges unless the recipient settles an outstanding account balance. This impersonation is made especially convincing by the attacker’s use of spoofing. Although the email appears to originate from the domain “”, analysis of the email headers reveals that the true sender domain is “”. Additionally, the “Reply-To” email is “”, which is not associated with the IRS and instead leads directly back to the attacker.

Payload: The email contains specific language regarding the recipient’s overdue account balance, including unique account and loan numbers, as well as docket and warrant IDs. By using seemingly specific information, the attacker strengthens the aura of legitimacy of the attack, increasing the likelihood of the victim engaging. The stern rhetoric of the email is meant to intimidate the recipient into quickly paying the $1450.61 charge, and the attacker threatens arrest to further convey the gravity of the situation. Finally, the email instructs the recipient to reply back for payment details, ultimately leading them directly to the attacker.

Result: If the recipient falls victim to this payment fraud attempt, they will pay a considerable sum to the impersonating party and face serious financial loss. Additionally, if the recipient does not realize their mistake, they may open themselves up to more of these fraudulent attacks in the future.

Why is this attack effective?

Urgency: The threat of legal action against the recipient motivates them to swiftly pay off any outstanding debt to avoid the threatened arrest. Additionally, the attacker claims to have contacted the recipient in the previous year, and their failure to respond to the first warning has escalated the situation. This is meant to provoke immediate action, as the recipient may feel they cannot delay their payment any longer.

Convincing email: This email appears to be a credible impersonation of the IRS. Both the spoofed “” sender domain and the specific IDs assigned to the recipient give the email a false sense of legitimacy. Additionally, the email creates a sense of authority through its tone and professional language.

Trend: IRS email impersonations are widespread across all industries. These attacks vary in scale and victim, targeting both individuals and companies as a whole. This particular attack follows the growing trend of utilizing social engineering strategies for malicious engagement, allowing attackers to more easily bypass email security solutions that focus mostly on obvious threat vectors such as links or attachments.

Related content