November 10, 2020
Abnormal Security
In this attack, scammers impersonate the IRS to collect a fraudulent payment from their target.
Platform: Office 365
Bypassed Email Gateway: Proofpoint
Mailboxes: 50,000 to 70,000
Payload: Text
Technique: Spoofing / Impersonation
Setup: The IRS has long been a popular target for impersonation by attackers. This email highlights a more sophisticated IRS impersonation, where a targeted attack is sent from a spoofed sender domain to collect fraudulent payment from the victim.
Email Attack: The attacker impersonates the IRS, crafting a seemingly credible email threatening to press legal charges unless the recipient settles an outstanding account balance. This impersonation is made especially convincing by the attacker’s use of spoofing. Although the email appears to originate from the domain “irs.gov”, analysis of the email headers reveals that the true sender domain is “shoesbagsall.com”. Additionally, the “Reply-To” email is “legal.cc@outlook.com”, which is not associated with the IRS and instead leads directly back to the attacker.
Payload: The email contains specific language regarding the recipient’s overdue account balance, including unique account and loan numbers, as well as docket and warrant IDs. By using seemingly specific information, the attacker strengthens the aura of legitimacy of the attack, increasing the likelihood of the victim engaging. The stern rhetoric of the email is meant to intimidate the recipient into quickly paying the $1450.61 charge, and the attacker threatens arrest to further convey the gravity of the situation. Finally, the email instructs the recipient to reply back for payment details, ultimately leading them directly to the attacker.
Result: If the recipient falls victim to this payment fraud attempt, they will pay a considerable sum to the impersonating party and face serious financial loss. Additionally, if the recipient does not realize their mistake, they may open themselves up to more of these fraudulent attacks in the future.
Urgency: The threat of legal action against the recipient motivates them to swiftly pay off any outstanding debt to avoid the threatened arrest. Additionally, the attacker claims to have contacted the recipient in the previous year, and their failure to respond to the first warning has escalated the situation. This is meant to provoke immediate action, as the recipient may feel they cannot delay their payment any longer.
Convincing email: This email appears to be a credible impersonation of the IRS. Both the spoofed “irs.gov” sender domain and the specific IDs assigned to the recipient give the email a false sense of legitimacy. Additionally, the email creates a sense of authority through its tone and professional language.
Trend: IRS email impersonations are widespread across all industries. These attacks vary in scale and victim, targeting both individuals and companies as a whole. This particular attack follows the growing trend of utilizing social engineering strategies for malicious engagement, allowing attackers to more easily bypass email security solutions that focus mostly on obvious threat vectors such as links or attachments.
Subscribe to receive twice-monthly updates of the latest attacks we've detected in the wild:
Abnormal is the email security company that stands for trust.
© 2021 Abnormal Security Corporation.
All rights reserved.