IRS Impersonation - Abnormal Security

IRS Impersonation

IRS email impersonations are widespread across all industries. These attacks vary in scale and victim, targeting both individuals and companies as a whole. This particular attack follows the growing trend of utilizing social engineering strategies for malicious engagement, allowing attackers to easily bypass email security solutions that focus on link or attachment-based threat vectors.

Quick Summary of Attack

Platform: Office 365
Mailboxes: 5K-50K
Bypassed Email Security: Office 365
Victims: Employees
Payload: Link
Technique: Impersonation

What was the attack?

The attacker impersonates the IRS by crafting an automated email informing the applicant that they have been approved for the $1400 stimulus payment.

The email contains a link hidden embedded within text that reads “Claim your refund now”. By clicking on the link, the recipient is led to the attacker’s carefully crafted landing page. Here the recipient is prompted to fill out the form which attackers can then retrieve to commit fraud. 

This impersonation is especially convincing as the attacker’s landing page is identical to the IRS website including the popup alert that states “THIS U.S. GOVERNMENT SYSTEM IS FOR AUTHORIZED USE ONLY”, a statement that also appears on the legitimate IRS website.

The attacker also attempts to conceal the URL as to not alert the recipient that the url leads to a form hosted on an amazon domain. This was to obscure the landing page in an attempt to forge legitimacy.

Why did this attack bypass existing email security?

It is likely that this attack bypassed email gateways because the existing gateways only take threat examples from ongoing and current attacks that are in high volume. Phishing attempts that utilize social engineering are much lower in volume, target specific persons, and are able to be hosted on domains that can be quickly taken down.  

Abnormal was able to detect this attack through analyzing 42804+ signals. This message received an attack score of 85 for a number of reasons. The first was the suspicious link embedded within the text of the email that led to the phishing page.  Another signal was the unusual sender that has never been seen before sending to this particular organization. In addition to this, the language of the email was analyzed and found suspicious financial vocabulary indicating a possible attempt to steal money from the recipient.

Related content