IRS Impersonated in Identity Theft Campaign

December 16, 2020

Although tax season has passed, IRS impersonation scams persist, putting many Americans at risk for identity theft and payment fraud. In this attack, scammers impersonate the IRS by sending out a fake tax form to collect valuable personal and financial information.

Summary of Attack Target

  • Platform: G Suite
  • Victims: VIP and Executives
  • Payload: Attachment / Fax Number
  • Technique: Spoofing / Impersonation

What was the attack?

This email attempts to steal information that could lead to identity theft, claiming that the recipient is a non-resident alien and telling them to fill out a W-8BEN tax exemption form to protect their status. The email instructs the recipient to fill out the provided form in order to maintain their non-resident tax exemption status.

Although this seems to only target non-resident aliens, the email widens its vulnerable audience by specifying that if the recipient is in fact a US citizen, they must indicate so on the form and still complete the form. The attack concludes by instructing the recipient to fax the form, along with a copy of their passport, to the provided fax number. Further investigation reveals that this is a known IRS scam number used to steal valuable information from unsuspecting taxpayers.

While the attached PDF looks legitimate, when compared to the W-8BEN tax form available for download on the IRS website, we see that the form in this email asks for much more personal information, like passport number and bank account details.

Even though the email appears to originate from “”, which is a registered domain for the IRS, further analysis reveals that this email is actually spoofed—authentication fails for this message and the true sender domain is “” This is a Chinese registered domain that has no relation to the IRS.

Should the target bypass this and send the completed form and specified materials, they would release extremely sensitive information that could ultimately lead to identity theft. Additionally, the tax form asks for bank account information which, if filled out, would compromise the account of the victim and possibly lead to financial loss.

Why the IRS Scam is Effective

The email specifies that the recipient must fill out and return the form, along with a passport copy, within seven days in order to rectify their status. This motivates the recipient to act quickly so that, in their haste, they will spend less time assessing the legitimacy of the email. Additionally, the attack contains a PDF attachment that appears inconspicuous, as it does not contain malware or suspicious links that traditional email security platforms would flag.

The attacker uses professional language and a spoofed “” domain to craft a credible impersonation of the IRS. In addition, the attached form looks very similar to the actual W-8BEN tax form. If one does not investigate closely enough, they might not detect the added malicious fields.

Abnormal is able to detect this attack due to the usual sender, the language that is used to steal personal information, and the fact that the sender domain does not match any domains found within the body.

IRS email scams have been around for many years and do not show any sign of relenting. Although the IRS warns on their website that they will never ask for personal tax information via email, these scams continue to defraud taxpayers across all industries.

To see how Abnormal can protect you and your employees from identity theft, request a demo today.


Prevent the Attacks That Matter Most

Get the Latest Email Security Insights

Subscribe to our newsletter to receive updates on the latest attacks and new trends in the email threat landscape.

Demo 2x 1

See the Abnormal Solution to the Email Security Problem

Protect your organization from the attacks that matter most with Abnormal Integrated Cloud Email Security.

Related Posts

B 10 3 22 Cobalt Terrapin Blog
Threat group Cobalt Terrapin uses sophisticated impersonation techniques with multiple steps to commit invoice fraud.
Read More
B 09 29 22 CISO Cybersecurity Awareness Month
October is here, which means Cybersecurity Awareness Month is officially in full swing! These five tips can help security leaders take full advantage of the month.
Read More
B Email Security Challenges Blog 09 26 22
Understanding common email security challenges caused by your legacy technology will help you determine the best solution to improve your security posture.
Read More
B 5 Crucial Tips
Retailers are a popular target for threat actors due to their wealth of customer data and availability of funds. Here are 5 cybersecurity tips to help retailers reduce their risk of attack.
Read More
B 3 Essential Elements
Legacy approaches to managing unwanted mail are neither practical nor scalable. Learn the 3 essential elements of modern, effective graymail management.
Read More
B Back to School
Discover how threat group Chiffon Herring leverages impersonation and spoofed email addresses to divert paychecks to mule accounts.
Read More
B 09 06 22 Rearchitecting a System Blog
We recently shared a look at how the Abnormal engineering team overhauled our Unwanted Mail service architecture to accommodate our rapid growth. Today, we’re diving into how the team migrated traffic to the new architecture—with zero downtime.
Read More
B Industry Leading CIS Os
Stay up to date on the latest cybersecurity trends, industry news, and best practices by following these 12 innovative and influential thought leaders on social media.
Read More
B Podcast Engineering 11 08 24 22
In episode 11 of Abnormal Engineering Stories, David Hagar, Director of Engineering and Abnormal Head of UK Engineering, continues his conversation with Zehan Wang, co-founder of Magic Pony.
Read More