IRS Tax Form Scam - Abnormal Security

IRS Tax Form Scam

In this attack, scammers impersonate the IRS by sending out a fake tax form to collect valuable personal and financial information.

Quick Summary of Attack Target

Platform: G Suite
Mailboxes: 15,000 – 50,000
Victims: VIP
Payload: Attachment / Fax Number
Technique: Spoofing / Impersonation

What was the attack?

Setup: Although tax season has passed, IRS impersonation scams persist, putting many Americans at risk for identity theft and payment fraud. This email attempts the former, claiming that the recipient is a non-resident alien and telling them to fill out a W-8BEN tax exemption form to protect their status.

Email Attack: This attack contains what appears to be a W-8BEN tax form from the IRS as a PDF attachment. However, when compared to the W-8BEN tax form available for download on the IRS website, we see that the form in this email asks for much more personal information (like passport number and bank account details). Additionally, even though the email appears to originate from “irs.gov”, which is a registered domain for the IRS, further analysis reveals that this email is actually spoofed – authentication fails for this message and the true sender domain is “huaweimobilewifi.com.” This is a Chinese registered domain that has no relation to the IRS.

The email instructs the recipient to fill out the provided form in order to maintain their non-resident tax exemption status. Although this seems to only target non-resident aliens, the email widens its vulnerable audience by specifying that if the recipient is in fact a US citizen, they must indicate so on the form and still return it complete. The attack concludes by instructing the recipient to fax the form, along with a copy of their passport, to the provided fax number. Further investigation reveals that this is a known IRS scam number used to steal valuable information from unsuspecting taxpayers.

Payload: The attack contains a PDF attachment that appears inconspicuous, as it does not contain malware or suspicious links that traditional email security platforms would flag. However, the form asks for extremely sensitive information, such as date of birth, passport number, and bank account information. Revealing this information could be detrimental to the recipient if placed in malicious hands. The PDF also lists a fake fax number where the recipient is meant to send their information, leading directly back to the scammers.

Result: By sending the completed form and specified materials, the victim would release extremely sensitive information that could ultimately lead to identity theft. Additionally, the tax form asks for bank account information which, if filled out, would compromise the account of the victim and possibly lead to financial loss.

Why is this attack effective?

Urgency: The email specifies that the recipient must fill out and return the form, along with a passport copy, within seven days in order to rectify their status. This motivates the recipient to act quickly so that, in their haste, they will spend less time assessing the legitimacy of the email.

Convincing Email: The attacker uses professional language and a spoofed “irs.gov” domain to craft a credible impersonation of the IRS. In addition, the attached form looks very similar to the actual W-8BEN tax form. If one does not investigate closely enough, they might not detect the added malicious fields.

Trend: IRS email scams have been around for many years and do not show any sign of relenting. Just in the past month we have dedicated three blog posts to these impersonation attacks. Although the IRS warns on their website that they will never ask for personal tax information via email, these scams continue to defraud taxpayers across all industries.

Related content