Beware Of Emails Purporting To Be From The IRS


Beware Of Emails Purporting To Be From The IRS (Sep 17, 2018)

Researchers at Fortinet discovered a recent phishing email campaign pretending to be from the US Internal Revenue Service (IRS). The email is directed to “Non-Resident Alien” tax payers to have them fill out a PDF file (that is attached to the email) that certifies one is a non-resident or foreign corporation. The attached PDF is named “W-8BEN Form.PDF” and impersonates a legitimate IRS form. The file does not contain any malicious macros or code, so it appear to be clean to open on a computer. The email asks the target to file out the attached form and then fax it over to a specific fax number. The objective of this campaign is to steal Personally Identifiable Information (PII).

Recommendation: This is an example of a decently-formatted social engineering campaign geared towards people who may be susceptible to scare tactics. The PDF document, whilst it appears legitimate, contains a series of errors and incongruencies within it that indicate it is not authentic. It is important to carefully read through documents because incorrect language, spelling/punctuation errors, and inconsistent formatting are often signs of a phishing attack. The IRS NEVER corresponds via email, so it is critical to never respond or open these emails, as they could be laced with malicious code or attachments. Falling victim to a campaign such as this gives threat actors sensitive Personal Identifiable Information (PII) which can allow for identity theft. Report these types of emails to the proper authorities.

Indicators of Compromise (IOCs) associated with this story can be viewed by ThreatStream users here to identify potential malicious activity.