Tax season is always a prime time for phishing attacks. People are easily influenced by IRS branding and counterfeit web pages. Just a few weeks ago we wrote about a spear phishing attack where hackers obtained W-2s from a range of business sectors through a business email compromise scam.

In the short period of time since then, new tax scams have cropped up. These scams show an increase in the use of social engineering tactics to personalize emails and convince victims of their legitimacy. Hackers are preying on our innate willingness to comply with authority and appealing to our fears of the consequences of paying taxes late or not complying with the law. The scams and software come in a range of forms, from phishing emails that steal confidential information to ransomware and banking Trojans.

Phishing Emails

Huge Refund

One of the scams comes in the form of a spear phishing email supposedly from the IRS Commissioner. The email includes the victim’s personal information like name, address, and personal phone, making the email seem legitimate. The email claims that the victim is entitled to a $7.5 million refund in the form of an ATM card, as long as they “update” some personal information. This scam has some obvious red flags:

  • The average taxpayer would never be entitled to a refund of that magnitude
  • The offer is too good to be true
  • The IRS doesn’t send tax refund information via email
  • The IRS would already have all of the personal information necessary to issue a refund from your taxes
  • The sender is “fincencustomerservice@gmx.us”, an address at a German-based, free, advertising-supported email service

Information “Processing”


Another email-based phishing scam tells victims that it is time for their information to be “processed”; instead, it is being stolen. The email takes victims to a fake IRS-branded page where they are asked to fill in all of their personal information, starting with their social security number. This phishing scam is able to bypass standard intrusion detection systems (IDS) by using JavaScript AES encryption.

By using JavaScript AES encrypted web pages, hackers are able to bypass most intrusion detection systems.
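When the form markup only exists after the browser decrypts it, content signatures have nothing to match, but the structure of a self-decrypting page is still visible in the raw HTML. The following is an added example, not code from the original article: a heuristic that scores a fetched page on those structural signs. The marker patterns, thresholds, the `aesDecrypt` function name and both sample pages are assumptions constructed for illustration.

```javascript
// Added example (not from the article): flag pages that decrypt their own body.
// Marker patterns and thresholds are assumptions chosen for illustration.
function entropy(s) { // Shannon entropy in bits per character
  const counts = new Map();
  for (const ch of s) counts.set(ch, (counts.get(ch) || 0) + 1);
  let h = 0;
  for (const n of counts.values()) h -= (n / s.length) * Math.log2(n / s.length);
  return h;
}

function inspectPage(html) {
  // Inline script bodies, and the markup that remains once scripts are removed.
  const scripts = [...html.matchAll(/<script\b[^>]*>([\s\S]*?)<\/script>/gi)]
    .map((m) => m[1]).join("\n");
  const markup = html.replace(/<script\b[\s\S]*?<\/script>/gi, "");
  // Long quoted literals built only from base64 characters.
  const blobs = [...scripts.matchAll(/["']([A-Za-z0-9+\/=]{200,})["']/g)]
    .map((m) => m[1]);
  const findings = {
    decryptCall: /aes[\w.]*decrypt\s*\(/i.test(scripts),   // AES decrypt routine is called
    domSink: /document\.write(ln)?\s*\(|\.innerHTML\s*=|\beval\s*\(/.test(scripts),
    opaqueBlob: blobs.some((b) => entropy(b) > 4.5),       // ciphertext-like literal
    noStaticForm: !/<(form|input)\b/i.test(markup),        // no form in the static HTML
  };
  const score = Object.values(findings).filter(Boolean).length;
  return { findings, score, suspicious: score >= 3 };
}

// Constructed sample input: a stand-in for base64 ciphertext (not real data).
const B64 = "ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789+/";
const blob = Array.from({ length: 256 }, (_, i) => B64[(i * 37) % 64]).join("");

// Constructed page whose visible content exists only as an encrypted literal.
// aesDecrypt is a hypothetical function name.
const encryptedPage = `<html><body><script>
var data = "${blob}";
document.write(aesDecrypt(data, "k"));
</script></body></html>`;

// Constructed ordinary page: a static form and a harmless DOM update.
const ordinaryPage = `<html><body><form action="/search"><input name="q"></form>
<script>document.getElementById("x").innerHTML = "hi";</script></body></html>`;

console.log(inspectPage(encryptedPage)); // all four signals present
console.log(inspectPage(ordinaryPage));  // only the DOM sink matches
```

A check like this belongs in a mail gateway's URL detonation step or a web proxy, where the raw response body is available before any script runs.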

Phishing Form

Similar to the information “processing” scam, this attack uses an email to lure victims to a counterfeit IRS-branded page. The email contains an attachment that takes users to a webpage form with an “IRS-govCopyright.html” suffix. The form asks for the victim’s:

  • Social security number
  • Full name
  • Email address
  • Primary phone
  • Birthday
  • Employer identification number
  • Employer name
  • Full employer address