IRS warns about new tax transcript email phishing scam

The Internal Revenue Service and its partners in the Security Summit sounded the alarm Monday about a new phishing scam in which cybercriminals are sending out fraudulent emails impersonating the IRS, claiming the attachments are tax transcripts, to fool recipients into clicking on and opening files containing malware that could infect their computers.

The scam particularly poses harm to businesses whose employees might open the malware because it could spread across a network and potentially take months to remove.

The malware is an old one known as Emotet, but is now being used in the guise of tax transcripts. The email has traditionally come from scammers posing as specific banks and financial institutions effort to trick victims into opening infected documents. The U.S. Computer Emergency Readiness Team warned in July about earlier versions of the Emotet malware in an alert, saying it’s “among the most costly and destructive malware affecting state, local, tribal and territorial (SLTT) governments, and the private and public sectors.”

The Security Summit, which is a partnership among the IRS, state tax authorities, tax software companies and tax preparation business, is warning taxpayers to beware of a new twist on the scam. In the past few weeks, the scammers have been impersonating the IRS, with their emails purporting to come from “IRS Online.” The phishing email comes with an attachment called “Tax Account Transcript” or a similar name. The subject line of the message uses some variation of the phrase “tax transcript.” However, the clues can change with different versions of the malware. Scores of the scam emails have been forwarded recently to the IRS’s clearinghouse for phishing emails, phishing@irs.gov.

The IRS is once again reminding taxpayers it doesn’t send unsolicited emails to the public, nor would it email a sensitive document such as a transcript summarizing a tax return. The IRS is warning taxpayers not to open the email or the attachment. If they’re using a PC, they should delete the message or forward it to phishing@irs.gov. If they receive it on an employer’s computer, they should notify the organization’s own technology professionals.

An IRS office building in East Harlem
An IRS office building in the East Harlem neighborhood of New York

For reprint and licensing requests for this article, click here.