IRS Domain Spoofed in Fraud Campaign

Researchers Say Scammers Use Social Engineering Strategies
A phishing email that spoofs the IRS domain (Source: Abnormal Security)

A recently uncovered phishing campaign is using a spoofed U.S. Internal Revenue Service domain and social engineering techniques in an attempt to trick targeted victims into sending money to fraudsters, according to researchers at Abnormal Security.

These phishing emails have targeted 50,000 to 70,000 Microsoft Office 365 accounts since late October, the security firm reports.

The phishing campaign, which does not include malware or malicious links, relies heavily on social engineering techniques, such as accusing recipients of owing a tax debt and threatening further legal action unless a payment is made, the security researchers say.

"This particular attack follows the growing trend of utilizing social engineering strategies for malicious engagement, allowing attackers to more easily bypass email security solutions that focus mostly on obvious threat vectors such as links or attachments," the researchers say (see: Phony IRS Emails Promise Refund, But Deliver Botnet Instead).

Spoofed Domains

In addition to spoofing the official domain, the fraudsters disguise their actual email address to hide their origin, according to the report.

"Although the email appears to originate from the domain ',' analysis of the email headers reveals that the true sender domain is ','" according to the Abnormal Security report. "Additionally, the 'Reply-To' email is ',' which is not associated with the IRS and instead leads directly back to the attacker."
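
The header comparison the report describes (displayed From domain versus true sender domain and Reply-To) can be automated on the receiving side. The following Python is an added example, not code from Abnormal Security or this article; the sample message and every domain in it are constructed placeholders, and the subdomain-based alignment test is a simplification of DMARC's organizational-domain rule.

```python
from email import message_from_string
from email.utils import parseaddr

# Constructed sample: every address and domain below is a placeholder,
# not a value from the Abnormal Security report.
SAMPLE = """\
Return-Path: <bounce@bulk-sender.example.net>
Authentication-Results: mx.recipient.example; spf=pass smtp.mailfrom=bulk-sender.example.net; dmarc=fail header.from=tax-agency.example
From: "Tax Agency Support" <support@tax-agency.example>
Reply-To: legal.office@freemail.example.org
Subject: Final notice: outstanding balance

Reply to this message to receive payment instructions.
"""


def domain_of(header_value):
    """Lower-cased domain of the address in a header value, or '' if absent."""
    addr = parseaddr(header_value or "")[1]
    return addr.rpartition("@")[2].lower() if "@" in addr else ""


def aligned(a, b):
    """Simplified relaxed alignment: same domain or one is a subdomain of the other."""
    return bool(a and b) and (a == b or a.endswith("." + b) or b.endswith("." + a))


def spoof_indicators(raw_message):
    """Return indicator codes for mismatches between From and the other sender fields."""
    msg = message_from_string(raw_message)
    from_dom = domain_of(msg["From"])
    findings = []
    # True (envelope) sender recorded by the receiving server.
    env_dom = domain_of(msg["Return-Path"])
    if env_dom and not aligned(from_dom, env_dom):
        findings.append("envelope_mismatch")
    # Replies to a no-link, no-attachment lure go wherever Reply-To points.
    reply_dom = domain_of(msg["Reply-To"])
    if reply_dom and not aligned(from_dom, reply_dom):
        findings.append("reply_to_mismatch")
    # Verdict stamped by the receiving server, if it evaluated DMARC.
    for result in msg.get_all("Authentication-Results", []):
        if "dmarc=fail" in result.lower():
            findings.append("dmarc_fail")
    return findings


if __name__ == "__main__":
    print(spoof_indicators(SAMPLE))
```

An Authentication-Results header is only trustworthy when it was stamped by your own receiving mail server; copies that arrive with the message should be stripped or ignored.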

The phishing emails include unique account and loan numbers as well as docket and warrant identification numbers to help make them appear legitimate, according to the report. The fraudsters appear to always ask for a payment of $1,450.61.

In the example provided by Abnormal Security, the phishing email instructs the victim to reply to receive instructions for payment.

"This email appears to be a credible impersonation of the IRS," the report notes. "Both the spoofed '' sender domain and the specific IDs assigned to the recipient give the email a false sense of legitimacy. Additionally, the email creates a sense of authority through its tone and professional language."

Tom Pendergast, chief learning officer at cybersecurity training firm MediaPRO, notes that this type of domain spoofing, paired with well-written phishing emails, is now standard practice for many fraudsters.

"The urgency and threat of penalty are classic hallmarks and should raise suspicion," Pendergast tells Information Security Media Group. "True, there are no links to click and no obviously absurd misspellings and threats, and the account numbers give the illusion of specificity."

Other Scams

Since the COVID-19 pandemic began, fraudsters have been adjusting their phishing campaigns to take advantage of current events, including spoofing government agencies' domains, in an attempt to harvest personal credentials and data.

For example, Proofpoint found fraudsters are now using spoofed website templates with COVID-19 themes as part of phishing attacks designed to steal login credentials and banking data. These malicious templates included a spoofed IRS website (see: Spoofed Website Templates Help Spread COVID-19 Scams: Report).

About the Author

Chinmay Rautmare

Senior Correspondent

Rautmare is senior correspondent on Information Security Media Group's Global News Desk. He previously worked with Reuters News as a correspondent for the North America Headline News operations and reported on companies in the technology, media and telecom sectors. Before Reuters, he put in a stint in broadcast journalism with a business channel, where he helped produce multimedia content and daily market shows. Rautmare is a keen follower of geo-political news and defense technology in his free time.
