Alert: Phishing Campaigns Spoof the Internal Revenue Service (IRS)

Cyber criminals are in full force this tax season. Security researchers have spotted multiple phishing campaigns impersonating the Internal Revenue Service (IRS.gov). These emails pretend to be from the IRS sending the recipient their 2021 Tax Return, W-9 forms, and other tax documents commonly required during the tax season.

Screenshot of an email that is an IRS Phishing attack. The email has an offical looking seal at the bottom of the email, and has a zip attachment.

Attached to the emails are zip files or HTML files that lead to zip files, which are password-protected. The password protection makes it extremely difficult to detect by secure email gateways. Inside the zip files is a 'W-9 form.xslm' Excel file that, when opened, prompt the user to click on the "Enable Editing" and "Enable Content" button to view the document correctly. Once a user clicks on these buttons, malicious macros will be executed that download and install Emotet malware.

Emotet is a Trojan that is primarily spread through spam emails and is able to successfully evade detection by many anti-malware products. The Department of Homeland Security recently concluded that Emotet is one of the most costly and destructive malwares, affecting all levels of government, private sector organizations, and individuals, and can cost in excess of $1M per incident to clean up.

With Emotet now being developed by the Conti Ransomware gang, all organizations should be on high alert for these phishing campaigns as they can ultimately lead to ransomware attacks and data exfiltration.

It is important to keep in mind that the IRS never sends unsolicited emails and corresponds only through the postal service. If you receive an email claiming to be from the IRS, mark it as spam, and delete the email. If you receive this type of email in your UT System inbox, use the Phish Alert Button to report it.

If you have reason to suspect that you may have become a victim of a phishing attack, contact the Help Desk immediately.