Deconstructing an IRS Phishing scam

Here's an example of just one of the many tax-related scams criminals are using this year.

Page 2 of 3

At this point, it should be clear that our IRS email is nothing more than a scam. But, observational proof aside - is there any other evidence (such as technical evidence) that proves this message is a fake?

Yes, there is. And the best place to look for collecting said evidence is the email headers.

What are headers? Headers are a sort of tracking system for email. They record where the message actually came from and the servers it passed through, independently of the "To:" and "From:" fields, which criminals can spoof, as you'll see.

For common scams and Phishing attacks, headers are an easy way to prove the message is a fake.

In the following image, the headers from the IRS email are shown. The marked sections are where you'd look first for detailed information on the message itself. Each section is explained below.


IRS Phishing Scam Email Headers

1. The first line in the headers shows that there isn't an SPF policy in place for the domain the email originated from. This is important.

In short, SPF records are used to prevent spammers from sending emails using a forged "From:" field. The process isn't perfect, and not everyone uses SPF, but large commercial firms do, as well as many government agencies.

So this line shows the absence of an SPF policy, and the domain the email originated from (rossmann-cpa.com), which isn't the IRS. Also, the IP address belongs to a server in Italy, a bit far from the tax offices in D.C., don't you think?

2. The Message-ID sometimes contains useful information. Here it confirms the sender's domain, which again is rossmann-cpa.com.

3. This is the "From:" field. This is where the sender's email address is supposed to be. However, in this example, it says the email you're reading originated from complaints@irs.gov. But did it?

4. The X-Header fields contain additional server information. Often you will see anti-spam markers and other details. The field highlighted shows that the message came from rossmann-cpa.com.

Rule of thumb: If the data in sections 1, 2, and 4 say one thing, and the data in section 3 says something else – then it's a good bet that section 3 is a lie.

As such, we now have technical proof to match our gut reaction that the email is a scam.

Header access for some of the more common email applications can be obtained by doing the following:

Gmail: Open the message and on the right side of the screen click the down arrow (just to the right of the reply icon). Select Show Original. Be warned, you may see a lot of CSS and HTML (code). If so, this is normal. The headers are in the top part of the display.

Yahoo! Mail: Open the message, click the arrow next to "More..." and select View Full Header. This opens a pop-up window with the data inside.

Outlook.com (Hotmail): Open the message and click the "..." option to the right of Categories. Select View Message Source.

Outlook 2007 / 2010 / 2013: Open the message. Click Options (Outlook 2007) or Tags (Outlook 2010/2013); the message headers are at the bottom of the dialog box.

Thunderbird: Open the message. Under the View menu, select Message Source. You can also open the message and press Ctrl+U.

OS X Mail: Open the message and select the View menu. From there, go to Message and All Headers. You can also press Command+Shift+H with the message open.

Next: How to easily spot a Phishing link by reading your email in plain text
