Deconstructing an IRS Phishing scam

Here's an example of just one of the many tax-related scams criminals are using this year.

Page 3 of 3

By now you've seen how to check your gut feelings and flag a random email as suspicious, in addition to using technical details to prove your claims. So clearly the email from the IRS is nothing more than a scam.

However, by reading your email in plain text, you can skip the guesswork and spot a poorly planned Phishing attempt easily. This is how the message appears in Outlook 2013, with the default reading settings turned to plain text.

[Image: irs scam 3]

Notice that the general formatting is the same, but there is visible code calling for the inclusion of the IRS logo. This happened because this message was created for users on a Web-based email program (e.g. Yahoo! Mail) or software rendering visuals using Rich Text or HTML (e.g. Outlook).

Bulk Phishing messages like our IRS email are created with HTML (sometimes Rich Text) and blasted to as many people as possible. Those who have plain text rendering often catch these scams faster because the links don't match up.

The link you're told to click on looks like an IRS address, so if you believed the message was real in the first place, the link wouldn't be a consideration. However, look at how it is rendered in plain text. Would you trust it now?

[Image: IRS Phishing Email Plain Text]

The address in the regular email looks like it points to an IRS website, but the actual code for the link lists a WordPress installation.

So why would the IRS use personal blog software to host documents that are allegedly related to a potential criminal case against you? That's right, they wouldn't.

Now, because the message was rendered in plain text, the scam's malicious link stands out like a bright beacon.

It isn't too hard to read email like this. For Web-based email, the header instructions on the previous page also render the message (complete with source code) in plain text.

Gmail also offers a "Message text garbled?" option that will render messages in plain text; however, bulk messages often show as nothing more than giant blocks of code. When in doubt, just delete the message.

For Outlook 2013 users, the following Microsoft article explains how to enable plain text viewing of email. Articles for those using Outlook 2003, 2007, and 2010 are also available.

Likewise, Mozilla has published details on how to read messages in plain text for Thunderbird users, and Apple has documentation online for Mavericks, Mountain Lion, and Yosemite.

Phishing scams related to the IRS are common this time of year. The best defense is a good dose of skepticism and logic.

Remember, the IRS would never email you, nor would they ask you to download random files. If someone were to call you on the phone and tell you to expect an email, this too is a scam, as first contact on legitimate tax-related matters would be via the USPS.

In their own words:

"The IRS does not initiate contact with taxpayers by email to request personal or financial information. This includes any type of electronic communication, such as text messages and social media channels. The IRS also does not ask for PINs, passwords or similar confidential access information for credit card, bank or other financial accounts. Recipients should not open any attachments or click on any links contained in the message. Instead, forward the e-mail to phishing@irs.gov."

Copyright © 2015 IDG Communications, Inc.
