
Senior Staff Writer

Deconstructing an IRS Phishing scam

Jan 26, 2015 | 8 mins
Cybercrime, Fraud, IT Leadership

Here's an example of just one of the many tax-related scams criminals are using this year.

Taxes. Avoiding them is illegal, and paying them is painful. We’ve all got to do it, and for some, the stress of taxes is no small matter. There’s a certain element of apprehension when dealing with the IRS, even when you’ve done nothing wrong, so being contacted by them is a bit frightening.

Criminals know the type of stress the IRS can cause a taxpayer. They also know that most will immediately pay attention to something from the IRS. Perhaps not out of fear, but curiosity. After all, if you’ve paid your taxes on time like clockwork, why would the IRS be emailing you?

To be honest, they wouldn’t, but consider the email below:

[Image: IRS Phishing Scam image 1, the phishing email as received]

Taken at face value, this email doesn’t seem wrong to the untrained eye. However, examine it closely and some things stand out.

1. The message is addressed to “Dear business owner” – Nothing from the IRS would ever be so generically addressed. If they’re sending you something, they send it addressed to your first and last name, and in some cases include other identifying details.

2. Contact has originated via email. The IRS doesn’t email taxpayers; they send certified letters via the United States Postal Service (USPS).

3. The message points you to a website in order to download a PDF file containing the alleged charges against you – or in this case – your company.

Assuming that you are a business owner, it’s important to note that the IRS would never send you a random email attachment or ask you to download something out of the blue.

4. The phone number in the message’s closing is a legitimate IRS phone number. However, it isn’t the number for the IRS “Fraud Prevention Department,” it’s the number for the Business and Specialty Tax Line. Should you call it and explain the email, the person on the other end will immediately call this scam out for what it is.

5. The complaints email address isn’t valid. The IRS requires that certain forms be completed and delivered to them in order for a complaint to be registered. Any time you get an email from the IRS and suspect that it isn’t on the level, send it to and delete the original.

Next: Deconstructing the scam and finding technical evidence

At this point, it should be clear that our IRS email is nothing more than a scam. But, observational proof aside – is there any other evidence (such as technical evidence) that proves this message is a fake?

Yes, there is. And the best place to look for collecting said evidence is the email headers.

What are headers? Headers are a sort of tracking system for email. They tell you where the message came from and who it was sent to, independently of the “To:” and “From:” fields, because criminals can spoof those, as you’ll see.

For common scams and Phishing attacks, headers are an easy way to prove the message is a fake.

In the following image, the headers from the IRS email are shown. The marked sections are where you’d look first for detailed information on the message itself. Each section is explained below.

[Image: the headers of the IRS phishing email, with the four marked sections discussed below]

1. The first line in the headers shows that there isn’t an SPF policy in place on the server where the email originated. This is important.

In short, SPF records are used to prevent spammers from sending emails using a forged “From:” field. The process isn’t perfect, and not everyone uses SPF, but large commercial firms do, as well as many government agencies.

So this line shows the absence of an SPF policy, and the email address where the email originated from – – which isn’t the IRS. Also, the IP address belongs to a server in Italy, a bit far from the tax offices in D.C., don’t you think?

2. The Message ID sometimes contains useful information; here it’s confirming the sender’s email address – again it’s

3. This is the “From:” field. This is where the sender’s email address is supposed to be. However, in this example, it says the email you’re reading originated from But did it?

4. The X-Header fields contain additional server information. Often you will see anti-spam markers and other details. The field highlighted shows that the message came from

Rule of thumb: If the data in sections 1, 2, and 4 say one thing, and the data in section 3 says something else – then it’s a good bet that section 3 is a lie.

As such, we now have technical proof to match our gut reaction that the email is a scam.
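The rule of thumb above can be applied mechanically. The following is an added example, not code from the article: it parses a constructed set of headers shaped like the ones described (no SPF policy, a non-IRS sender in Received-SPF, Message-ID and an X-header, and a From: line claiming irs.gov; every address and IP is a placeholder) and reports whether the From: line disagrees with the sending infrastructure.

```python
import email
import re

# Constructed sample headers (not the real scam's) in the shape the article
# describes: Received-SPF reports no SPF policy and a sender domain that is not
# irs.gov, the Message-ID and an X-header carry that same real sender, and only
# the From: line claims irs.gov. Addresses and IPs are placeholders.
RAW_HEADERS = """\
Received-SPF: none (mx.example-mail.test: domain of sender@bulk-mailer.example does not designate permitted sender hosts) client-ip=203.0.113.45;
Received: from mail.bulk-mailer.example (mail.bulk-mailer.example [203.0.113.45])
        by mx.example-mail.test with ESMTP id abc123
Message-ID: <20150126.123456.sender@bulk-mailer.example>
From: "IRS Fraud Prevention" <fraud.prevention@irs.gov>
To: victim@example.test
Subject: Notice of complaint against your business
X-Sender: sender@bulk-mailer.example

"""

DOMAIN_RE = re.compile(r"@([A-Za-z0-9.-]+\.[A-Za-z]{2,})")
CLIENT_IP_RE = re.compile(r"client-ip=([0-9a-fA-F.:]+)")

def domain_of(value):
    """Lowercase domain of the first address-like token in a header value, or None."""
    m = DOMAIN_RE.search(value or "")
    return m.group(1).lower() if m else None

def analyze_headers(raw):
    """Apply the article's rule of thumb: the From: line (section 3) is a lie when
    the domains in Received-SPF, Message-ID and the X-header (sections 1, 2, 4)
    name a sender other than the one From: claims."""
    msg = email.message_from_string(raw)
    spf = msg.get("Received-SPF", "")
    ip = CLIENT_IP_RE.search(spf)
    evidence = {
        "Received-SPF": domain_of(spf),
        "Message-ID": domain_of(msg.get("Message-ID")),
        "X-Sender": domain_of(msg.get("X-Sender")),
    }
    claimed = domain_of(msg.get("From"))
    infrastructure = {d for d in evidence.values() if d}
    return {
        "claimed_from": claimed,
        "evidence": evidence,
        "spf_result": spf.split(" ", 1)[0].lower() if spf else "missing",
        "client_ip": ip.group(1) if ip else None,
        "from_is_lie": bool(infrastructure) and claimed not in infrastructure,
    }
```

The client IP is returned so it can be looked up separately; the script itself makes no network calls.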

Header access for some of the more common email applications can be obtained by doing the following:

Gmail: Open the message and on the right side of the screen click the down arrow (just to the right of the reply icon). Select Show Original. Be warned, you may see a lot of CSS and HTML (code). If so, this is normal. The headers are in the top part of the display.

Yahoo! Mail: Open the message, click the arrow next to “More…” and select View Full Header. This opens a pop-up window with the data inside.

(Hotmail): Open the message and click the “” option to the right of Categories. Select View Message Source.

Outlook 2007 / 2010 / 2013: Open the message. Click Options (Outlook 2007) or Tags (Outlook 2010/2013); the message headers are at the bottom of the dialog box.

Thunderbird: Open the message. Under the View menu, select Message Source. You can also open the message and press Ctrl+U.

OS X Mail: Open the message and select the View menu. From there, go to Message and All Headers. You can also press Command+Shift+H with the message open.

Next: How to easily spot a Phishing link by reading your email in plain text

By now you’ve seen how to check your gut feelings and flag a random email as suspicious, in addition to using technical details to prove your claims. So clearly the email from the IRS is nothing more than a scam.

However, by reading your email in plain text, you can skip the guesswork and spot a poorly planned Phishing attempt easily. This is how the message appears on Outlook 2013, with the default reading settings turned to plain text.

[Image: the phishing email as rendered in plain text in Outlook 2013]

Notice that the general formatting is the same, but there is visible code calling for the inclusion of the IRS logo. This happened because this message was created for users on a Web-based email program (e.g. Yahoo! Mail) or software rendering visuals using Rich Text or HTML (e.g. Outlook).

Bulk Phishing messages like our IRS email are created with HTML (sometimes Rich Text) and blasted to as many people as possible. Those who have plain text rendering often catch these scams faster because the links don’t match up.

Given that the link you’re told to click on looks like an IRS address, if you believed the message was real in the first place, the link wouldn’t give you pause. However, look at how it is rendered in plain text. Would you trust it now?

[Image: the link as rendered in plain text, showing the actual target address]

The address in the regular email looks like it points to an IRS website, but the actual code for the link lists a WordPress installation.

So why would the IRS use personal blog software to host documents that are allegedly related to a potential criminal case against you? That’s right, they wouldn’t.

Now, because the message was rendered in plain text, the scam’s malicious link stands out like a bright beacon.
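The mismatch plain-text rendering exposes can also be checked programmatically. This is an added example, not code from the article: it walks the anchors of a constructed HTML body (both URLs are placeholders modelled on the article's description, an IRS-looking link text pointing at a blog's WordPress upload folder) and reports every link whose visible text names a different host than its href.

```python
from html.parser import HTMLParser
from urllib.parse import urlparse

# Constructed HTML body (not the real scam's): the visible link text looks like
# an IRS address while the href points at a blog's WordPress upload folder.
# Both URLs are placeholders.
HTML_BODY = """<html><body>
<p>Dear business owner,</p>
<p>A complaint has been filed against your company. Download the notice here:
<a href="http://blog-host.example/wp-content/uploads/notice.pdf">http://www.irs.gov/notice/complaint</a></p>
<p>Regards,<br>IRS Fraud Prevention Department</p>
</body></html>"""

class LinkExtractor(HTMLParser):
    """Collect (visible text, href) pairs, the two things a plain-text view shows side by side."""
    def __init__(self):
        super().__init__()
        self.links = []
        self._href = None
        self._text = []
    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href")
            self._text = []
    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)
    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append(("".join(self._text).strip(), self._href))
            self._href = None

def host_of(url):
    """Lowercase hostname of a URL; text without a scheme is tried as a URL too."""
    if "://" not in url:
        url = "http://" + url
    return (urlparse(url).hostname or "").lower()

def mismatched_links(html):
    """Return [(text, href)] for anchors whose visible text names a host other than the href's."""
    p = LinkExtractor()
    p.feed(html)
    out = []
    for text, href in p.links:
        # only link texts that themselves look like an address can be compared
        text_host = host_of(text) if "." in text and " " not in text else ""
        if text_host and text_host != host_of(href):
            out.append((text, href))
    return out
```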

It isn’t too hard to read email like this. For Web-based email, the header instructions on the previous page also render the message (complete with source code) in plain text.

Gmail also offers a “Message text garbled?” option that will render messages in plain text; however, bulk messages often show as nothing more than giant blocks of code. When in doubt, just delete the message.

For Outlook 2013 users, the following Microsoft article explains how to enable plain text viewing of email. Articles for those using Outlook 2003, 2007, and 2010 are also available.

Likewise, Mozilla has published details on how to read messages in plain text for Thunderbird users, and Apple has documentation online for Mavericks, Mountain Lion, and Yosemite.

Phishing scams related to the IRS are common this time of year. The best defense is a good dose of skepticism and logic.

Remember, the IRS would never email you, nor would they ask you to download random files. If someone were to call you on the phone and tell you to expect an email, this too is a scam, as first contact on legitimate tax-related matters would be via the USPS.

In their own words:

“The IRS does not initiate contact with taxpayers by email to request personal or financial information. This includes any type of electronic communication, such as text messages and social media channels. The IRS also does not ask for PINs, passwords or similar confidential access information for credit card, bank or other financial accounts. Recipients should not open any attachments or click on any links contained in the message. Instead, forward the e-mail to”