The IRS is being impersonated by scammers in an email making the rounds and using “tax transcripts” as bait to entice people to open attachments laced with malware.
In its newswire IR-2018-226, the IRS and Security Summit partners warned that the scam is particularly troublesome for businesses whose employees might open the malware, known as Emotet, since it can spread throughout a company’s network and take months to remove successfully.
Emotet usually masquerades as specific banks and financial institutions in trying to trick people into opening infected documents. This is not the first appearance of Emotet, but what’s new is its guise as the IRS. It pretends to be from “IRS Online,” and contains an attachment labeled “Tax Account Transcript” or something similar. The subject line uses some variation of the phrase “tax transcript.”
These particular giveaways can change, however, with each new version of the malware, and the IRS says that “[s]cores of these malicious Emotet emails were forwarded to firstname.lastname@example.org recently.”
Back in July, the U.S. Computer Emergency Readiness Team (US-CERT) issued a warning about earlier versions of Emotet in Alert (TA18-201A) Emotet Malware.
In addition, US-CERT has labeled the Emotet Malware “among the most costly and destructive malware affecting state, local, tribal, and territorial (SLTT) governments, and the private and public sectors.”
The IRS reminds taxpayers in its report that it does not send unsolicited emails to the public. It also would not email a sensitive document such as a tax transcript, which is a summary of a tax return.
Taxpayers who receive a copy of Emotet on their personal computers are urged not to open the email or the attachment, but to delete it or forward the email to email@example.com. If Emotet comes in on an employer’s computer, workers are urged to notify the company’s technology professionals.