The Internal Revenue Service (IRS) has issued a warning to U.S. taxpayers and tax professionals about a new nationwide phishing campaign that is spreading keylogging malware.
The emails appear to have been sent by the IRS and alert taxpayers and tax professionals to an issue with their electronic tax returns. Users are required to click the link in the email to access information about their tax refund.
The emails include a hyperlink that directs the user to a webpage that closely resembles the IRS.gov website. A one-time password is provided in the email which the user needs to enter when logging in to confirm their identity.
The user is told they must download a file containing their tax information. Downloading the file will install malware on the user’s device. The malware is capable of logging keystrokes and obtaining login information, which could lead to the attacker taking full control of an infected device.
Two subject lines have been detected in this campaign: “Automatic Income Tax reminder” and “Electronic Tax Return Reminder.” Several IRS-themed URLs are being used in this campaign. While the IRS has taken steps to shut down the malicious URLs, it is proving to be a challenge due to the number of URLs and compromised websites being used in this campaign.
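For mail administrators, the traits described above (the two reported subject lines, an IRS-branded sender, and links that do not lead to IRS.gov) can be turned into a simple triage check. The following is an added example, not code from the IRS or from this article; the function names, reason labels, and sample messages are constructed for illustration.

```python
import re
from email import message_from_string
from email.utils import parseaddr
from urllib.parse import urlparse

# Subject lines reported for this campaign (taken from the article).
CAMPAIGN_SUBJECTS = {"automatic income tax reminder",
                     "electronic tax return reminder"}
URL_RE = re.compile(r"https?://[^\s\"'<>]+", re.I)
IRS_CLAIM_RE = re.compile(r"\birs\b|internal revenue", re.I)

def is_irs_host(host):
    host = (host or "").lower().rstrip(".")
    return host == "irs.gov" or host.endswith(".irs.gov")

def body_text(msg):
    parts = msg.walk() if msg.is_multipart() else [msg]
    return "\n".join(p.get_payload(decode=True).decode("utf-8", "replace")
                     for p in parts if p.get_content_maintype() == "text")

def triage(raw):
    """Return the reasons a raw message resembles the lure described above."""
    msg = message_from_string(raw)
    subject = " ".join((msg.get("Subject") or "").split())
    display, addr = parseaddr(msg.get("From", ""))
    reasons = []
    if subject.lower() in CAMPAIGN_SUBJECTS:
        reasons.append("campaign-subject")
    # From headers can be forged, so a matching domain proves nothing by itself.
    claims_irs = bool(IRS_CLAIM_RE.search(display + " " + subject)) or bool(reasons)
    if claims_irs and not is_irs_host(addr.rpartition("@")[2]):
        reasons.append("irs-claim-sender-mismatch")
    hosts = {urlparse(u).hostname for u in URL_RE.findall(body_text(msg))}
    if claims_irs and any(not is_irs_host(h) for h in hosts):
        reasons.append("non-irs-link")
    return reasons

# Constructed sample messages (not real campaign mail; .example is reserved).
PHISH = ('From: "IRS Online" <refunds@irs-refund-status.example>\n'
         'Subject: Electronic Tax Return Reminder\n\n'
         'Log in at http://irs-gov.refund.example/login to view your refund.\n')
BENIGN = ('From: "Tax Prep Weekly" <news@newsletter.example>\n'
          'Subject: Filing season tips\n\n'
          'See https://www.irs.gov/refunds for details.\n')
```

Any non-empty result from `triage` is a reason to quarantine the message for review rather than a verdict, since the campaign also uses compromised websites whose hostnames carry no IRS branding.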
In its warning, the IRS explained that contact is never initiated by email, text message, or social media networks and that the IRS never asks for sensitive information such as credit card information, passwords, or PIN numbers to be disclosed via email.
The IRS does demand payment of taxes but does not demand immediate payment using a specific payment method such as a wire transfer or gift card.
If a suspicious email is received that claims to have been sent from the IRS and includes a request for personal information, do not click any links in the email. Instead, forward the message to [email protected].
IRS-themed phishing emails are common during tax season, but this campaign shows that taxpayers and tax professionals always need to be on their guard and alert to the threat of phishing attacks.