How I (Almost) Fell for an IRS Scam Email

IRS SCAMWe read about it all the time: Malware that spreads by email through malicious attachments. It was one of the first ways malicious programs spread on the internet and new malware continues to use this method to spread for one simple reason – It works.

As someone who has been around and taught others how to avoid these kinds of scams for years, I like to think I’m pretty much immune to this kind of trickery. But an email we received today made me reconsider. I fell for an IRS scam email. Well, almost.

The incident started when a member of our support team asked me for help handling a serious looking email: “Hey, I’ve got a ticket that needs your or Carl’s attention. Probably Carl’s. It’s regarding taxes, and it’s actually from IRS.GOV

That sounds serious. I should probably see what’s going on. “Send it over to me.

He was right, the email did claim to be from the IRS. Hmm.


Subject: Your FED TAX payment ( ID : 79YIRS062755509 ) was Rejected

Gee, that looks important. An email from an address about a tax payment being rejected. I should probably pay attention to what it says.

The body of the email gave some more important sounding information:

Your federal Tax payment (ID: 79YIRS062755509), recently sent from your checking account was returned by the your financial institution.For more information, please download notification, using your security PIN 55178. Transaction Number: 79YIRS062755509

Payment Amount: $ 5410.00
Transaction status: Rejected

ACH Trace Number: 730273539869094
Transaction Type: ACH Debit Payment-DDA
Internal Revenue Service, Metro Plex 1, 8401 Corporate Drive, Suite 300, Landover, MD 20785.

Uh oh. This seems serious. Looks like an automated message about a tax payment gone wrong. And the IRS doesn’t play around. Well, shoot, what do I do now?

Wait a minute. This email has an attachment too. That’s strange… Generally automated emails don’t come with ZIP files attached, especially about tax information.

2013-12-26 13_52_04-C__Users_Anthony.Patarini_Downloads_Dangerous

OK, this is starting to make sense now. But normally these scam emails look a little less professional. This one is kind of clever. OK, shields up!

Let’s see what’s in this ZIP file. (Kids, don’t try this at home.) I opened the file up in a virtual machine with no internet access. This allows me to handle dangerous files without much risk of infecting the rest of my computer or network.

2013-12-26 13_53_38-C__Users_Anthony.Patarini_Downloads_Dangerous_Tax payment

Inside the ZIP file is what appears to be a PDF file. That makes sense, I guess. You’d expect your tax information to come in a PDF file right. Wait. That icon looks a little off. I wonder what happens if you view the Properties of this file…

2013-12-26 13_54_23-Tax payment Properties

It’s a trap! As I’d suspected, there is more to this file than meets the eye. It’s not really a PDF file. It’s a program disguised as a PDF file. As soon as someone tries to open this file the program infects the computer, probably with some kind malware designed to steal bank account credentials and add any infected computers to a botnet.

There are a few things that can be learned from this situation:

1. Scammers can fake the sending address of their emails

The email I received said it was sent by someone at In reality, someone just faked the identifying information on the email to make it look like it came from the IRS.

2. Don’t trust unexpected attachments

Unless you’re expecting an email with an attachment from someone, don’t open email attachments if you can possibly avoid it. Malware authors have gotten very good at hiding malicious code.

3. Keep your antivirus and antispyware software up to date, but don’t assume it’s invincible!

After doing a little more research, it looks like we’re not the only ones who received this email. It just started spreading today, and at the time I started writing this only 3 or 4 anti-virus programs detected this file as dangerous. I’m sure that number has grown dramatically by the time you’re reading this. But if I’d actually opened that attachment and run the program, my antivirus program wouldn’t have caught it. This malware was so new that antivirus companies hadn’t had a chance to update their programs to detect it yet! Keep yourself and your computer safe, don’t open attachments!

0 replies

Leave a Comment

Leave a Reply

Your email address will not be published.