A Look at an IRS Email Scam

A client of ours arrived at work to discover an email from the IRS in her inbox. Concerned about its legitimacy, she contacted us. Below is a copy of the email.

The first hint that this is fake, for those who haven't heard the IRS announcements that they will never email you, is that the email was in her Junk mail. Typically, important or legitimate emails don't get routed directly to the Junk mail box. Sure, it happens occasionally, but it's certainly an easy first test of legitimacy.

As per their MO we see the scammers are hoping to work on people's fear instead of common sense, with the last line being the threat of "Failure to comply..."

Upon opening the HTML page, the victim is routed to a submission form asking for all the juicy details everyone in the identity theft business is dying to get their hands on: Social Security number, first and last name, date of birth, and address, all of this for both you and a spouse when applicable. For anyone who hit submit, consider your identity stolen.

Beyond the numerous IRS bulletins that they won't email you, take a look at the sending email address. Sure, it says "[email address removed]", but next to it in the <> can sometimes be the actual address it's sending from. This is not always the case, but it is a good quick check when you're unsure of an email. In this case you see "<[email address removed]>". That should stand out for two reasons: one, the two addresses don't match, and two, the <> address isn't a .GOV email address.

So who is enta.net? This is one of our favorite questions when a scam email comes in: has someone had their password compromised, or is their email address being spoofed? Enta.net is an ISP located in Shropshire, UK, and the IP address that sent the email is allocated through RIPE, which is the European version of ARIN (American Registry for Internet Numbers). So if you weren't certain before that this is a scam, there is certainly not a European IRS office needing all your personal information.

Finding this email and its origins interesting, we looked further into the email headers and found that the email passed authentication based on domain name and sending IP address. And now you're thinking, can't you just speak English?!?! Basically, what that means is that this is not spoofed, but those involved have likely compromised a password. There are other options, but we'll keep it simple here.
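The two header checks described above (the displayed address versus the address in the <>, and whether the message passed authentication for its sending domain) can be scripted. This is an added example, not part of the original post; the sample message, its addresses and the function name `triage` are constructed for illustration, and it assumes the Authentication-Results header was written by your own mail server.

```python
import re
from email import message_from_string
from email.utils import parseaddr

# Constructed sample message (not the email from this post); every name and
# address is a placeholder.
SAMPLE = """\
Authentication-Results: mx.example.org; spf=pass smtp.mailfrom=isp.example.net; dkim=pass header.d=isp.example.net
From: "notices@agency.example.gov" <user1234@isp.example.net>
To: client@example.org
Subject: Tax notice

Failure to comply...
"""

def triage(raw, expected_suffix=".gov"):
    """Return findings for the header checks described in the post."""
    msg = message_from_string(raw)
    display, addr = parseaddr(msg.get("From", ""))
    domain = addr.rpartition("@")[2].lower()
    findings = []

    # Check 1: an address shown as the display name that differs from the
    # real address inside the <>.
    shown = re.search(r"[\w.+-]+@[\w.-]+", display)
    if shown and shown.group(0).lower() != addr.lower():
        findings.append("display-name-mismatch")

    # Check 2: the real sending domain is not under the expected suffix.
    if not domain.endswith(expected_suffix):
        findings.append("unexpected-domain")

    # Check 3: SPF or DKIM passed for that same domain. Combined with the
    # findings above, this points to a real (possibly compromised) account
    # rather than a spoofed From address.
    results = " ".join(" ".join(msg.get_all("Authentication-Results", [])).split()).lower()
    passed = dict(re.findall(r"\b(spf|dkim)=(\w+)", results))
    authed = set(re.findall(
        r"(?:smtp\.mailfrom|header\.d)=(?:[^\s;@]*@)?([\w.-]+)", results))
    if "pass" in passed.values() and domain in authed:
        findings.append("authenticated-sender")
    return findings

if __name__ == "__main__":
    print(triage(SAMPLE))
```

Only trust an Authentication-Results header added by your own receiving server; one carried in from outside proves nothing.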

This brings up an important point about your identity and online scams: while some are domestic, most are international. If you've stopped to consider how difficult it is for police to deal with crimes from one state to another, now imagine the international issues. That is not us championing any kind of world police, but rather a desire to see people better educated on the dangers out on the Internet, and to ask everyone to always err on the side of caution rather than entering vital personal information into a website without a second thought.
