IRS Phishing Scam Used to Spread Keylogging Malware

Taxpayers and businesses have been warned of a new IRS phishing scam being used to spread keylogging malware.

The hackers design the emails to appear as though the IRS is reminding taxpayers and tax professionals about an issue with their electronic tax returns. The emails include a link that the user is invited to click to access information about their tax refund.

The hyperlink directs the user to a webpage of the hacker’s creation that mimics the IRS website. A one-time password is provided in the email, which the user needs to enter when logging in to the fake site to ‘confirm their identity’.

The user is told they must download a file containing their tax information. Unsuspecting users who download the file unwittingly install keylogging malware onto their device. 

Keylogging malware records keystrokes to harvest login credentials. With these credentials, a hacker could commit serious identity fraud and take control of the user’s accounts or device.

Security researchers have identified two different email subject lines that hackers are using in this campaign: “Automatic Income Tax reminder” and “Electronic Tax Return Reminder.” Users should be wary of any emails with subject lines identical or similar to these.

The hackers have created several different spoof-IRS URLs for the campaign. The IRS has taken steps to shut down the known malicious URLs. However, stopping the campaign is challenging because of the number of URLs and compromised websites involved.
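As an added illustration (not code from the IRS or the researchers), the traits described above can be turned into a simple mail-triage check: the two reported subject lines, a sender or link that is not on irs.gov, and a one-time password in the body. The function names, reason labels and sample messages are assumptions constructed for this example.

```python
import re
from email import message_from_string
from email.utils import parseaddr
from urllib.parse import urlparse

# Subject lines the article reports for this campaign, lower-cased.
CAMPAIGN_SUBJECTS = ("automatic income tax reminder", "electronic tax return reminder")
URL_RE = re.compile(r"https?://[^\s\"'<>]+", re.I)

def is_irs_host(host):
    """True only for irs.gov or a genuine subdomain, not look-alikes."""
    host = (host or "").lower().rstrip(".")
    return host == "irs.gov" or host.endswith(".irs.gov")

def triage(raw_message):
    """Return the reasons a raw RFC 5322 message matches the lure described above."""
    msg = message_from_string(raw_message)
    subject = " ".join(str(msg.get("Subject", "")).lower().split())
    sender_name, sender_addr = parseaddr(str(msg.get("From", "")))
    body = ""
    for part in msg.walk():  # collect every text part, decoded
        if part.get_content_maintype() == "text":
            raw = part.get_payload(decode=True) or b""
            body += raw.decode(part.get_content_charset() or "utf-8", "replace")
    reasons = []
    if any(s in subject for s in CAMPAIGN_SUBJECTS):
        reasons.append("campaign-subject")
    claims_irs = bool(reasons) or re.search(r"\birs\b", sender_name, re.I) is not None
    if claims_irs and not is_irs_host(sender_addr.rpartition("@")[2]):
        reasons.append("sender-not-irs.gov")
    off_site = [u for u in URL_RE.findall(body) if not is_irs_host(urlparse(u).hostname)]
    if claims_irs and off_site:
        reasons.append("link-off-irs.gov")
    if claims_irs and re.search(r"one[- ]time password", body, re.I):
        reasons.append("otp-in-body")
    return reasons

# Constructed sample messages (not real campaign mail); .example hosts are reserved.
LURE = (
    "From: IRS Online <refunds@irs-gov.example>\n"
    "Subject: Electronic Tax  Return Reminder\n\n"
    "Your one-time password is 000000. View your refund at\n"
    "http://irs.gov.refund.example/login\n"
)
BENIGN = (
    "From: Newsletter <news@shop.example>\n"
    "Subject: Weekly deals\n\n"
    "See http://shop.example/deals\n"
)
```

Exact subject matching only catches the two reported lines, so the sender and link checks carry the weight when the wording changes.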

The IRS has issued an official warning to taxpayers about the danger of such phishing emails. In its warning, the agency reiterated that it never initiates contact with an individual by email, text message, or social media networks. It also reminded users that the IRS never asks for sensitive information such as credit card information, passwords, or PINs to be disclosed via email. Should a user receive an email or other communication asking for this information, it is likely to be a scam.

The IRS does demand payment of taxes but does not demand immediate payment using a specific payment method such as a wire transfer or gift card.

If a suspicious email is received that claims to have been sent from the IRS and includes a request for personal information, do not click any links in the email. Instead, forward the message to

Hackers often design their emails to appear as though they are from the IRS during tax season. This campaign shows that taxpayers and tax professionals always need to be on their guard and alert to the threat of phishing attacks.