IRS Notice of Underreported Income Phishing E-Mail
One of our employees who prepares taxes received the following e-mail at work. The e-mail purports to be from the IRS and has a return address of "Internal Revenue Service" at firstname.lastname@example.org. Much like anything that comes from the IRS, it got our employee's attention, but the employee was vigilant enough to feel that the e-mail smelled fishy: the e-mail was delivered to one employee but the address referenced another employee, it arrived from the internet with the "high importance" flag set, and the IRS never sends a clear text link to an individual's specific tax information.
A sanitized version (where I removed the name that the e-mail ostensibly addressed and the link to the nasty site) of the text of the message is below:
Taxpayer ID: name.redacted-00000174073547US
Tax Type: INCOME TAX
Issue: Unreported/Underreported Income (Fraud Application)
Please review your tax statement on Internal Revenue Service (IRS) website (click on the link below):
review tax statement for taxpayer id: name.redacted-00000174073547US
Internal Revenue Service
From within Outlook, if you right-click on the suspect message and pull up "options," you will get the "Internet Headers" of the e-mail message - these will tell you where the e-mail really came from.
In the case of our e-mail, the pertinent information was the "Received: from" line:
Received: from 6.83-213-46.dynamic.clientes.euskaltel.es (6.83-213-46.dynamic.clientes.euskaltel.es [18.104.22.168])
If this were a valid e-mail from the IRS, the address would have resolved back to the irs.gov domain (just as the spoofed return address claimed to do). In this case, the e-mail appears to be from a spambot computer located on the euskaltel.es ISP.
The link in the e-mail pointed to www.irs.gov.nyusa2b.eu/fraud_application/ - most definitely a phishing site. Although the front of the address looks like an irs.gov site, nyusa2b.eu is the actual domain where the site is located.
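The two checks described above (does the sending host resolve into irs.gov, and which domain does the link really sit on) can be written as a short script. This is an added example, not part of the original post; the function names are illustrative, and the inputs are the "Received: from" line and the link exactly as quoted above.

```python
import re
from urllib.parse import urlsplit

CLAIMED = "irs.gov"  # domain the message claims to come from

# Both samples are copied from the post above.
RECEIVED = ("Received: from 6.83-213-46.dynamic.clientes.euskaltel.es "
            "(6.83-213-46.dynamic.clientes.euskaltel.es [18.104.22.168])")
LINK = "www.irs.gov.nyusa2b.eu/fraud_application/"


def belongs_to(host, domain):
    """True only when host is the domain itself or a subdomain of it."""
    host = host.lower().rstrip(".")
    domain = domain.lower()
    return host == domain or host.endswith("." + domain)


def link_verdict(url, domain):
    """Classify a link against the domain it appears to point to."""
    # urlsplit only fills in hostname when a scheme or leading // is present.
    host = urlsplit(url if "://" in url else "//" + url).hostname or ""
    if belongs_to(host, domain):
        return host, "matches"
    # The trusted name sits in the left-hand labels, where whoever controls
    # the right-hand domain can put anything they like.
    if f".{domain}." in f".{host}.":
        return host, "lookalike"
    return host, "unrelated"


def received_host(header):
    """Return the (name, ip) pair recorded in parentheses by the receiver."""
    m = re.search(r"from\s+\S+\s+\((\S+)\s+\[([^\]]+)\]\)", header)
    return (m.group(1), m.group(2)) if m else (None, None)


def report(received, link, domain):
    sender, _ip = received_host(received)
    host, verdict = link_verdict(link, domain)
    return {"sender_host": sender,
            "sender_in_domain": bool(sender) and belongs_to(sender, domain),
            "link_host": host,
            "link_verdict": verdict}


if __name__ == "__main__":
    for key, value in report(RECEIVED, LINK, CLAIMED).items():
        print(f"{key}: {value}")
```

The comparison is made from the right-hand end of the host name, which is why www.irs.gov.nyusa2b.eu is reported as a lookalike while www.irs.gov matches.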
This e-mail is a good example of why you should be, at a minimum, suspicious of any e-mail that claims to need immediate action or tries to scare you into going to a website.
More information on this phishing e-mail can be found at snopes.com.
If you receive such a phishing e-mail, the IRS has instructions on how to report it. Please note that this is a TinyURL redirector because the IRS uses URLs that interfere with the tsbbank.com "leaving this page" warning. The real URL of the IRS Phishing Report page is http://www.irs.gov/privacy/article/0,,id=179820,00.html