IRS Notice of Underreported Income Phishing E-Mail

One of our employees who prepares taxes received the following e-mail at work. The e-mail purports to be from the IRS and has a return address of "Internal Revenue Service" at no-reply@irs.gov. Much like anything that comes from the IRS, it got our employee's attention, but the employee was vigilant enough to feel that the e-mail smelled fishy. There were several warning signs: the e-mail was delivered to one employee but the address referenced another employee, it was delivered from the internet with the "high importance" flag set, and the IRS never sends a clear-text link to an individual's specific tax information.

A sanitized version of the text of the message is below (I removed the name that the e-mail ostensibly addressed and the link to the nasty site):


Taxpayer ID: name.redacted-00000174073547US
Tax Type: INCOME TAX
Issue: Unreported/Underreported Income (Fraud Application)
Please review your tax statement on Internal Revenue Service (IRS) website (click on the link below):

review tax statement for taxpayer id: name.redacted-00000174073547US 


Internal Revenue Service


From within Outlook, if you right-click on the suspect message and pull up "options,"  you will get the "Internet Headers" of the e-mail message - these will tell you where the e-mail really came from.

In the case of our e-mail, the pertinent information was the "Received: from" line:


Received: from 6.83-213-46.dynamic.clientes.euskaltel.es (6.83-213-46.dynamic.clientes.euskaltel.es [83.213.46.6])


If this were a valid e-mail from the IRS, the address would have resolved back to the irs.gov domain (just as the spoofed return address claimed to do). In this case, the e-mail appears to be from a spambot computer located on the euskaltel.es ISP.

The link in the e-mail pointed to www.irs.gov.nyusa2b.eu/fraud_application/, which is most definitely a phishing site. Although the front of the address looks like an irs.gov site, nyusa2b.eu is the actual domain where the site is located.
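Both checks described above (where the message really came from, and which domain the link really belongs to) can be scripted. The following is an added example, not part of the original post: the function names are hypothetical, and the sample message is constructed from the header and link quoted above, with an assumed http:// scheme on the link.

```python
import re
from email import message_from_string
from email.utils import parseaddr
from urllib.parse import urlsplit

# Constructed sample: the Received line, return address and link quoted on this page.
# The "http://" scheme on the link is an assumption.
SAMPLE = '''\
Received: from 6.83-213-46.dynamic.clientes.euskaltel.es (6.83-213-46.dynamic.clientes.euskaltel.es [83.213.46.6])
From: "Internal Revenue Service" <no-reply@irs.gov>

Please review your tax statement: http://www.irs.gov.nyusa2b.eu/fraud_application/
'''

def in_domain(host, domain):
    """True only if host is the domain itself or a subdomain (match on a label boundary).
    A substring test such as `"irs.gov" in host` would wrongly accept the phishing host."""
    host, domain = host.rstrip(".").lower(), domain.rstrip(".").lower()
    return host == domain or host.endswith("." + domain)

def received_hosts(msg):
    """(name, ip) pairs from 'Received: from helo (name [ip])' header lines.
    Only lines added by your own mail server are trustworthy; older ones can be forged."""
    pat = re.compile(r"from\s+\S+\s+\((\S+)\s+\[([0-9A-Fa-f.:]+)\]\)")
    return [m.groups() for h in msg.get_all("Received", []) if (m := pat.search(h))]

def link_hosts(msg):
    """Hostname of every http(s) link in the body, i.e. the host a browser would contact."""
    urls = re.findall(r"https?://[^\s<>\"']+", msg.get_payload())
    return [urlsplit(u).hostname or "" for u in urls]

def review(raw):
    """Compare the domain claimed in From: with the relay and link hosts; return findings."""
    msg = message_from_string(raw)
    claimed = parseaddr(msg.get("From", ""))[1].rpartition("@")[2]
    findings = []
    for name, ip in received_hosts(msg):
        if not in_domain(name, claimed):
            findings.append(f"relay {name} [{ip}] is outside {claimed}")
    for host in link_hosts(msg):
        if not in_domain(host, claimed):
            findings.append(f"link host {host} is outside {claimed}")
    return claimed, findings

if __name__ == "__main__":
    claimed, findings = review(SAMPLE)
    print(f"From: claims {claimed}")
    for finding in findings:
        print(" -", finding)
```

A relay outside the claimed domain is a reason to look closer rather than proof of fraud, since legitimate senders sometimes deliver through third-party mail providers.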

This e-mail is a good example of why you should be, at a minimum, suspicious of any e-mail that claims to need immediate action or tries to scare you into going to a website.

More information on this phishing e-mail can be found at snopes.com.

If you receive such a phishing e-mail, the IRS has instructions on how to report it. Please note that the link is a TinyURL redirector because the IRS uses URLs that interfere with the tsbbank.com "leaving this page" warning. The real URL of the IRS Phishing Report page is http://www.irs.gov/privacy/article/0,,id=179820,00.html