IRS Impersonation Attack

Fake IRS Tax Forms

This week, Abnormal Security reported a phishing attack on an estimated 15-50 thousand email inboxes. The attack’s purpose was to gain personal information that would allow hackers to perform ID theft or tax refund fraud. The phishing email had victims complete a W-8BEN tax form from the IRS, supplied as a PDF attachment. However, compared with the W-8BEN tax form on the IRS website, the form in the email asks for much more personal information: enough to steal the victim’s identity.

The email appeared to originate from “”; however, a simple check of the sender’s email address revealed a spoofed (faked) message. CyberHoot investigated and determined that no one can send an email directly from this domain except the IRS. All phishing attack messages supposedly from the are easily identified by checking the sender carefully.
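One way a mail filter could automate the sender check described above, as an added example that is not code from CyberHoot or Abnormal Security. It assumes the IRS mail domain is irs.gov (the page does not print it) and that the receiving server stamps an Authentication-Results header; the function names and both sample messages are constructed for illustration.

```python
import re
from email import message_from_string, policy
from email.utils import parseaddr

TRUSTED_DOMAIN = "irs.gov"  # assumption: the IRS's own mail domain, not named on the page

def domain_of(header_value):
    """Return the lower-cased domain of the address in a From/Reply-To header."""
    _, addr = parseaddr(header_value or "")
    return addr.rpartition("@")[2].lower()

def is_trusted(domain):
    return domain == TRUSTED_DOMAIN or domain.endswith("." + TRUSTED_DOMAIN)

def dmarc_result(msg):
    """Return the dmarc= verdict recorded by the receiving server, or 'none'."""
    for value in msg.get_all("Authentication-Results", []):
        m = re.search(r"\bdmarc=(\w+)", str(value), re.I)
        if m:
            return m.group(1).lower()
    return "none"

def sender_findings(raw):
    """Return the reasons the sender of a raw message looks like IRS impersonation."""
    msg = message_from_string(raw, policy=policy.default)
    from_hdr = str(msg.get("From", ""))
    display, _ = parseaddr(from_hdr)
    from_dom = domain_of(from_hdr)
    reply_dom = domain_of(str(msg.get("Reply-To", "")))
    findings = []
    if re.search(r"\b(irs|internal revenue)\b", display, re.I) and not is_trusted(from_dom):
        findings.append("display-name-claims-irs-but-domain-is-" + from_dom)
    if is_trusted(from_dom) and dmarc_result(msg) != "pass":
        findings.append("irs-domain-in-from-without-dmarc-pass")
    if reply_dom and reply_dom != from_dom:
        findings.append("reply-to-domain-differs-" + reply_dom)
    return findings

# Constructed sample messages (not taken from the reported campaign).
SPOOFED = ('From: "IRS Online" <service@irs.gov>\n'
           'Reply-To: forms@tax-forms.example\n'
           'Authentication-Results: mx.example.net; spf=fail; dmarc=fail header.from=irs.gov\n'
           'Subject: W-8BEN renewal\n\nPlease fax the attached form.\n')
LOOKALIKE = ('From: "Internal Revenue Service" <notice@irs-forms.example>\n'
             'Authentication-Results: mx.example.net; dmarc=pass\n\nSee attachment.\n')

if __name__ == "__main__":
    for name, raw in (("spoofed", SPOOFED), ("lookalike", LOOKALIKE)):
        print(name, sender_findings(raw))
```

The first sample shows why the visible From address alone is not enough: the address reads irs.gov, and only the failed DMARC verdict and the mismatched Reply-To give it away.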

The email attack instructed recipients (below) to fill out the W-8BEN form to maintain their non-resident tax exemption status. Although this seems to target non-US citizens, the attack widened its audience by noting that US citizens must indicate their citizenship on the form and return it filled out. The attack concluded by instructing the recipient to fax the form, along with a copy of their passport, to the provided fax number.

The phishing emails contained a PDF attachment that appears harmless: it contains none of the malware or suspicious links that email security solutions typically catch. The attached form (above) asked for personal information such as date of birth, passport number, bank information, and insurance information. By sending the completed form, victims would be handing personal information to criminals, which could ultimately lead to identity theft and credit fraud.

What Can You Do To Stay Secure?

IRS IP PIN Protection

Last week the IRS announced that in January 2021 taxpayers can apply for an Identity Protection Personal Identification Number (IP PIN):

  • It’s a single-use code designed to block identity thieves from fraudulently submitting a tax return in your name and collecting your tax refund; a long-overdue security improvement to the US tax system
  • Everyone should use the ‘Get an IP PIN’ tool at when the portal opens in mid-January
  • CyberHoot recommends that everyone adopt this new security measure to reduce tax refund fraud

Phishing emails have tell-tale signs you can use to quickly and confidently identify them and delete them before they take advantage of you. Ask yourself these questions before proceeding. Was the email:

  1. Unexpected
  2. From a strange email address
  3. Generically addressed (Dear Ma’am, Dear Sir)
  4. Contain spelling, grammar, and punctuation mistakes
  5. Have strange-looking links where you can’t tell what website you’re going to (i.e.:, TinyURL,
  6. Urging you to take critical immediate action of any kind
  7. Contain an attachment you are compelled to open which may contain malware, or in this IRS Fraud case, seek to collect Non-Public Personal Information (NPPI).
  • Password managers refuse to log you into a phishing attack website if you accidentally click on a fake IRS email.
  • Password managers help you eliminate password reuse, a leading cause of account breaches in which hackers reuse a password stolen from website A on website B.
  • Password managers help you choose random, long passwords and eliminate typing them in when authenticating at websites, speeding up your shopping experience.

LOCK access by anyone to your Credit scores

With all forms of identity theft that lead to credit fraud, hackers must have access to your credit scores. Otherwise, no bank can issue credit in your name to the hacker. Therefore, as CyberHoot has often written about, you must lock your credit scores from any inquiries at all four credit agencies as outlined here.

To learn more about the IRS PIN, watch this short 5 minute video:
