Tax season is always ripe with attacks, ranging from the simple to the sophisticated.
This particular attack showcases a truly well-crafted and deceptive phishing email that exploits a form used by immigrants. The email, which was missed by ATP but caught by Avanan, spoofs a standard IRS email address to look more legitimate.
As a reminder, the IRS will never email or call first. They will only initiate correspondence via postal mail.
When a person checks the sender address and sees what looks like an IRS email address, they may feel relieved and start trusting the email. End-users have been trained to inspect the sender address. On first glance, that checks out.
Here's what the email looks like. Notice when you mouse over the sender address it has an irs.gov address:
There's a few interesting things of note here.
The “From” address is made to look legitimate, but further analysis shows that the actual sender is a domain from Indonesia.
Throughout, there are Non-ASCII characters to confuse natural language AI. See here:
In this snippet, you can see that they claim that, after you send in the first form, they will send you a W9095. This form does not exist, and has been used in past IRS-related phishing schemes.
There are also a number of grammatical errors throughout.
Additionally, the whole document has a sense of urgency to it—which is phishing 101—even asking the user to fax the completed document to the provided fax number.
The text in the body of the email has been around for a few years in various different versions, but what makes this email unique is the attachment. This is what what the attachment looks like:
The email attachment is a W-8BEN form. This form is legitimate, but it's not actually filed with the IRS. This particular version of the form has been modified to include one small detail: a malicious fax number. The attacker also included a PamFax.biz hyperlink that would further exploit any user who might already be logged into a PamFax account or may not know how to send a fax.
Avanan detected this email and quarantined it right away for a few key reasons:
- Sender had an insignificant historical reputation with this domain, meaning no one in the organization had previously communicated with the Indonesian domain. That makes it all the more suspicious when an unknown sender sends attachments with financial terms
- Avanan's Natural Language Processing AI detected keywords in the email that indicated that this was finance-related
- Avanan detected numerous non-ASCII characters in the body
- Avanan detected links present in the attachment
- There were various DMARC check fails