This content is viewable by Everyone

Feb 2023: Phishing Attacks Distribute IRS Notice-Themed Lures

Threat Alert: What to Watch For

  • Cybercriminals have launched a series of phishing attacks using timely tax-themed lures. 
  • While the email from field says “Irs notice” and then the name of the organization, the sending address is a Madwire account.
  • The phishing emails contain an HTML attachment allegedly containing delivery details about a tax related USPS letter. Opening the attachment leads to a lookalike Microsoft login page designed to steal credentials. 
  • While the Microsoft login page may contain a targeted organization’s name or branding, the URL contains suspicious strings of numbers and letters.  

Key Action: Report Suspicious Emails

  • Report ANY suspicious emails using the Phish Alarm button in your email menu bar. 
  • Remember: Our organization occasionally sends phishing simulations that are used to evaluate the potential impact of a real phishing attack. Report any emails that match the tactics described above. 
  • If a reported message is a simulation, you will see a notification alerting you to that. No further action is needed on your part. 
  • If a reported message was not a simulation, and you are concerned about a time-sensitive request, you must take additional steps to verify the email is valid before acting on it. 

Tips to Remember (at Work and at Home)

  • Go beyond surface clues. Familiar logos, branding, and names are not automatic indicators that an email or website is safe. Cybercriminals often imitate well-known organizations.  
  • Verify the legitimacy of any unsolicited/unexpected email before you interact with it, especially if it directs you to click on a link or asks you to provide credentials. It can be tempting to click on a “call-to-action.” But if you notice a subtle change or inconsistency within a message, don’t ignore it—report it.
  • Remain alert to phishing indicators. Mismatches between sending addresses and an organization’s name are always warning signs, as are login pages that may contain organizational branding but have strange or unfamiliar URLs. Additionally, organizations misspelling or incorrectly styling their own names should always be considered a warning sign. 
Tax phishing lure indicators 1
Tax Phish Indicators 2