IRS warns of “Tax Transcript” email scam; dangers to business networks

The IRS and Security Summit partners have issued a warning about a surge of fraudulent emails impersonating the IRS and using tax transcripts as bait to entice users to open documents containing malware.

The scam is especially problematic for businesses whose employees might open the malware, because it can spread throughout a network and potentially take months to remove.

The malware, known as Emotet, generally poses as specific banks and financial institutions to trick people into opening infected documents. It recently has pretended to be from “IRS Online.” The scam email carries an attachment labeled “Tax Account Transcript” or something similar, and the subject line uses some variation of the phrase “tax transcript.”

These clues can change with each version of the malware. Scores of these malicious Emotet emails were recently forwarded to phishing@irs.gov.

The IRS does not send unsolicited emails to the public, nor would it email a sensitive document such as a tax transcript. The service urges taxpayers not to open such emails or attachments. If using a personal computer, delete or forward the scam email to phishing@irs.gov. If you see these using an employer’s computer, notify the company’s technology professionals.

The United States Computer Emergency Readiness Team (US-CERT) issued a warning in July about earlier versions of the Emotet in Alert (TA18-201A) Emotet Malware.

US-CERT has labeled the Emotet Malware “among the most costly and destructive malware affecting state, local, tribal and territorial (SLTT) governments, and the private and public sectors.”