IRS scam tricking thousands via social engineering

One of the oldest tricks for criminals who use social engineering is impersonating government officials. Countless people fall victim to this classic phishing tactic, in which attackers pose as representatives of agencies like Social Security, the FBI, the IRS, and others. This remains true today, as a new report from the security research team at Akamai indicates. In a blog post, Or Katz details a recent IRS scam that raised suspicion among researchers primarily because it was an "out of season" attack. Typically, when IRS impersonators go after victims, they pursue them prior to the tax season deadline. This particular social engineering campaign, however, was discovered to hit peak activity in August.

As the report states, the phishing campaign targets the information usually sought in these crimes: banking data, passwords, credit card information, and Social Security numbers. The attackers compromise websites and make them look like legitimate IRS landing pages. Akamai explains this in more detail:

According to Akamai’s research, this campaign used at least 289 different domains and 832 URLs over 47 days. The same fake IRS login page was used in each instance. Moreover, according to Akamai’s visibility into global network traffic, the campaign targeted over 100,000 victims worldwide... A closer look into the content of each domain... reveals that they had identical visual cues. This means the basic look of the IRS website is the same, but it’s clear the threat actors are customizing parts of each page. This evasion technique is used with the hope that the landing page itself will remain undetected by security vendors using signature detection to spot phishing attempts... Some of the content changes look as if they were randomly generated, meaning an automatic process was involved in the content generation.

This IRS scam is a cut above simple social engineering, as the criminals behind the phishing campaign clearly have extensive programming knowledge and understand security countermeasures. Though the researchers at Akamai have learned a great deal about the attackers’ methodology, they have yet to uncover the identities of the perpetrators. Considering that the campaign appears to still be active, there is always the possibility of new information being discovered.
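The detection gap described in the Akamai excerpt, shown from the defender's side as an added example (not code from Akamai or from this article): an exact-hash signature breaks when page content is randomized, while a fingerprint of the page layout still matches. The sample pages are constructed, and the assumption that the randomized parts are attribute values and filler text is ours, not the report's.

```python
import hashlib
from html.parser import HTMLParser

class TagSequence(HTMLParser):
    """Record opening tags and attribute names; ignore text and attribute values."""
    def __init__(self):
        super().__init__()
        self.tags = []

    def handle_starttag(self, tag, attrs):
        names = ",".join(sorted(name for name, _ in attrs))
        self.tags.append(f"{tag}[{names}]")

def exact_signature(html):
    """Byte-level signature: changes whenever any character changes."""
    return hashlib.sha256(html.encode("utf-8")).hexdigest()

def structure_shingles(html, n=3):
    """Set of n-grams over the tag sequence, a fingerprint of page layout."""
    parser = TagSequence()
    parser.feed(html)
    tags = parser.tags
    return {tuple(tags[i:i + n]) for i in range(len(tags) - n + 1)}

def similarity(page_a, page_b):
    """Jaccard similarity of two pages' layout fingerprints (0.0 to 1.0)."""
    a, b = structure_shingles(page_a), structure_shingles(page_b)
    return len(a & b) / len(a | b) if a | b else 0.0

def matches_known_kit(page, known_page, threshold=0.8):
    """Hypothetical helper: flag a page whose layout matches a known sample."""
    return similarity(page, known_page) >= threshold

# Constructed sample pages (assumption: only attribute values and filler vary).
TEMPLATE = ('<html><head><title>{t}</title></head><body class="{c}">'
            '<div id="{d}"><img src="logo.png"><form method="post">'
            '<input name="user"><input name="pass" type="password">'
            '<button>Login</button></form><p>{filler}</p></div></body></html>')
VARIANT_A = TEMPLATE.format(t="Sign in", c="x9f2k", d="qz81", filler="lorem kd82 ja")
VARIANT_B = TEMPLATE.format(t="Sign in", c="m3vw7", d="p0ar", filler="zz81 ipsum q")
UNRELATED = ('<html><head><title>Blog</title></head><body><h1>Posts</h1>'
             '<ul><li><a href="/a">A</a></li><li><a href="/b">B</a></li></ul>'
             '<p>Hello</p></body></html>')

if __name__ == "__main__":
    print("hashes equal:", exact_signature(VARIANT_A) == exact_signature(VARIANT_B))
    print("variant similarity:", similarity(VARIANT_A, VARIANT_B))
    print("unrelated similarity:", round(similarity(VARIANT_A, UNRELATED), 3))
```

The 0.8 threshold is illustrative; in practice it would be tuned against known-good pages to keep false positives down.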


Derek Kortepeter

Derek Kortepeter is a graduate of UCLA and a tech journalist who is committed to creating an informed society with regard to information security. Kortepeter specializes in areas such as penetration testing, cryptography, cyber warfare, and governmental InfoSec policy.
