IRS scam tricking thousands via social engineering

Impersonating government officials is one of the oldest tricks used by criminals who rely on social engineering. Countless people fall victim to this classic phishing tactic, in which attackers pose as representatives of agencies like Social Security, the FBI, the IRS, and others. This remains true today, as a new report from the security research team at Akamai indicates. In a blog post, Or Katz details a recent IRS scam that raised suspicion among researchers primarily because it was an "out of season" attack. Typically, IRS impersonators pursue victims before the tax season deadline. This particular social engineering campaign, however, was found to hit peak activity in August.

As the report states, the social engineering phishing campaign targets the usual information sought out in these crimes (banking data, passwords, credit card information, and Social Security numbers). The attacks are carried out against websites that have been compromised and made to look like legitimate IRS landing pages. Akamai explains this in more detail:

"According to Akamai's research, this campaign used at least 289 different domains and 832 URLs over 47 days. The same fake IRS login page was used in each instance. Moreover, according to Akamai's visibility into global network traffic, the campaign targeted over 100,000 victims worldwide... A closer look into the content of each domain... reveals that they had identical visual cues. This means the basic look of the IRS website is the same, but it's clear the threat actors are customizing parts of each page. This evasion technique is used with the hope that the landing page itself will remain undetected by security vendors using signature detection to spot phishing attempts... Some of the content changes look as if they were randomly generated, meaning an automatic process was involved in the content generation."

This IRS scam is a cut above simple social engineering, as the criminals behind the phishing campaign clearly have extensive programming knowledge and understand security countermeasures. Though the researchers at Akamai have learned a great deal about the attackers' methodology, they have yet to uncover the identities of the perpetrators. Considering that the campaign appears to still be active, there is always the possibility of new information being discovered.
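
The evasion Akamai describes, one page layout with randomized content on each domain, defeats exact-match signatures but not a comparison of page structure. The Python sketch below is an added example, not code from Akamai or from this article; the sample pages, the function names and the 0.7 threshold are constructed assumptions.

```python
import hashlib
from html.parser import HTMLParser

# Constructed sample pages (not taken from the campaign): A and B share one
# layout but differ in randomized values; C is an unrelated page.
PAGE_A = ('<html><head><title>Account Login</title></head><body>'
          '<div class="x9f2"><img src="logo.png">'
          '<form action="a.php" method="post">'
          '<input type="text" name="user"><input type="password" name="pass">'
          '<input type="submit" value="Sign in"></form></div>'
          '<span style="display:none">qzrw lkpm</span></body></html>')
PAGE_B = ('<html><head><title>Account  Login</title></head><body>'
          '<div class="k41c"><img src="logo.png">'
          '<form action="b.php" method="post">'
          '<input type="text" name="user"><input type="password" name="pass">'
          '<input type="submit" value="Sign in"></form></div>'
          '<span style="display:none">vbtd</span>'
          '<span style="display:none">hjyu oeqa</span></body></html>')
PAGE_C = ('<html><head><title>Blog</title></head><body><h1>Post</h1>'
          '<p>text</p><p>more</p><a href="/next">next</a></body></html>')

class _Skeleton(HTMLParser):
    """Records tag names and attribute names; drops text and attribute values."""
    def __init__(self):
        super().__init__()
        self.tags = []

    def handle_starttag(self, tag, attrs):
        names = ",".join(sorted(name for name, _ in attrs))
        self.tags.append(f"{tag}[{names}]")

def exact_signature(html):
    # Classic signature: changes completely when any byte of the page changes.
    return hashlib.sha256(html.encode("utf-8")).hexdigest()

def shingles(html, k=3):
    # Overlapping runs of k consecutive tags form the structural fingerprint.
    parser = _Skeleton()
    parser.feed(html)
    tags = parser.tags
    return {tuple(tags[i:i + k]) for i in range(max(1, len(tags) - k + 1))}

def similarity(html_a, html_b):
    # Jaccard similarity of the two fingerprints, from 0.0 to 1.0.
    a, b = shingles(html_a), shingles(html_b)
    return len(a & b) / len(a | b)

def same_layout(html_a, html_b, threshold=0.7):
    # threshold is an assumed cut-off; tune it against known-good pages.
    return similarity(html_a, html_b) >= threshold
```

On the constructed pages, A and B have different SHA-256 signatures yet score 0.9 on structure, while the unrelated page C scores well below the threshold.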


Derek Kortepeter

Derek Kortepeter is a graduate of UCLA and a tech journalist who is committed to creating an informed society with regard to Information Security. Kortepeter specializes in areas such as penetration testing, cryptography, cyber warfare, and governmental InfoSec policy.
