Cybersecurity, Phishing Attacks from IRS Lookalike

Malicious messages, known as phishing emails, are taking advantage of tax season and COVID-related concerns.

During the coronavirus pandemic, cybercriminals have exploited the public’s COVID-related concerns. Recent email attacks mimic the Internal Revenue Service (IRS) brand and promise access to COVID-19 aid. Attackers know that many people are anticipating financial relief measures, and their malicious messages, known as phishing emails, take advantage of the public’s heightened interest in this topic.

How to Protect Yourself

Cybercriminals are actively using IRS- and coronavirus-themed phishing attacks to target recipients at work and at home. These tips can help you stay safe:
  • Familiar logos and branding make phishing attacks look like legitimate emails. Look at emails carefully. It’s easy for attackers to design emails that look safe and legitimate at first glance.
  • Look for misspellings and poor grammar. The email example shown in Image 1 below contains multiple mistakes. This is a clear indication that the email is malicious.
  • Don’t click “Enable content” or “Enable macros” in any file unless you confirm that it is safe.
  • Check whether an unsolicited/unexpected email is legitimate before you interact with it, especially if the IRS or COVID-19 is mentioned in any way.
  • Update your software applications and your operating system (OS) if they aren't on the most recent versions.
Please report any suspicious emails to report-spam@illinois.edu. If you have clicked on any suspicious links or suspect that your machine has been infected with malware, send a message to security@illinois.edu right away.

About the Attack

Below is an example of a recent phishing email used in a two-step attack designed to spread malicious software, also known as malware. This malware, once downloaded, can steal personal banking information and credentials (email addresses and passwords).
The example shown in Image 1 below (partially disguised for privacy and safety) includes the IRS logo to establish credibility, and it appears to come from the “IRS Rescue Plan Dept.” It sometimes uses the subject line “IRS Rescue Plan Act,” but it also uses these subject lines:
  • Joe Biden Rescue Plan Act
  • IRS Rescue Plan Form
  • President's Rescue Plan Act
Image 1: Phishing email example

Clicking the “Get apply form” button in this example causes an Excel file to appear. As shown in Image 2, the file includes a prompt to “Enable content,” which triggers a malware infection.
Image 2: Excel file prompt, which leads to malware
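
For mail administrators and responders, the subject lines and sender display name described above can be turned into a simple triage check. The Python below is an added example, not part of the original advisory; the function names and sample messages are constructed, and it assumes genuine IRS mail is sent from irs.gov or one of its subdomains.

```python
import re
from email import message_from_string
from email.utils import parseaddr

# Subject lines listed in the advisory above.
CAMPAIGN_SUBJECTS = {
    "irs rescue plan act",
    "joe biden rescue plan act",
    "irs rescue plan form",
    "president's rescue plan act",
}
# Assumption: genuine IRS mail is sent from irs.gov or a subdomain of it.
TRUSTED_DOMAIN = "irs.gov"


def normalize(text):
    """Lowercase, unify curly apostrophes, drop Re:/Fw:/Fwd: prefixes and extra spaces."""
    text = text.replace("\u2019", "'").lower()
    text = re.sub(r"^\s*((re|fwd?)\s*:\s*)+", "", text)
    return re.sub(r"\s+", " ", text).strip()


def triage(raw_message):
    """Return the reasons a raw message matches the traits described in the advisory."""
    msg = message_from_string(raw_message)
    reasons = []
    if normalize(str(msg.get("Subject", ""))) in CAMPAIGN_SUBJECTS:
        reasons.append("subject")
    display, address = parseaddr(str(msg.get("From", "")))
    domain = address.rpartition("@")[2].lower()
    trusted = domain == TRUSTED_DOMAIN or domain.endswith("." + TRUSTED_DOMAIN)
    # A display name that claims to be the IRS on a non-IRS address is a lookalike.
    if re.search(r"\birs\b", display, re.I) and not trusted:
        reasons.append("display-name-mismatch")
    return reasons


# Constructed sample messages (not real mail).
LOOKALIKE = (
    'From: "IRS Rescue Plan Dept." <forms@mail.example.net>\n'
    "Subject: Re: President\u2019s  Rescue Plan Act\n\nGet apply form\n"
)
UNRELATED = (
    "From: Payroll <payroll@example.edu>\n"
    "Subject: Timesheet reminder\n\nPlease submit by Friday.\n"
)

if __name__ == "__main__":
    for name, raw in (("lookalike", LOOKALIKE), ("unrelated", UNRELATED)):
        print(name, triage(raw))
```

A match is a reason to review the message, not proof that it is malicious; a message that matches neither check can still be phishing.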
