A top antivirus software purveyor issued a warning about a scam targeting taxpayers with false Internal Revenue Service (IRS) forms that lure people into downloading malware.
MalwareBytes, in a release, said it “found an email being sent out with the title of ‘IRS Tax Forms W-9’ which appears to have been sent from ‘IRS Online Center,’” But the email, which contains an attachment and very little text, has a “very suspicious” file.
If the user downloads the file, it will bring up a Word document that asks the user: “This document is protected Previewing is not available for protected documents. You have to press ‘enable editing’ and ‘enable content’ buttons to preview this document.” The form could be be sent as ZIP file containing a Word document, it said.
It noted that the file is more than 500 MB in size, an attempt by scammers to bypass email security tools.
“You won’t find many genuine Word documents weighing in at 500MB or more,” the report said. “In fact, a file size of 500MB is a potential indicator that Emotet is lurking in the background. Malware authors are artificially pumping up the size of the document in order to try and fool or break security tools. This is because the large file size may prove too difficult for the tools to get a handle on and properly analyze.”
Meanwhile, the IRS has said in numerous notices that it will never attempt to contact a taxpayer via telephone, text message, or email. Instead, the IRS says that it always opts to communicate through normal mail.
“Tax agencies have a proper process for issuing refunds, found on their websites. Some, like HMRC, are very clear that refunds are never issued by email. If in doubt, phone the tax office directly and ask if what you have is the real deal or a fake,” MalwareBytes said. “Some tax scams will ask you who you bank with, and then open up a phishing page for that bank. Always navigate directly to your banking website, click throughs and redirects typically spell danger.”
Other security researchers have said that people should look for grammar and spelling mistakes. Generally, scammers and hackers often made basic errors because some are from countries where English is not the native language. A legitimate email from a federal or state agency is not likely to contain mistakes.
A screenshot of the malicious email provided by MalwareBytes included grammatical and spelling errors: “Let me know if you would like a hard copy mailed as well. Respectifully [SIC] Barbara LaCosta” and listed her as the “inspector” of the “Department of Treasure.”
