Campaign Targets Nonresidents with Fake IRS Email
While the fall might seem like a peculiar time to receive emails from the Internal Revenue Service (IRS), researchers at Fortinet have discovered a phishing campaign claiming to be from the IRS but reportedly sent from a server originating in Italy.
The campaign appears to be targeting nonresident aliens, as the fraudulent email is titled “2018 UPDATE: NON RESIDENT ALIEN TAX WITHHOLDING.” The FortiGuard SE team suspects that the intended targets are those who requested a six-month extension on filing their income taxes back in April.
Below is an image of the highly sophisticated and convincing email from the phisher.
“The formal language and basic template (full of lengthy descriptives, no graphics, and no links) mimics a document issued by a government agency, and the form labeled 'W-8BEN Form.PDF' masquerades as an official W-8BEN document from the IRS, which according to Wikipedia is a document used by foreign persons (including corporations) to certify their non-U.S. status,” researchers wrote.
While at first glance, the email seems legitimate, there are grammatical issues and spelling errors that should give readers pause. Unfortunately, because the targets of this campaign are nonresident aliens, English may not be their native tongue, making the less-obvious errors in this message – such as the incorrect name of the agency, Department of the Treasury – difficult to spot, even for U.S. citizens.
Researchers did find that the attached PDF file is free of any embedded executables but noted that the IRS has never sent any official documents via email. Because the attached form contains random spaces and miscellaneous punctuation marks, researchers believe that the PDF was scanned and manipulated.
“While this document states that its last revision was February 2018, the look and feel is not that of a digital document (specifically those found on IRS.gov). Finally, the fonts are mismatched on the form, especially the “FAX TO: 1 877 917 3730” direction at the bottom, which is colored in blue and is in a different font style and size. This is another dead giveaway for this poorly crafted campaign,” researchers wrote.
Source: Information Security Magazine