Phishing Emails Impersonate IRS

Scams

January 23, 2025

Tax season is rife with social engineering schemes designed to steal tax information, including W-2 personally identifiable information (PII), dates of birth, bank account or credit card numbers, and driver’s license numbers. The NJCCIC recently observed attempts to deliver phishing emails impersonating the Internal Revenue Service (IRS) to NJ state employees. The threat actors use display name spoofing to make the message appear to be sent from “IRS pay.service[@]irs[.]net”; however, the actual sender’s email address is “www-data[@]woyo[.]com.” The emails claim that the recipient has an unpaid tax balance and that a delay in payment will result in fees and legal action. An included link likely leads to a webpage asking for PII, such as Social Security numbers and payment card details, to pay the supposed tax balances. If this information is submitted, it will be stolen by the threat actor behind the phishing campaign.
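Display name spoofing of this kind can be flagged by comparing any address shown in the display name with the domain of the real sender. The following Python is an added example, not NJCCIC code; the function names and sample headers are constructed for illustration, with the first two samples built from the addresses quoted above (kept defanged and refanged only in memory).

```python
import re
from email.header import decode_header, make_header

# "display name <addr-spec>" with the name optionally quoted.
FROM_RE = re.compile(r'^\s*"?(.*?)"?\s*<([^<>@\s]+@[^<>@\s]+)>\s*$')
# An email-like token hidden inside the display name.
EMAIL_IN_NAME = re.compile(r"[\w.+-]+@([\w-]+(?:\.[\w-]+)+)")


def refang(text):
    """Undo advisory-style defanging ([@] and [.]) before parsing."""
    return text.replace("[@]", "@").replace("[.]", ".")


def check_from(from_header):
    """Compare domains shown in the display name with the real sender domain."""
    match = FROM_RE.match(from_header)
    if not match:
        return None  # bare address or unparseable header: nothing to compare
    # Decode RFC 2047 encoded-words so an encoded name cannot hide the address.
    name = str(make_header(decode_header(match.group(1))))
    address = match.group(2).lower()
    sender_domain = address.rpartition("@")[2]
    claimed = [m.group(1).lower() for m in EMAIL_IN_NAME.finditer(name)]
    # A claimed domain is consistent if the sender is on it or on a subdomain.
    mismatched = [d for d in claimed
                  if sender_domain != d and not sender_domain.endswith("." + d)]
    return {"display_name": name, "sender": address,
            "claimed_domains": claimed, "spoof_suspected": bool(mismatched)}


# Constructed sample headers; the first two use the addresses from the advisory.
SAMPLES = [
    '"IRS pay.service[@]irs[.]net" <www-data[@]woyo[.]com>',
    '=?utf-8?q?IRS_pay.service=40irs.net?= <www-data[@]woyo[.]com>',
    '"Help Desk helpdesk[@]example[.]org" <noreply[@]mail.example[.]org>',
    '"Jane Doe" <jane[@]example[.]org>',
]

if __name__ == "__main__":
    for raw in SAMPLES:
        result = check_from(refang(raw))
        print(result["spoof_suspected"], result["sender"], result["claimed_domains"])
```

A mismatch is a signal for review rather than proof of phishing, since some legitimate bulk senders also place an address in the display name.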

Recommendations

  • Beware of communications purporting to be sent from the IRS. The IRS does not contact individuals by phone, email, or text message to solicit information or money. Instead, the IRS sends notices and bills through postal mail.
  • Exercise caution with communications. Do not divulge sensitive information via phone, email, or text message without verifying the requestor via a separate means of communication before taking any action.
  • Navigate directly to official and verified websites by typing the legitimate URL into the browser instead of clicking on links in messages, and refrain from entering login credentials, personal details, and financial information on websites visited via links delivered in messages.