Universities Targeted in Ongoing IRS Phishing Attacks
The Attacker Impersonated the IRS by Sending an Automated Email Informing Applicants That They Are Eligible For a $1,400 Tax Refund.
The US Internal Revenue Service (IRS) is warning of ongoing phishing attacks impersonating the IRS and targeting educational institutions. Threat actors use tax refund payment baits and mainly focus on universities’ staff and students with .edu email addresses.
The IRS’ email@example.com has received complaints about the impersonation scam in recent weeks from people with email addresses ending in “.edu.” The phishing emails appear to target university and college students from both public and private, profit and non-profit institutions.
The phishing attack was spotted earlier this month by Abnormal Security researchers who believe the hackers bypassed Office 365 security and successfully targeted 5,000 to 50,000 mailboxes.
A link embedded within the email reads “Claim your refund now”. By clicking on it, recipients are redirected to the attacker’s landing page. Here they are asked to fill out a form that attackers can then use to commit fraud.
The phishing website requests taxpayers provide their:
- Social Security number
- First Name
- Last Name
- Date of Birth
- Prior Year Annual Gross Income (AGI)
- Driver’s License Number
- Current Address
- State/U.S. Territory
- ZIP Code/Postal Code
- Electronic Filing PIN
This impersonation is very convincing as the attacker’s landing page is identical to the IRS website including the popup alert that states “THIS U.S. GOVERNMENT SYSTEM IS FOR AUTHORIZED USE ONLY”, which also appears on the official IRS website.
The IRS urges taxpayers who believe they may have been victims of a phishing attack to immediately obtain an Identity Protection PIN, which is a six-digit number that helps prevent identity thieves from filing fraudulent tax returns in the victim’s name.
Anyone who tries to e-file their tax return and has it rejected because a return with their Social Security number has already been filed should file a Form 14039 to report the possible identity theft. See the IRS’s Identity Theft Central website for more information about the signs of identity theft and actions to take.
Heimdal® Threat Prevention - Network
- No need to deploy it on your endpoints;
- Protects any entry point into the organization, including BYODs;
- Stops even hidden threats using AI and your network traffic log;
- Complete DNS, HTTP and HTTPs protection, HIPS and HIDS;
According to security technologist Bruce Schneier,
Identity theft is the new crime of the information age. A criminal collects enough personal data on someone to impersonate a victim to banks, credit card companies, and other financial institutions. Then he racks up debt in the person’s name, collects the cash, and disappears. The victim is left holding the bag. While some of the losses are absorbed by financial institutions — credit card companies in particular — the credit-rating damage is borne by the victim. It can take years for the victim to clear his name.
Once identity theft occurs, it is extremely difficult to recover the information that cybercriminals have stolen. Many times, you aren’t even aware of how or when it happened.
That’s why it’s always better to take proactive security measures, that will prevent fraudsters from stealing your personal details and information. It’s easier to play it safe instead of only react once the damage is done and it’s too late to keep it under control.