The US Internal Revenue Service (IRS) is warning of ongoing phishing attacks impersonating the IRS and targeting educational institutions. Threat actors use tax refund payment baits and mainly focus on universities’ staff and students with .edu email addresses.

The IRS’ phishing@irs.gov address has received complaints about the impersonation scam in recent weeks from people with email addresses ending in “.edu.” The phishing emails appear to target university and college students from both public and private, profit and non-profit institutions.


The phishing attack was spotted earlier this month by Abnormal Security researchers, who believe the hackers bypassed Office 365 security and successfully targeted 5,000 to 50,000 mailboxes.


A link embedded within the email reads “Claim your refund now”. Clicking it redirects recipients to the attacker’s landing page, where they are asked to fill out a form whose contents the attackers can then use to commit fraud.

The phishing website asks taxpayers to provide their:

  • Social Security number
  • First Name
  • Last Name
  • Date of Birth
  • Prior Year Annual Gross Income (AGI)
  • Driver’s License Number
  • Current Address
  • City
  • State/U.S. Territory
  • ZIP Code/Postal Code
  • Electronic Filing PIN


This impersonation is very convincing, as the attacker’s landing page is identical to the IRS website, including the popup alert that states “THIS U.S. GOVERNMENT SYSTEM IS FOR AUTHORIZED USE ONLY”, which also appears on the official IRS website.

The IRS urges taxpayers who believe they may have been victims of a phishing attack to immediately obtain an Identity Protection PIN, which is a six-digit number that helps prevent identity thieves from filing fraudulent tax returns in the victim’s name.

Anyone who tries to e-file their tax return and has it rejected because a return with their Social Security number has already been filed should file a Form 14039 to report the possible identity theft. See the IRS’s Identity Theft Central website for more information about the signs of identity theft and actions to take.


According to security technologist Bruce Schneier:

“Identity theft is the new crime of the information age. A criminal collects enough personal data on someone to impersonate a victim to banks, credit card companies, and other financial institutions. Then he racks up debt in the person’s name, collects the cash, and disappears. The victim is left holding the bag. While some of the losses are absorbed by financial institutions — credit card companies in particular — the credit-rating damage is borne by the victim. It can take years for the victim to clear his name.”


Once identity theft occurs, it is extremely difficult to recover the information that cybercriminals have stolen. Many times, you aren’t even aware of how or when it happened.

That’s why it’s always better to take proactive security measures that will prevent fraudsters from stealing your personal details and information. It’s easier to play it safe than to react only once the damage is done and it’s too late to keep it under control.
