Phishing Example: IRS Service "Important Update"

January 15, 2016

What makes this a Phishing message?

This is not a very convincing phish, but the attached document (not included) contained malware that would infect a computer if opened - even if clicked on accidentally.  The only recourse in that situation is to rebuild the system.  Avoid opening attachments from unknown sources at all costs.

Here are some of the red flags that indicate this is a phish:

  • The message is purportedly from the IRS, but the sender address contains a generic "services.com" domain name
  • The sender assumes the recipient will receive a tax refund, but how would they know if taxes are owed or a refund is due?  This is an obvious ploy to entice users to click so they can make sure they get their "refund"

Original Message:

Subject: Important Update
From: IRS Service <irs@services.com>
Date: 1/15/2016 2:58 PM
To: "<"<irs@services.com>

As we prepare to start the 2016 Tax filling season, we have undergone slight changes in the filling process to make filling for your refund easier and to prevent unnecessary delays.
Part of the changes include updating our database with your information.
Please ensure to carefully complete this verification to avoid hitches in processing your refund.
We have sent you an attachment, open it and follow the steps to verify your profile.
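
The red flags listed above can be checked mechanically from a message's headers and text. The following Python is an added example, not part of the original page: the `BRAND_DOMAINS` table, the `red_flags` function and its flag labels are assumptions made for illustration, and `SAMPLE` is rebuilt from the message shown above.

```python
import re
from email import message_from_string
from email.utils import parseaddr

# Assumption for this example: organisations a sender may claim to be, mapped
# to the domain they really send from (irs.gov is the IRS's own domain).
BRAND_DOMAINS = {"irs": "irs.gov"}

# Rebuilt from the sample message on this page (To header and first lines omitted).
SAMPLE = """\
Subject: Important Update
From: IRS Service <irs@services.com>
Date: 1/15/2016 2:58 PM

Please ensure to carefully complete this verification to avoid hitches in processing your refund.
We have sent you an attachment, open it and follow the steps to verify your profile.
"""

def red_flags(raw_message):
    """Return the red flags from the list above that this message shows."""
    msg = message_from_string(raw_message)
    display, address = parseaddr(msg.get("From", ""))
    domain = address.rpartition("@")[2].lower()
    flags = []
    # Flag 1: display name claims a known organisation, address domain is not theirs.
    for brand, real in BRAND_DOMAINS.items():
        claimed = re.search(rf"\b{re.escape(brand)}\b", display, re.I)
        genuine = domain == real or domain.endswith("." + real)
        if claimed and not genuine:
            flags.append(f"sender-domain: claims {brand.upper()}, sent from {domain}")
    # Collect the plain-text parts so multipart mail (with attachments) also works.
    body = "".join(p.get_payload() for p in msg.walk()
                   if p.get_content_type() == "text/plain")
    # Flag 2: the sender presumes a refund it has no way of knowing about.
    if re.search(r"\brefund\b", body, re.I):
        flags.append("refund-lure: assumes the recipient is owed a refund")
    # Flag 3: one sentence both mentions an attachment and says to open it.
    for sentence in re.split(r"(?<=[.!?])\s+", body):
        if re.search(r"\battach", sentence, re.I) and re.search(r"\bopen\b", sentence, re.I):
            flags.append("attachment: tells the recipient to open an attachment")
            break
    return flags

if __name__ == "__main__":
    for flag in red_flags(SAMPLE):
        print(flag)
```

A message that raises none of these flags is not thereby safe; the checks only cover the indicators this page lists.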

Warning:  The links and email addresses included in these messages are from real-life examples, do not attempt to explore them.

The most dangerous links have been removed - you can hover your cursor over these links to see the original address in a pop-up tooltip (instead of in the corner of the browser window).

Report suspected phishing emails to consult@berkeley.edu.  Be sure to include the entire text of the message, including the email header.