top of page

Beware of new fake IRS tax emails delivering malware

Happy Friday!

Tax season is upon us and as you might expect, the scammers are at it again, even more than last year.

One of the latest tax scams reported this week by Malwarebytes Labs narrows its focus on using an IRS W-9 tax form as bait.

The emails typically have a short subject line such as "IRS W-9 Tax Form", a zip file attachment and a one-line body such as "Let me know if you would like a hard copy mailed as well."

If the lure gets you to successfully open the attachment, it's bad news. There's a Microsoft Word doc in there with a malicious script macro that will download the Emotet trojan onto your system.

Emotet has been around since 2014. Originally created as a banking trojan which has since evolved to perform malware and spam delivery. Have you ever received a fake shipping or invoice email? That's likely Emotet in action.

Emotet is considered one of the top five cyberthreats businesses will face in 2023. Flagged by Europol as "The world's most dangerous malware" law enforcement has never quite been able to shut it down permanently despite its entire global infrastructure being taken offline in 2021.

The Takeaway

Scary stuff right? The good news is that you have all you need to keep you and your company safe from these IRS scams. Some simple preparation and common sense goes a long way. Here are my top 3 tips to avoid becoming a victim:

1. Be suspicious of refunds. Tax agencies have a proper process for issuing refunds which can be found on their websites. If in doubt, phone the tax office directly and ask if the email is fake or the real deal.

2. Look out for fake bank portals. Some tax scams will ask you who you bank with, then open up a fake phishing page for that bank. Always navigate directly to your banking website - click throughs and redirects are warning signs.

3. High pressured pitches are a red flag. Tax scammers like to hurry you along to data theft and malware installs. Claims of only having 24 or 48 hours to file for a refund should be treated with a high degree skepticism.

If you come across any of these tactics and if something smells fishy, it probably is. Contact the tax entity directly to double check the notice.

Stay safe out there.


Just Released: Cyber Secured Podcast

Highlights include AI and ChatGPT's impact on cybersecurity, compliance and employee training. View or listen at:


bottom of page