Page 1 of 1

Fake IRS Email

Posted: Sat Jun 25, 2011 6:50 pm
by wserra
Haven't seen this one before (received in one of the free accounts I use for things like MLM and TP mailing lists), complete with misspellings and grammatical errors.
Department of Treasury Internal Revenue Source

Important information about your tax return
We are unable to process your tax return

We recived your tax return. However, we are unable to process the return as field.

Our records indicate that the person identifiedas the primary taxpayer or spouse on the tax return did not provided all the required documents shown on the tax form. Our records are based on information received from the Social Security Administration.

Based on this information, the tax account for the individual has been locked

What you need to do

Print out the attached notification and list of missing documents, fill it in, add the documents and send the following information to the adress shown in the attached notification.

List of required documents:

1. A copy of this letter
2. Notification letter
3. A photocopy of valid U.S. Federal or State Government issued identification.

Keep this notice for your records. If you need assistance, please don't hesitate to contact us

A zip file was attached. While I am somewhat curious, I'm not about to open it.

The originating IP is
inetnum: -
netname: PLUSNET
descr: Polkomtel S.A.
descr: Warszawa
country: PL

Ah, that explains it. It's the Warsaw IRS office.

ETA: when I first posted this, I didn't notice the several more just like it in the account's Spam folder. They somehow got around the filter with this one. Anyway, it seems pretty sure that others have received it by now.

Re: Fake IRS Email

Posted: Sat Jun 25, 2011 7:21 pm
by Nikki
If you still have it, please forward it to TIGTA.

Re: Fake IRS Email

Posted: Sat Jun 25, 2011 7:54 pm
by Cathulhu
easy to do, just forward to

Re: Fake IRS Email

Posted: Sat Jun 25, 2011 8:32 pm
by wserra
Done. Thanks.

Re: Fake IRS Email

Posted: Thu Jun 30, 2011 12:02 am
by The Observer
The attachment was the payload for that e-mail. Apparently it was a type of keylogger program, called Zeus, that the hackers were hoping would benefit from the general terror caused by getting an message that looked like it was from the IRS.