Tax Time is Phishing Time: Here’s How to Help!




The IRS has a very active security team, currently part of the U.S. Treasury Inspector General for Tax Administration (TIGTA), that is responsible for fighting phishing and tracking down the criminals who prey on U.S. taxpayers.  If you believe you have received a phishing email, please help them by reporting it to [email protected].  Additionally, please consider sending a copy to our team: PhishMe Brand Intelligence automatically processes any URLs found in emails sent to [email protected] (not just IRS phish – we love gathering global intelligence on all phish).

PhishMe Brand Intelligence has been looking at IRS phishing incidents since 2012, but the beginning of 2016 has broken all records for IRS phishing.  Because many phishing sites use a customized URL for every visitor, we’ve developed a chart that demonstrates the number of phishing attacks by showing a count of unique host names on a given day that spoofed the IRS.

As an example, if was seen 100 times on January 1st and twenty times on January 2nd, it would be counted as “2” in the chart below because we received reports for that host on two different days.


Figure 1.  Count of distinct hosts of IRS phishing for each month during 2015 and 2016

This hasn’t been a gradual increase, however; it was a rapid proliferation of spoofed IRS sites at the beginning of this year.  In January 2016 alone we saw more IRS phish than the total for any previous year.

In just the past two weeks, we have recorded 21 different phishing website templates being used to create IRS phish.  We ask, “Which patterns are most important, based on the number of websites being created using that template?”  Figure 2 provides an overview of the result of applying PhishMe’s phishing website clustering algorithm to group together sites that were created with the same set of files.  We do that in order to work backwards toward identifying which criminal toolkit was used—and by which criminals—to create the most frequently-recorded phishing sites.  Below we dive deeper into the details of the three largest templates indicated in Figure 2.
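The per-day counting rule described above (a host counts once for each day it is reported) and the grouping of sites by the set of files they were built from, as an added example that is not PhishMe's code: the reports, hostnames, IP addresses, dates and file names are all constructed, and the file-set fingerprint stands in for whatever the real clustering algorithm uses.

```python
"""Added example (not PhishMe's code): per-day distinct-host counting and
clustering of phishing sites by file set.  All data below is constructed."""
from collections import defaultdict
from hashlib import sha256

# Constructed reports: (host, ip, day seen, files that make up the page).
REPORTS = [
    ("irs-login.example", "203.0.113.10", "2016-01-01", ("index.php", "login.php", "irs.css")),
    ("irs-login.example", "203.0.113.10", "2016-01-01", ("index.php", "login.php", "irs.css")),
    ("irs-login.example", "203.0.113.10", "2016-01-02", ("index.php", "login.php", "irs.css")),
    ("secure-refund.example", "203.0.113.11", "2016-01-02", ("index.php", "login.php", "irs.css")),
    ("fillup.example", "198.51.100.7", "2016-01-03", ("index.html", "form2013.php", "mailer.php")),
    ("fillup2.example", "198.51.100.7", "2016-02-01", ("mailer.php", "index.html", "form2013.php")),
]

def template_fingerprint(files):
    """Order-independent fingerprint of the file set; same kit => same cluster."""
    return sha256("\n".join(sorted(set(files))).encode()).hexdigest()[:12]

def distinct_hosts_per_day(reports):
    """A host seen 100 times on one day counts once for that day."""
    seen = {(host, day) for host, _ip, day, _files in reports}
    per_day = defaultdict(int)
    for _host, day in seen:
        per_day[day] += 1
    return dict(per_day)

def monthly_host_counts(reports):
    """Figure 1 style rollup: sum the per-day distinct-host counts by month."""
    monthly = defaultdict(int)
    for day, count in distinct_hosts_per_day(reports).items():
        monthly[day[:7]] += count
    return dict(monthly)

def cluster_by_template(reports):
    """Group reports by file-set fingerprint; one attack per (host, day)."""
    clusters = defaultdict(lambda: {"attacks": set(), "domains": set(), "ips": set()})
    for host, ip, day, files in reports:
        c = clusters[template_fingerprint(files)]
        c["attacks"].add((host, day))
        c["domains"].add(host)
        c["ips"].add(ip)
    return {fp: {k: len(v) for k, v in c.items()} for fp, c in clusters.items()}

if __name__ == "__main__":
    print(monthly_host_counts(REPORTS))
    for fp, stats in sorted(cluster_by_template(REPORTS).items(), key=lambda kv: -kv[1]["attacks"]):
        print(fp, stats)
```

The per-cluster output has the same shape as the attack/domain/IP counts given for each cluster below, so a change in the ranking from one week to the next points at the template (and the kit behind it) that most deserves attention.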



Figure 2.  Clusters of IRS phish, based on website template, October 2015 – March 2016


Cluster #1 – IRS White Login

We will call this template “IRS White”, just to differentiate it from the other templates below.


Figure 3.  Cluster #1 – “White Login”

Cluster #1, representing the most popular IRS phishing template over the past six months, was observed in 59 attacks, using 49 domain names and 40 IP addresses.  The HTML title of each of these phish is the single word “Login”.  The phish in this cluster often use a subdirectory path, and, during the month of February, many of the attacks were hosted on the IP address (HostDime—Orlando).  Figure 4 below shows a page from PhishMe’s investigative app, ThreatHQ™, listing several recent IRS phish of this style, along with the IP address to which they resolved and the date that we first recorded them.



Figure 4.  Note the characteristic path in the URL and a frequent IP address

Over the years of investigating credential phishing, the PhishMe Brand Intelligence team has preached information sharing with representatives of other victim brands.  With this style of IRS phishing, it is helpful to be able to see in ThreatHQ that the IP address is regularly abused by phishers.  Phish targeting customers of banks, social media sites, payment processors, and webmail providers are frequently hosted there, as seen in Figure 5 below.



Figure 5.  Other recent phish hosted on

Perhaps some of the creators of those phish are related to the IRS phishers?  One of the most recent phishing pages hosted there targets the French government’s Ministry for Finance and Public Accounts (, as seen in Figure 6 below.


Figure 6.  French tax agency phish hosted on (March 21st)

Cluster #2 – Fill Up 2013

The second-largest cluster of recent IRS phish comprises 42 attacks using 38 domains and 34 IP addresses.  As is often the case with phishers, small errors can help us to easily identify the template.  In this case, we have a phisher who has not realized that using a 2013 tax form during 2016 would be unusual and could even harm his victimization rate.  See Figure 7 below for an example screenshot of a Cluster 2 phish that asked the victim to enter information as it appeared on a 2013 return.


Figure 7.  Cluster #2 – “Fill Up – 2013”

Because PhishMe Brand Intelligence is often able to retrieve the tools left behind by phishers, we know that at least eight of the recent phish in this group sent the stolen credentials to the email address [email protected].  On November 24th, December 14th, and January 10th, 17th, 18th, and 23rd, PhishMe recovered phishing kits that used a PHP script to email the credentials to that address, as seen in the code snippet in Figure 8 below.



Figure 8.  The script mailer.php sends credentials to a Gmail account

Strangely, Michael Davids’ Facebook page (see Figure 9 below), tied to the same Gmail account, has the URL – almost as if Michael was born a Nigerian person and later changed his name.  In fact, his only Friend on Facebook is Nigerian “Kore Akpnah.”


Figure 9.  Partial screenshot of Facebook profile tied to the email address [email protected]

As with Cluster #1, we also have evidence that Michael (or “Ogbeni”?) steals credentials with other types of phishing pages.  A webmail phish from January and a major bank phish from December (Figures 10 and 11, respectively, below) also sent their stolen credentials to Michael at the same Gmail address.


Figure 10.  Recent Google Drive phish created with a kit that sends data to [email protected]



Figure 11.  Recent Wells Fargo phish created with a kit that sends data to [email protected]

Also, be aware that the spam message you receive with a link to an IRS phish may be very plain and simple, such as the one seen in Figure 12 below.  Hovering over the link with the mouse shows that the blue hyperlink did not go to; rather, it went to a URL shortened with the TinyURL service.



Figure 12.  Sample spam message distributing a link to a Cluster #2 style IRS phish


Cluster #3 – Fill Up 2014



Figure 13.  Cluster #3 – Fill Up – 2014

Cluster #3 is composed of 32 attacks on 29 domains hosted on 29 IP addresses.  The only substantial difference between it and Cluster #2 is that the year has been updated from 2013 to 2014.  Two main URL patterns are prevalent for this cluster; one is /SmileIR/ (and the stolen credentials are sent to a similarly-named email address).  After February 1st, this criminal began to use the directory /PRIVACYIR/ and another email address.  Otherwise, the files are quite similar between the two toolkits.

Other Top IRS Clusters

While there are many interesting Brand Intelligence leads for each of the other major IRS phishing clusters, we’ll just summarize clusters 4 through 10 here by providing screenshots and volume statistics below.

Cluster #4 – 2015 Tax Reduction File



Figure 14.  Cluster #4 attacks seen 29 times on 25 domains and 23 IP addresses

Cluster #5 – White Hi-Res W-2 Form


Because its higher-resolution graphics better approximate the real IRS website, this template is more likely to convince a potential victim.  One of the drop email addresses for this stolen data corresponds to a Skype account.  This website template also adds believability by using the HTML Title attribute—which shows up in your browser tab—of “Department of the Treasury – Internal Revenue Service”.


Figure 15.  Cluster #5 attacks seen 28 times on 26 domains and 25 IP addresses

Cluster #6 – Validate Personal Info



Figure 16.  Cluster #6 attacks seen 26 times on 17 domains and 15 IP addresses

Cluster #7 – Validate Electronic Info



Figure 17.  Cluster #7 attacks seen 23 times on 21 domains and 20 IP addresses

Cluster #8 – Refund Status



Figure 18.  Cluster #8 attacks seen 23 times on 18 domains and 17 IP addresses


Cluster #9 – Get My PIN



Figure 19.  Cluster #9 attacks seen 19 times on 13 domains and 10 IP addresses

Cluster #10 – Refund SSN



Figure 20.  Cluster #10 attacks seen 18 times on 3 domains and 3 IP addresses



Grouping together the various types of phish that are targeting a specific brand, according to the sets of files used to create the look and feel of phishing sites, allows PhishMe to determine which are the biggest problems affecting that brand’s customers.  It also allows a focus on which bad actors are using the templates and how they are taking advantage of the Internet infrastructure available to them.

In 2016, you have already heard many warnings about IRS phishing.  This blog post further demonstrates that not only is it a large and growing problem, but there are also many different phishers and different toolkits being used to exploit U.S. taxpayers.  Be on the lookout for all of these types of scams, and be sure to let us and the IRS know when you see a new phish by forwarding the email to [email protected] and to [email protected].

