Yes, it's getting to be that time of year again… What? You thought I was talking about the Holidays? Nope, sadly, they're SOOO last week. What I'm referring to is Tax Time, that mystical period between New Year's Day and April 15 when you have to part with your hard-earned money. Needless to say, the Bad Guys are aware of this and are already ramping up their scam machines. RST CEO Matti "Roland" Raihala received the following from a payroll site:


The IRS issued a warning for businesses concerning a new email scam using IRS tax transcripts as bait to deliver malware. The malware, known as Emotet, seeks to obtain financial information by infecting the victim's network. This particular scam delivers a false tax transcript (summary of tax return information) as an attachment. If the victim opens the attachment, their network or device could become infected with the Emotet malware. The IRS alert goes on to say that it does not send unsolicited emails to the public.

Additional information on this specific attack, including what to do if you believe you may be impacted, can be found on the IRS website.

So, off I went to the IRS website to see what they have to say. First and foremost, they tell you:

Many taxpayers have encountered individuals impersonating IRS officials- in person, over the telephone and via email. Don't get scammed. We want you to understand how and when the IRS contacts taxpayers and help you determine whether a contact you may have received is truly from an IRS employee.

The IRS initiates most contacts through regular mail delivered by the United States Postal Service.

However, there are special circumstances in which the IRS will call or come to a home or business, such as when a taxpayer has an overdue tax bill, to secure a delinquent tax return or a delinquent employment tax payment, or to tour a business as part of an audit or during criminal investigations.

Even then, taxpayers will generally first receive several letters (called "notices") from the IRS in the mail.

Note that the IRS does not:

  • Call to demand immediate payment using a specific payment method such as a prepaid debit card, gift card or wire transfer. Generally, the IRS will first mail a bill to any taxpayer who owes taxes.
  • Demand that you pay taxes without the opportunity to question or appeal the amount they say you owe. You should also be advised of your rights as a taxpayer.
  • Threaten to bring in local police, immigration officers or other law-enforcement to have you arrested for not paying. The IRS also cannot revoke your driver's license, business licenses, or immigration status. Threats like these are common tactics scam artists use to trick victims into buying into their schemes.

I located the article specific to this threat, IR-2018-226.  It is a warning to the public of a surge of fraudulent emails impersonating the IRS and using tax transcripts as bait to entice users to open documents containing malware.  The scam is especially problematic for businesses whose employees might open the malware because it can spread throughout the network and potentially take months to successfully remove.  The malware involved, known as Emotet, generally poses as specific banks and financial institutions in its effort to trick people into opening infected documents. In the past few weeks, however, the scam began masquerading as the IRS, pretending to be from "IRS Online." The scam email carries an attachment labeled "Tax Account Transcript" or something similar, and the subject line uses some variation of the phrase "tax transcript." The Summit partnership of the IRS, state tax agencies and the nation's tax industry remind taxpayers to watch out for this scam.

I decided to see what I could find on Emotet and came up with this United States Computer Emergency Readiness Team (US-CERT) Alert (TA18-201A) Emotet Malware.  This is a truly nasty creation!

Emotet is an advanced, modular banking Trojan that primarily functions as a downloader or dropper of other banking Trojans. Additionally, Emotet is a polymorphic banking Trojan that can evade typical signature-based detection. It has several methods for maintaining persistence, including auto-start registry keys and services. It uses modular Dynamic Link Libraries (DLLs) to continuously evolve and update its capabilities. Furthermore, Emotet is Virtual Machine-aware and can generate false indicators if run in a virtual environment.

The alert goes into considerable detail on what it is, how it works, the damage it can do, how to detect it, and most importantly, what you can do to protect yourself and your organization from it.

One last note, this is one of MANY scams using the IRS as a cover.  While writing this article, the following showed up in my Inbox:


I took the liberty of exposing the target of that "CLICK HERE please!" link; somehow, I kinda doubt a website in the United Kingdom has anything legitimate to do with the IRS.  You, ALL of you, gotta THINK before you click that link!!
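
The indicators from IR-2018-226 quoted above (an "IRS Online" sender name, "tax transcript" wording in the subject and attachment name) and the link-target check just described can be automated at the mail gateway or in a triage script. The following is an added example, not part of the original post; the sample message, the `example.co.uk` placeholder host and the function names are constructed for illustration.

```python
import re
from email import message_from_string
from email.utils import parseaddr
from urllib.parse import urlparse

# Constructed sample message (not a real capture); example.co.uk is a placeholder.
SAMPLE = """\
From: "IRS Online" <notice@example.co.uk>
To: payroll@example.com
Subject: Your Tax Transcript is ready
MIME-Version: 1.0
Content-Type: multipart/mixed; boundary="b1"

--b1
Content-Type: text/html

<p><a href="http://example.co.uk/irs/login">CLICK HERE please!</a></p>
--b1
Content-Type: application/msword
Content-Disposition: attachment; filename="Tax Account Transcript.doc"

(constructed placeholder body)
--b1--
"""

def is_irs_host(host):
    # Exact match or true subdomain only; "irs.gov.example.co.uk" must fail.
    host = (host or "").lower().rstrip(".")
    return host == "irs.gov" or host.endswith(".irs.gov")

def triage(raw):
    """Return a list of human-readable findings for one raw message."""
    msg = message_from_string(raw)
    findings = []
    name, addr = parseaddr(msg.get("From", ""))
    sender_host = addr.rpartition("@")[2]
    if re.search(r"\birs\b", name, re.I) and not is_irs_host(sender_host):
        findings.append(f"display name claims IRS but sender domain is {sender_host}")
    if re.search(r"tax\s+(account\s+)?transcript", msg.get("Subject", ""), re.I):
        findings.append("subject uses 'tax transcript' wording")
    for part in msg.walk():
        fname = part.get_filename()
        if fname and "transcript" in fname.lower():
            findings.append(f"attachment named like a transcript: {fname}")
        if part.get_content_type() == "text/html":
            html = part.get_payload(decode=True).decode("utf-8", "replace")
            for url in re.findall(r'href="([^"]+)"', html, re.I):
                if not is_irs_host(urlparse(url).hostname):
                    findings.append(f"link points to non-IRS host: {urlparse(url).hostname}")
    return findings
```

Calling `triage(SAMPLE)` returns four findings; a message with no findings is not proof of legitimacy, since the display name and wording are easy for a sender to vary.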