We recently received an email notification of balance due, appearing to be from the IRS. (See the image below.) It even has the real IRS logo!
How do we know it’s a scam? Ahhh, let us count the ways.
- The real IRS does not send emails to ask for payment. The IRS will send a letter through the mail (U.S. Postal Service) with a form or notice number that is searchable on the IRS website, irs.gov.
- The real IRS does not initiate contact with you via email, text message or social media channels. As part of the security process to authenticate taxpayers signing up to pay taxes online, the IRS will send verification, activation or security codes via email or text. These IRS texts and emails will only contain one-time codes. The IRS will not initiate contact via text or email asking for personal or financial information, log-in information or personal data. They will not ask you to click through links or input information.
- This email is from firstname.lastname@example.org. Birch email is a free email service. The U.S. government does not use birchconnect email.
- This email appears to have been forwarded. Notice the blue line down the left side. At the bottom of the email, it says this notification was sent to you by: Internal Revenue Service, powered by Govdelivery. Govdelivery is a tech company that provides email and SMS message to the public sector. It enables a person to subscribe to news and information on government websites to receive bulletins and alerts from local, federal and national government. However, it looks like this email was forwarded from an email actually sent by Govdelivery.
- Toward the bottom of the email, it says you can manage your account, and if you have difficulty contact paygov.us. Paygov.us is a website (and mobile app) to make payments to government agencies. There is no place to manage an IRS account on this site.
The Phishing Link
This email asks you to click the link to “Get Billing Summary.” Don’t! This is where the fake IRS does it’s malicious activity. If you hover over a link, you will see where it will direct you. (In this case, the link takes you to a website called paintestimatingclass. Does this sound like the IRS?) In a Phishing email, the link will direct you to an illegitimate site. Frequently, a Phishing site will have a very similar name to a legitimate site. The site may look legitimate, aside from one letter in the domain name of the site. Phishing sites are designed to collect information or payment. They are fishing for information. Don’t get hooked! When you submit, you are handing everything over to the crooks.
Since our company has Microsoft O365 Advanced Threat Protection (ATP), we don’t see just the website address when we hover over the link. We see a link that begins with https://na01.safelinks.protection.outlook.com and includes the website address (URL). ATP protects our company from malicious links and attachments in real time. If someone clicks on an unsafe link, instead of the website, that person will see a warning that the website has been classified as malicious. Email attachments are sandboxed in a detonation chamber to determine if they are unsafe before being sent to recipients. (Want to learn more about how Microsoft Advanced Threat Protection protects your company and how to get it? Call Big Idea Technology at 646-277-9700 or email us at email@example.com.)
The Real IRS Notifications
By the way, this email says “due notification CP50.” There is no notification CP50. IRS Notice CP 503 is a reminder to taxpayers of past due taxes. It is the second in a series of notices sent via mail (not email) by the IRS, each more threatening than the previous one (CP501, CP503, CP504). IRS CP 90 is Final Notice to Levy, a formal notice that the IRS has the right to seize your assets if you do not pay, similar to the message in this Phishing email. It is also sent via paper mail (and a sample CP90 is posted online).
You can pay your taxes online on the IRS website: https://www.irs.gov. Do not provide payment through a link in an email!
The IRS provides Phishing guidelines telling you what to do if you do receive an email, phone call, fax or text from someone claiming to be the IRS. If you receive an email that says it is from the IRS, forward the Phishing email to the real IRS at firstname.lastname@example.org, and then delete the email!