Video Screencast Help
Symantec to Separate Into Two Focused, Industry-Leading Technology Companies. Learn more.
Security Response

Spammers Exploit the Tax Season

Created: 17 Mar 2008 07:00:00 GMT • Updated: 23 Jan 2014 18:41:47 GMT
Kelly Conley's picture
0 0 Votes
Login to vote

As reported in the February State of Spam report, we have observed spammers disguising themselves as the IRS and dangling an offer of a tax refund to unwitting recipients. That is, a refund made available once you input your credit card information into their site. A site that does not bear the IRS URL. A site that is fraudulent and nothing more than a collection tool for credit card and other personal information. And while we are still seeing this, we have recently observed a few new types of spam in relation to tax season. This spam being of a more sinister type as it directs you to download a virus.

In one example, the spammer indicates that a new law requires you to download tax software. Well, that in itself is ridiculous because taxes are traditionally done on paper and there is no existing law stating that you need a computer for your taxes in the first place. If that wasn’t a red flag, the site that you actually download the "software" from is not a government site. Instead, it is merely an IP address.

In the body of the message, the URL does appear to be a legitimate government site being "" However, when you click it, you are redirected to the IP address hosting the virus. Upon going to the official IRS site ( and manually typing in, the "The requested page does not exist. Please check your URL." error message is displayed.

Upon a glance, this message does appear to be legit, at least on the surface, carrying legititmate-looking "From" and "Subject" lines, as well as the legit-looking link referencing the IRS:

From: "IRS"
Subject: IRS Notice

Dear Tax Payer,

As part of new requirements from the IRS, all U.S. Citizens are required by law to update their computers with new tax software.

To begin the update, please visit and click "Open" when asked to begin the download.

After doing so, no further action is required on your part.

Thank you for your cooperation.


Another example is utilizing the ever popular tax software, TurboTax. Here the spammer is also advising the recipient to download software updates to comply with new IRS requirements. The first red flag would be the "From" line. This from line does not look like it originates from the business. You must ask yourself: “Why would a legitimate company use” and “Why is TurboTax sending me something from the .cn domain?”

The second red flag would be the URL that the "" takes you to. It does not take you to the TurboTax official Web site. Instead, you are delivered to an alphanumerically randomized URL consisting of a blank page with a pop up that asks you to download some mysteriously named file. Where are the credentials? Upon investigating at the real TurboTax site,, and searching for "," an error message "We cannot find the page you requested" is rendered.

From: "TurboTax Support"
Subject: New TurboTax Update

Dear TurboTax User,

Due to changes in IRS requirements, we are requiring all TurboTax users to update their software to the current version.

The process takes less then 30 seconds, and is done completely in the background.

To begin the update, please visit and click "Open" when asked to begin the download.

After doing so, no further action is required on your part.

Thank you for your cooperation regarding this matter.

TurboTax Customer Support

Be alert during tax season for those preying on you for sinister purposes such as stealing of personal information and spreading viruses. In the above samples, a few simple research steps and analysis of the headers and body made it clear these were not legit. Above all, do not download anything on your computer unless you are sure that it is what it says it is and comes from someone you know and trust or a reputable company. Remember, if you don’t know whether it’s legit, it’s better to be safe than sorry. You can always call the company’s support line from a phone number retrieved on their official site with details of the message and ask them if it truly came from them.