IRS Warns of “Industrial Scale” Smishing Surge

The Internal Revenue Service (IRS) has warned US taxpayers of an “exponential” increase in text-based phishing attempts and urged users to report campaigns to help the government disrupt them.

In a news alert yesterday, the tax agency said it had identified thousands of fake domains so far in 2022, which are used to facilitate the so-called “smishing” scams. These are designed to steal victims’ personal and financial information.

Spoofed to appear as if sent from the IRS, these text messages often use lures like fake COVID relief, tax credits or help setting up an IRS online account, it said. They might request personal information or covertly download malware to the user’s device by tricking them into clicking on a malicious link.

“This is phishing on an industrial scale so thousands of people can be at risk of receiving these scam messages,” said IRS commissioner Chuck Rettig.

“In recent months, the IRS has reported multiple large-scale smishing campaigns that have delivered thousands – and even hundreds of thousands – of IRS-themed messages in hours or a few days, far exceeding previous levels of activity.”

Automated tooling is helping to drive this surge: the IRS claimed that just three dozen stolen or bogus email addresses were used to create over 1000 fraudulent domains for a recent smishing campaign.

The IRS urged users and tax professionals to continue reporting any smishing attempts they discover, in order for security teams to track and disrupt the threat actors behind them.

It said the preferred method of reporting is to copy the text of a smishing or regular phishing message into an email, as follows:

• Create a new email to phishing@irs.gov
• Copy the caller ID number (or email address)
• Paste the number (or email address) into the email
• Press and hold the SMS/text message and select “copy”
• Paste the message into the email
• Include the exact date, time, time zone and telephone number that received the message, if possible
• Send the email to phishing@irs.gov