{
	"id": "a3d97a1a-d390-4d23-83ed-681ba323750d",
	"created_at": "2026-04-06T00:12:15.403344Z",
	"updated_at": "2026-04-10T13:13:04.81382Z",
	"deleted_at": null,
	"sha1_hash": "0aa1dfe2cc1c38a64fae1ba8d7a03f1cfad46c65",
	"title": "Beware: Fake IRS tax email delivers Emotet malware",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 239620,
	"plain_text": "Beware: Fake IRS tax email delivers Emotet malware\r\nBy Christopher Boyd\r\nPublished: 2023-03-22 · Archived: 2026-04-05 14:23:41 UTC\r\nTax season is upon us and, as with every year, we’re seeing tax scammers rearing their heads.\r\nBelow, we have an example of a tax scam currently in circulation along with some suggestions for avoiding these\r\nkinds of attacks.\r\nAn IRS W-9 tax form scam\r\nA Form W-9 is a form you fill in to confirm certain personal details with the IRS. Name, address, and Tax\r\nIdentification Number are all things you can expect to fill in on one of these forms.\r\nIn this case, the Form W-9 is being used as a lure for people to download something sinister. Our Senior Director\r\nof Threat Intelligence, Jerome Segura, found an email being sent out with the title of “IRS Tax Forms W-9” which appears to have been sent from “IRS Online Center”. The email, which contains an attachment and very\r\nlittle text, looks like this:\r\nhttps://www.malwarebytes.com/blog/news/2023/03/beware-fake-irs-tax-email-delivers-emotet-malware\r\nPage 1 of 4\n\nThe rather short message reads as follows:\r\nLet me know if you would like a hard copy mailed as well.\r\nRespectifully [SIC]\r\nBarbara LaCosta\r\nInspector\r\nDepartment of Treasure\r\nThe attachment, W-9 form.zip, is 709 KB in size.\r\nOpening the attachment up reveals a Word document called W-9 form.doc\r\nThis file’s size is 548,164 KB (548 MB), which is very suspicious. You won’t find many genuine Word documents\r\nweighing in at 500MB or more. In fact, a file size of 500MB is a potential indicator that Emotet is lurking in the\r\nbackground. Malware authors are artificially pumping up the size of the document in order to try and fool or break\r\nsecurity tools. This is because the large file size may prove too difficult for the tools to get a handle on and\r\nproperly analyse.\r\nOpening the document quickly becomes a game of Macro-related risk. 
Macros, used to automate aspects of your\r\ndocuments, are a tried and tested way of infecting a PC with malware. This is why you’ll almost always see a\r\nmessage saying that Macros are disabled when opening a downloaded document.\r\nMalware authors know this, and will do everything in their power to make you enable them. This is no exception.\r\nWhen opening W-9 form.doc, you’ll see the following message:\r\nThis document is protected\r\nPreviewing is not available for protected documents. You have to press “enable editing” and “enable\r\ncontent” buttons to preview this document.\r\nEnabling this will result in Emotet being downloaded onto the system.\r\nEmotet has been around since 2014. Originally created as a banking trojan, later versions added malware delivery\r\nand spam services. It mostly features in email spam campaigns, and the fake mails that help deliver the\r\ninfection focus on subjects like parcel shipping, invoices, and other forms of payment.\r\nIn fact, Emotet features as one of the top five cyberthreats businesses face in our 2023 State of Malware\r\nreport. Flagged by Europol as “The world’s most dangerous malware”, law enforcement has never quite been able\r\nto shut it down permanently despite its entire global infrastructure being taken offline in 2021. Emotet’s ability to\r\npush additional forms of malware onto target systems, including threats like TrickBot, IcedID, and Conti\r\nransomware, makes it a formidable proposition for any security team to handle.\r\nAvoiding tax scams\r\nHere are some of the ways you can outsmart tax fraudsters and keep one step ahead of the phishing, malware, and\r\nsocial engineering attacks which come around every year during tax season.\r\nFile early. One of the quickest ways to stumble into a trap is to leave filing your tax return until the last\r\nminute. 
That added pressure can mean responding to fake mails you otherwise would have ignored.\r\nBe careful around suspicious refunds. Tax agencies have a proper process for issuing refunds, found on\r\ntheir websites. Some, like HMRC, are very clear that refunds are never issued by email. If in doubt, phone\r\nthe tax office directly and ask if what you have is the real deal or a fake.\r\nBeware of fake bank portals. Some tax scams will ask you who you bank with, and then open up a\r\nphishing page for that bank. Always navigate directly to your banking website; click-throughs and redirects\r\ntypically spell danger.\r\nAvoid the pressure pitch. Tax scammers like to hurry you along to data theft and malware installs. Claims\r\nof only having 24 or 48 hours to file for a refund should be treated with skepticism. As with most solutions\r\nfor these forms of social engineering, contact the tax entity directly.\r\nMalwarebytes removes all remnants of ransomware and prevents you from getting reinfected. Want to learn more\r\nabout how we can help protect your business? Get a free trial below.\r\nAbout the author\r\nFormer Director of Research at FaceTime Security Labs. He has a very particular set of skills. Skills that make\r\nhim a nightmare for threats like you.\r\nSource: https://www.malwarebytes.com/blog/news/2023/03/beware-fake-irs-tax-email-delivers-emotet-malware",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"ETDA"
	],
	"origins": [
		"web"
	],
	"references": [
		"https://www.malwarebytes.com/blog/news/2023/03/beware-fake-irs-tax-email-delivers-emotet-malware"
	],
	"report_names": [
		"beware-fake-irs-tax-email-delivers-emotet-malware"
	],
	"threat_actors": [],
	"ts_created_at": 1775434335,
	"ts_updated_at": 1775826784,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/0aa1dfe2cc1c38a64fae1ba8d7a03f1cfad46c65.pdf",
		"text": "https://archive.orkl.eu/0aa1dfe2cc1c38a64fae1ba8d7a03f1cfad46c65.txt",
		"img": "https://archive.orkl.eu/0aa1dfe2cc1c38a64fae1ba8d7a03f1cfad46c65.jpg"
	}
}