IRS related scams are not all the same

Barracuda Central is detecting a variety of tax-related phishing emails.  These emails are designed to look like official communications from the IRS or similar tax revenue entities outside of the US.  Most of the emails we have detected include links in the body of the message.  These links are designed to phish for the victim’s info or to install malicious content on the victim’s computer.  All of these emails have the same agenda of tricking people into clicking on the malicious links. (Click here to see a larger version of this image)     Some of these emails claim to be automated notification messages sent from the IRS. These emails ask the recipient to update a W2 profile with a “new W2 E-Data Form”. Some of these messages are also claiming that if this is not done within 48 hours, a refund will be delayed or not paid. Other similar IRS phishing emails have an attached HTML form. This form prompts the recipient to input personal information such as: social security number, Date of Birth, home address and Employer info and etc. If this form is submitted, the victim is directed to a different site, and all personal information that was just entered is now stored for a spammer to use.   Another variant has the subject “Pending Tax Refund”. This variant attempts to trick the recipient into clicking on the link that claims there is an outstanding tax refund from an overpayment in a prior year.  These messages are coming from an .UK domain, and are posing as official communications from HM Revenue & customs.  This is the department of the UK Government that is responsible for the collection of taxes. The government already knows about this issue and has created a site to inform people about this scam:     The above variant poses as a message from the “Canada Revenue Agency”. The email has a link to a site that asks the victim to transfer money electronically, so that the sender...

read more

The Big Business of Spam: Don’t Click These Links or, “You’re Fired!”

Jan 20, 16 The Big Business of Spam: Don’t Click These Links or, “You’re Fired!”

Posted by in Email Security, Uncategorized

A new year may have begun, but the big business of spam is still very present. Barracuda Central has recently detected a new spam tactic that uses Donald Trump’s name and image in make-money-quick schemes. Regardless of political or personal views, Donald Trump is a name that most people know. Spammers are very much aware of this, and are using it to their advantage. Get-rich-quick schemes are not new to the big business of spam, but the tactics to get recipients to read these spam emails are always changing. Specific to these ‘Donald Trump’ messages, spammers are using these angles of enticement: A mainstream name in the media (‘Donald Trump’) Words or phrases similar from actual news conferences (‘You’re Fired!’) An email alias that disguises the spammer as a Trump or a legitimate news source (ex. CNN, see Figure 1) Figure 1These tactics are designed to make the spam email seem more legitimate, making the recipient more likely to open the message. Tactics to look for specific to this scam: First, the subject line: “Donald Trump reveals simple plan to help every American earn more money.” The subject in itself is enticing to the recipient since it uses a mainstream name and the words “earn more money.” Once this message is opened, you will see obvious spammer tactics: Designed to look like it was sent by Trump Uses the CNN logo and similar website formatting Links to “See Trump’s plan for American’s to triple their income…” Once in the email, if a reader clicks on the links, they are redirected to a false CNN site, (one can look at their browser, to see that they were not directed to CNN, but a falsified site, ex. see Figure 2). Figure 2  While looking over the false CNN site, you will see tactics continuously used to help prove legitimacy. The site also uses fake statements claiming they are direct quotes from Trump during news conferences. In addition, any link clicked on from the fake CNN site...

read more

The Big Business of Spam: Open Enrollment Signals Open Season for Spammers

Spam is big business all year long, and it never goes out of season.  Unfortunately, spammers do kick things into high gear during the fall.  This is when people are buying gifts, thinking about how to get money to buy gifts, or opening holiday E-Cards that aren’t really from friendly people.  Spam tends to increase during this time, just because there’s more opportunity when people are in the holiday spirit. Fall is also the time of year when insurance companies allow businesses and individuals to adjust their health and life insurance coverage.  This is known as Open Enrollment, and spammers come out in force to try to take advantage of this well-known event. Barracuda Central, our 24×7 advanced security operations center, has detected an increase in health and life insurance spam over the last few weeks.  We have picked up several hundred examples of these emails since October. These particular spam messages use names of real insurance companies, such as AIG, Fidelity Life Insurance, and Medicare.  The messages have generic subject lines such as “Open Enrollment is here!” and “Now is the time to change your plan.” See Figure 1 for example. Figure 1These messages are particularly crafty and made to look as real as possible. Not only are the spammers using legitimate names of health and life insurance companies, they are also using images and wording that is close, and sometimes almost identical to the real advertisements from these entities. These “insurance” emails try their best to look convincing and lure the recipient to open them by promising a free quote for insurance plans (Figure 2). Some emails are so convincing, going so far as to even use the company name in the sending domain (Figure 3). Figure 2  Figure 3If the email is convincing enough and the recipient clicks on the false “free quote” link, they will notice their internet browser redirects a few times to sites that never fully load, the redirecting of the browser sometimes happens so rapidly that it...

read more

The Big Business of Spam: Online Dating Requests Through Email – Not So Fast

Meeting people online has never been easier, unfortunately for some people, falling for that perfect connection may not be the only thing they are falling for these days. Online dating scams are quickly becoming a likely possibility due to the giant audience attracted to online dating sites. It’s no secret that scammers target large audiences, and according to an article published on, there are currently over 40 million people trying to meet that special someone online. So, how can users avoid falling victim to an online dating scam without dumping the scene all together? One way is to remain aware that any email you receive regardless of the topic – could be a scam in disguise. For example, through Barracuda Central, the Barracuda Labs team recently flagged and dissected a series of factious emails from scammers attempting to impersonate a missed connection from a dating site. These scams are banking on the potential that the recipient has an online dating account in order to bait them into replying to an offsite message. This particular email scam suggests that the recipient email them directly so they can get to know each other, which is simply a tactic used in order to bypass spam filters. Here is one of the messages we came across: As you can see, this particular message is written poorly which should always raise a red flag, and if the recipient takes action and replies, the scammer’s sob story quickly follows in hopes to earn the trust of the victim. Eventually these communications will lead to a request for the victim to wire money, which will be withdrawn from their bank account immediately and into an offshore account – where a refund is far from likely. Not only will your wallet be empty, your heart may be broken along with it, and you’ll be well on your way to a number one hit on the county music charts. Not your idea of a good time? Fortunately, it might actually be easier...

read more

The Big Business of Spam: Adulterers beware, scammers may be targeting you

As you have probably heard by now, a group of hackers who call themselves The Impact Team recently breached the systems of Avid Life Media (ALM), and stole sensitive data from The group has since published a large cache of data that includes personal information from members of the site, and are making that data available online for download. To make the situation worse, opportunistic scammers are looking to capitalize on this unique opportunity for a financial gain of their own. To start, the scammers will send phishing emails suggesting that they have information on the recipient that will expose them as an AshleyMadison user. The scam methods they’re using are quite simple and common, yet highly effective when used as a scare tactic like this. Spammers often buy full lists of verified addresses (email addresses in this case) after a large breach, then target and attempt to solicit the users. Here’s how this particular scam works: An unsuspecting user will get an email titled – “Recent data leak, your details are there!” (image below) Once the user opens the email, they will see a note that implies that their personal information has been leaked along with the other 37 million people. At the end of the note, they are directed to click on a link that will direct them to a page that offers services from UnTraceMe. From there, they are directed to pay a fee of $19.95 to get their information secured and removed. (image below) After a spooked user agrees to pay the fee and clicks on the link provided, they are then directed to use a PayPal-like site to pay the fee and “secure their information.” (image below) What folks don’t know is that the leaked data can be retrieved by just about anyone, and will not disappear no matter what ransom is paid. At this time, Barracuda Labs has blocked over 1000 emails similar to the one imaged above, and depending on the monetary success that the spammers...

read more

The Big Business of Spam: Stay clear of these “too-hot-to-miss” sale opportunities from your Facebook Friends

We’ve previously warned about deals that are too good to be true ( – and with summer in full swing, the Barracuda Labs team has seen more and more false domains like (, and popping up in feeds and social media timelines. Our Labs team ran a background check on the domains and many of them appear to be registered in China, including the domain listed above. While browsing your Facebook or Twitter timelines, you may have come across “sponsored ads” that seem too good to be true. Most can be spotted immediately and swiftly ignored; however, you may have been tagged in a post or received a message on your personal timeline posted by a friend, directing you to a killer sale. See figure 1 for an example. Figure 1. The example above shows an ad for Ray Ban, a popular sunglass retailer whose classic sunglasses range from $155 to $200, that looks as though it was shared by a regular user or even a friend on Facebook. The ad targets unsuspecting consumers looking to score the name brand sunglasses for up to 80% off. Figure 2. The idea here, like any scam, is to entice unknowing consumers to jump on the hot deals and “buy” the Ray Ban’s at such low prices. Once the links are clicked on, the consumer is redirected to what looks like a legitimate discount website that is offering deals with up to 80% savings on multiple styles, see Figure 2 and Figure 3 for examples. Figure 3. The phisher hopes that the deal is too good for the consumer to pass up and engages in purchasing the product. Here, the phisher is hoping the consumer will enter their personal data like first and last name, emails address, personal home address and credit card information, to then flip and sell to third parties. It is always smart to use best practices when shopping online. Here are a few tips: Do a bit of research and go...

read more