IRS Issues Warning On Ransomware ‘Questionnaire’ Scam

A phony email targeting tax professionals is "a new twist on an old scheme," agency Commissioner John Koskinen said.

  • Published 1 September 2017

The Internal Revenue Service (IRS) issued a warning urging tax professionals to watch out for a ransomware scam being distributed via email. The email includes reproductions of logos for both the IRS and the Federal Bureau of Investigation (FBI), as well as a link directing readers to download a “required questionnaire”:

Downloading the document infects the user’s computer and leaves them unable to access their data unless they pay a ransom to the sender. It appears to target tax preparation professionals. However, the IRS has also warned:

Victims should not pay a ransom. Paying it further encourages the criminals. Often the scammers won’t provide the decryption key even after a ransom is paid.

The agency’s commissioner, John Koskinen, said in a 28 August 2017 statement:

This is a new twist on an old scheme. People should stay vigilant against email scams that try to impersonate the IRS and other agencies that try to lure you into clicking a link or opening an attachment. People with a tax issue won’t get their first contact from the IRS with a threatening email or phone call.

Instead, the IRS encourages victims to report ransomware attempts to federal investigators. Scams that purport to come from the IRS should be reported via email to phishing@irs.gov.

According to the agency, incidents involving malware and identity theft scams increased by 400 percent during the 2016 tax season.

The agency has also published an advisory on the matter:

The IRS doesn’t initiate contact with taxpayers by email, text messages or social media channels to request personal or financial information. In addition, IRS does not threaten taxpayers with lawsuits, imprisonment or other enforcement action. Recognizing these telltale signs of a phishing or tax scam could save you from becoming a victim.

We contacted the IRS seeking additional information on how many reports it had received the August 2017 scam but did not get a response by press time.