2014.07.21: Phishing Attempt, "Verify Your Return Status(IRS.gov)"

Update: A second phishing attempt was received the morning of July 22nd.  We have contacted the source to have them take actions to secure their users accounts. As would be expected the contents of this message are the same as the first; please do not engage the message.


Just before 1PM on July 18th, 2014, a number of CalArts email accounts received a message with the subject line "Verify Your Return Status(IRS.gov)":


The link contained in this message goes to a Google Form titled "IRS.GOV":


This is a phishing scheme designed to trick its recipient into divulging personal information.  If you entered in your personal information before realizing the form was not valid please contact IT as soon as possible.

Below is the raw email data:

Delivered-To: xxxxxxxx@calarts.edu
Received: by with SMTP id ez5csp153503qdb;
Mon, 21 Jul 2014 12:55:21 -0700 (PDT)
X-Received: by with SMTP id ry9mr28278151pac.18.1405972521386;
Mon, 21 Jul 2014 12:55:21 -0700 (PDT)
Return-Path: <kej5@njit.edu>
Received: from psmtp.com (na3sys009amx219.postini.com [])
by mx.google.com with SMTP id os2si969632pdb.301.2014.
for <xxxxxxxx@calarts.edu>
(version=TLSv1 cipher=RC4-SHA bits=128/128);
Mon, 21 Jul 2014 12:55:21 -0700 (PDT)
Received-SPF: neutral (google.com: is neither permitted nor denied by domain of kej5@njit.edu) client-ip=;
Authentication-Results: mx.google.com;
spf=neutral (google.com: is neither permitted nor denied by domain of kej5@njit.edu) smtp.mail=kej5@njit.edu
Received: from mail-we0-f195.google.com ([]) (using TLSv1) by na3sys009amx219.postini.com ([]) with SMTP;
Mon, 21 Jul 2014 19:55:16 GMT
Received: by mail-we0-f195.google.com with SMTP id p10so2814259wes.10
for <xxxxxxxx@calarts.edu>; Mon, 21 Jul 2014 12:55:11 -0700 (PDT)
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed;
d=1e100.net; s=20130820;
X-Gm-Message-State: ALoCoQl/wUfXYlOr5DtgqnNeo5dtrsdwwwf4jk/9jy4kz5vLIEB1RKDRrgUy9t5hsxkdmdkHEjHB
MIME-Version: 1.0
X-Received: by with SMTP id ch1mr7819135wib.34.1405972511286;
Mon, 21 Jul 2014 12:55:11 -0700 (PDT)
Sender: kej5@njit.edu
Received: by with HTTP; Mon, 21 Jul 2014 12:55:11 -0700 (PDT)
Date: Mon, 21 Jul 2014 11:55:11 -0800
X-Google-Sender-Auth: InCTu2KJiwtx9l4QxAnV4WV2d4A
Message-ID: <CA+Y7p34HAfWpWjtfXD0Gcj42_GvsE4c+8AJJSrPjjaJ2NJjBhQ@mail.gmail.com>
Subject: Verify Your Return Status(IRS.gov)
From: "IRS.gov" <irs.gov-irs@outlook.com>
To: undisclosed-recipients:;
Content-Type: multipart/alternative; boundary=f46d04374a0519753404feb97c7f
Bcc: xxxxxxxx@calarts.edu
X-pstn-dkim: 0 skipped:not-enabled

Content-Type: text/plain; charset=UTF-8


Update your IRS E-file immediately, click here to -
*< Update >
**For your protection, this link would expire in six hours.*

Content-Type: text/html; charset=UTF-8
Content-Transfer-Encoding: quoted-printable

<div dir=3D"ltr">IRS.gov<br>
Update=C2=A0<span style=3D"font-size:small;font-family:Helvetica,Arial,sans=
IRS E-file immediately, click here to -=C2=A0=C2=A0</span><b style=3D"font-=
eight:15px"><span style=3D"text-decoration:underline"><a class="3D""" style=
=3D"color:rgb(0,104,207)" href=3D"https://docs.google.com/forms/d/1LdPsQ6QC=
L_DL3m16bGXjUhdCvQp2MCQl2RuGBjAEAWQ/viewform?usp=3Dsend_form" rel=3D"nofoll=
ow" target=3D"_blank"><span style=3D"color:rgb(51,51,255);line-height:norma=
l">&lt; Update &gt;</span></a>



</span></b><b>For your=20
protection, this link would expire in six hours.</b></div>


Have more questions? Submit a request


Please sign in to leave a comment.