IRS Online Scam

What is IRS Online Scam?

If you do not want to face a malicious Trojan, the IRS Online Scam is one to look out for. It is important to mention that the email address attached to the scam could be different in your case. One other example is The subject line could be adjusted too. Cyber schemers need to be smart about how they approach victims, and if they continue to use the same addresses, subject lines, and even the messages themselves, they are less likely to succeed. The ever-changing scams make it much harder for security experts to catch them and warn users in time. Unfortunately, the consequences can be dire. If you are not careful and fall for the scam, you might let in malware without even knowing it. According to our research, some victims find that they need to remove IRS Online Scam-related Trojans. One of them is the vicious Emotet Trojan. If you continue reading, you will learn how to recognize the scam and delete the malware.

How does IRS Online Scam work?

As you know – if you have encountered it already – the IRS Online Scam is meant to be extremely deceptive. It was created to trick gullible victims into thinking that the email message is legitimate and that a file attachment must be downloaded and opened. In some cases, the email message might also include telephone numbers (e.g., 1-800-276-5769 or 1-866-824-8183) that, allegedly, can help you contact the IRS. This is a complete lie, and if you call the numbers, you will call schemers, who will try to extract as much personal information as they can. Of course, the main goal behind the email is to trick you into opening the attached document. Our tested sample pushed a seemingly harmless DOC file, but schemers can use other kinds of files too. According to the message, the file is sent by IRS Treasury Department, and that should be enough to make you open it. Instead, you should delete it immediately. If you remove the message, you will evade great danger. If you open it and then open the attached file, you are likely to let in a dangerous computer infection.

As a matter of fact, malware will not be executed the moment you open the attachment. First, you will need to enable macros. The “This document created in online version of Microsoft Office Word” message will show up, and then you will be asked to “Enable content.” Whatever you do, do not enable anything because that will lead to the infiltration of Emotet or another malicious threat. This happens silently: a command, which is encoded in Base64, is run, and it then downloads the threat. If we are talking about Emotet (the infection that was downloaded in our case), it can assign a unique name and location every time, which makes detecting and deleting this threat quite difficult. The guide below provides a list of locations this malware could hide in, but we cannot promise that you will be able to find and delete it yourself. However, if you do not remove Emotet, it will download and execute other infections (most likely, banking Trojans) that could steal sensitive information. Of course, all kinds of malware could be linked to the IRS Online Scam, and so if you have recently opened suspicious emails from the IRS, you must scan your operating system ASAP.
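For triage of the Base64-encoded command described above, the following added example (not part of the original article) decodes such a command line offline and lists any download URLs it contains, without executing anything. It assumes the command line was captured from process-creation logs and that the encoded text is a UTF-16LE or UTF-8 string; the function name, the sample command and the host are constructed for illustration.

```powershell
# Added example: offline triage of a Base64-encoded command line. Nothing is executed.
function Expand-Base64Command {
    param([Parameter(Mandatory)][string]$CommandLine)

    # Candidate tokens: runs of Base64 characters at least 24 characters long.
    foreach ($m in [regex]::Matches($CommandLine, '[A-Za-z0-9+/]{24,}={0,2}')) {
        $token = $m.Value
        if ($token.Length % 4 -ne 0) { continue }           # not valid Base64 length
        try { $bytes = [Convert]::FromBase64String($token) } catch { continue }

        # Assumption: the payload is text. Try UTF-16LE first, then UTF-8.
        foreach ($enc in @([Text.Encoding]::Unicode, [Text.Encoding]::UTF8)) {
            $text = $enc.GetString($bytes)
            # Keep only results that decode to printable ASCII text.
            if ($text -notmatch '^[\x20-\x7E\r\n\t]+$') { continue }
            [pscustomobject]@{
                Encoding = $enc.WebName
                Decoded  = $text
                Urls     = [regex]::Matches($text, 'https?://[^\s''"\)]+') |
                               ForEach-Object Value
            }
            break
        }
    }
}

# Constructed sample: the command text and host below are made up for this example.
$plain  = 'Invoke-WebRequest -Uri http://downloader.example.invalid/doc.bin -OutFile out.bin'
$sample = 'powershell.exe -EncodedCommand ' +
          [Convert]::ToBase64String([Text.Encoding]::Unicode.GetBytes($plain))

Expand-Base64Command -CommandLine $sample | Format-List
```

URLs recovered this way can be checked against proxy and DNS logs to see which hosts were contacted and to block them.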

How to remove IRS Online Scam malware?

If you face the IRS Online Scam, deleting the email via which the scam is delivered should be the first thing you do. If you have opened the email and “enabled content,” there is a good chance that malware was executed. The instructions we provide below show where to look for Emotet Trojan, but note that other threats could be attached to the vicious IRS Online Scam too. Even if you know that Emotet is the infection you need to delete, finding it could be very problematic, and finding threats you have not identified yet could be even more difficult. We propose that you install anti-malware software. It will automatically find and eliminate all threats that might have slithered in, and, more importantly, it will continue protecting you in the future.

Emotet Removal Instructions

  1. Launch Windows Explorer by tapping Win+E.
  2. Check these locations (enter the path into the field at the top of Explorer) to find malware:
    • %WINDIR%
    • %WINDIR%\System32
    • %WINDIR%\SysWOW64
    • %LOCALAPPDATA%\Microsoft
    • %LOCALAPPDATA%\Microsoft\Windows
    • %APPDATA%\Microsoft
    • %APPDATA%\[random name subfolder]
  3. Delete the [unknown name].exe file that represents the Trojan.
  4. Exit Explorer and launch RUN (tap Win+R).
  5. Enter regedit.exe (for Registry Editor) and click OK.
  6. Move to HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services.
  7. Delete the [unknown name] value that represents the Trojan's PoE (the name should match the .exe file).
  8. Exit Registry Editor and then Empty Recycle Bin.
  9. Do not forget to scan your operating system using a trusted malware scanner.
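The manual search in steps 2 to 7 can be narrowed down with a read-only audit. This added example (not part of the original guide) walks the Services key from step 6 and reports entries whose executable sits in one of the step 2 folders and whose name matches the .exe file, as step 7 describes. The variable names and the choice to show creation time and signature status are assumptions made for illustration.

```powershell
# Added example: read-only audit of the Services key named in step 6. It deletes nothing.
# Folders from step 2; %APPDATA%\[random name subfolder] is handled separately below.
$listed = @(
    $env:WINDIR
    (Join-Path $env:WINDIR 'System32')
    (Join-Path $env:WINDIR 'SysWOW64')
    (Join-Path $env:LOCALAPPDATA 'Microsoft')
    (Join-Path $env:LOCALAPPDATA 'Microsoft\Windows')
    (Join-Path $env:APPDATA 'Microsoft')
)

Get-ChildItem 'HKLM:\SYSTEM\CurrentControlSet\Services' | ForEach-Object {
    $image = [string]$_.GetValue('ImagePath')   # environment variables are expanded
    # Pull the .exe path out of a quoted or unquoted ImagePath; skip drivers and DLL hosts.
    if ($image -match '^\s*"([^"]+\.exe)"' -or $image -match '^\s*(\S.*?\.exe)(\s|$)') {
        $exe = $Matches[1]
    } else { return }

    $dir = Split-Path $exe -Parent
    if (-not $dir) { return }
    # Match a listed folder, or any direct subfolder of %APPDATA%.
    $inListed = ($listed -contains $dir) -or ((Split-Path $dir -Parent) -eq $env:APPDATA)
    # Step 7 heuristic: the service entry carries the same name as the .exe file.
    $sameName = [IO.Path]::GetFileNameWithoutExtension($exe) -eq $_.PSChildName

    if ($inListed -and $sameName) {
        $file = Get-Item -LiteralPath $exe -ErrorAction SilentlyContinue
        [pscustomobject]@{
            Service   = $_.PSChildName
            Path      = $exe
            Created   = if ($file) { $file.CreationTime } else { $null }
            Signature = if ($file) { (Get-AuthenticodeSignature -LiteralPath $exe).Status }
                        else { 'FileMissing' }
        }
    }
} | Sort-Object Created -Descending | Format-Table -AutoSize
```

Legitimate Windows services can appear in the output, so treat it as a shortlist to review. %LOCALAPPDATA% and %APPDATA% resolve to the profile of the account that runs the script.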
