Classic IRS impersonation phishing attempting to steal credentials through fake "E-Statement" access.
Email Details
Key Findings
Classic IRS impersonation phishing attempting to steal credentials through fake "E-Statement" access
Sender domain mismatch: claims to be from IRS but uses unrelated "notifications.com" domain
Contains suspicious "Access Statement" link (though URL not visible) and mentions attached file for credential harvesting
Detailed Analysis
The email claims to be an "IRS E-Statement Notification" from "lRS-noreply@notifications.com" (note the suspicious use of lowercase 'l' instead of 'I' in lRS), but the IRS would never send official communications from a generic "notifications.com" domain - they use official .gov domains.
The attack vector involves directing recipients to click "Access Statement" which would likely lead to a fake IRS login portal designed to harvest credentials. The mention of "An additional file is attached for your convenience" suggests there may be a malicious attachment containing malware or another credential harvesting mechanism.
The timing is also suspicious as this appears to be targeting tax season when people expect IRS communications. The technical headers show the email originated from juno.com infrastructure but was forwarded, and while DKIM passes for juno.com, this doesn't validate the IRS impersonation claim.
Recommended Actions
- •
Do not click any links or download any attachments from this email
- •
Report this phishing attempt to the IRS at phishing@irs.gov and delete the email immediately