IRS Refund Phishing Email
Attack Trigger
Email claiming an unclaimed tax refund is available or a tax debt requires immediate action
What Attackers Want
Banking credentials for refund fraud, or $500–$5,000 in bogus tax debt payments
How This Attack Works
Fraudulent emails impersonate the IRS claiming the recipient is owed a tax refund or has an outstanding tax liability. The refund variant directs victims to a fake IRS portal that harvests banking details to "deposit" the refund. The debt variant threatens immediate legal action unless the victim pays via gift cards, wire transfer, or cryptocurrency. The IRS never initiates contact by email.
Red Flags to Watch For
- ✗The IRS never contacts taxpayers via email, text, or social media — only by mail
- ✗Sender domain is not irs.gov
- ✗Refund portal requires full bank account and routing numbers
- ✗Debt notice threatens arrest or license suspension via email
- ✗Demands payment by gift card, crypto, or wire transfer
- ✗Email contains a deadline of 24–48 hours to avoid legal consequences
Known Malicious Domains
These domains have been associated with this attack. Never click links going to these addresses.
- irs-refund-portal.comMALICIOUS
- tax-refund-irs-gov.netMALICIOUS
- irs-payment-due.comMALICIOUS
- refund-processing-irs.netMALICIOUS
Glance automatically blocks emails from domains on this list. Domain list is not exhaustive — attackers register new domains continuously.
How Glance Stops This
- Domain similarity analysis catches lookalike sender addresses at millisecond speed
- SPF / DKIM / DMARC validation flags authentication failures before you ever see the email
- VirusTotal + Google Safe Browsing checks every link in real time
- Urgency language detection scores the email higher for manual review
- Known malicious domain blocklist updated continuously from live scan data
Don't wait to get hit.
Glance scans every incoming email against 12 detection layers — including the exact tactics described above — before it reaches your inbox.
Protect My Inbox — Free