Malware spammed out widely posing as income tax email

A malware campaign has been spammed out widely, seemingly taking advantage of an important date in the US tax system's calendar.

January 31st is the deadline for US employers to deliver the W-2 form to all of their workers, used to help calculate the total wages earned by an individual during the course of the year.

So, how might you respond if you received an email like this today?

Tax email carrying malware

Subject: FW: 2010 and 2011 Tax Documents; Accountant's Letter

Message body:
I forward this file to you for review. Please open and view it.
Attached are Individual Income Tax Returns and W-2s for 2010 and 2011, plus an accountant's letter.

This email message may include single or multiple file attachments of varying types.
It has been MIME encoded for Internet e-mail transmission.

Attached to it is a ZIP file, whose filename will vary depending on the recipient. For instance, if the email is sent to, the zip file will be called

Inside the ZIP file is an executable file: "Individual Income Tax Returns.exe"

Sophos products detect this file as the Troj/Agent-ZWM backdoor Trojan horse, designed to infect your Windows computer and allow remote hackers to commandeer it for their own purposes.

If you thought fines for submitting a late tax return were bad enough, imagine how much worse things could be if a malicious hacker is trawling through your private documents, stealing your passwords, and accessing your online accounts without your knowledge.

Always be suspicious of unsolicited email attachments, and think before you click.


4 Responses to Malware spammed out widely posing as income tax email

  1. garry · 937 days ago

    The same scam has been appearing in the U.K. for the last few months

    • Kose · 937 days ago

      And Australia every year in July with the Tax office logo and/or letterhead. A lot of the time when you see them they don't even update them to the correct dates!

    • pete · 936 days ago

      These also appear as emails coming from ADP and Paychex stating we can not process your request with an attached zip file. It appears they are directing these towards CPA firms.

  2. Ann · 937 days ago

    It's been circulating in Canada too. I've received three of these so far this year.

About the author

Graham Cluley runs his own award-winning computer security blog at, and is a veteran of the anti-virus industry having worked for a number of security companies since the early 1990s. Now an independent security analyst, he regularly makes media appearances and gives computer security presentations. Follow him on Twitter at @gcluley