Drake Software blog for tax pros, covering tax, IRS news, and more

Newest Email Scam Threatens Business Networks

A new email scam hitting tax pros and taxpayers alike features a known—and very dangerous—variety of malware that poses big problems for business networks.

The Internal Revenue Service and its Security Summit partners say they’ve seen a surge in fraudulent emails posing as the IRS and using tax transcripts as bait to launch the malware.

The malware is known as Emotet and it generally spoofs specific banks or financial institutions to trick victims into opening the document that will install the program on the victim’s network. This scam poses big problems for businesses, where employees might accidentally launch the infection. Emotet can spread throughout a business computer network; while it can be successfully removed, the process can take months.

The United States Computer Emergency Readiness Team (US-CERT) issued a warning in July about earlier versions of Emotet in Alert (TA18-201A), Emotet Malware.

US-CERT has labeled the Emotet malware “among the most costly and destructive malware affecting state, local, tribal, and territorial (SLTT) governments, and the private and public sectors.”

Change in Tactics

Investigators say the examples they’ve seen show the emailers masquerading as the IRS instead of financial institutions. The suspect messages claim to be from “IRS Online,” and carry an attachment labeled “Tax Account Transcript” or something similar. The email’s subject line carries some variation of the phrase “tax transcript.”

The clues may change with each version of the malware. The IRS has seen scores of these malicious emails forwarded to its phishing@irs.gov email repository.

Remember, the IRS does not send unsolicited emails to the public and would never transmit sensitive information such as a tax transcript via email, which is considered unsecured.

If taxpayers receive an email message suspected of being part of this scam, they should not open the email or the attachment. Delete the message or forward it to phishing@irs.gov. If a suspicious email arrives at a business or tax office, notify the firm’s IT professional immediately.
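For the IT professional handling those reports, the clues listed under Change in Tactics can be turned into a quick triage check over saved messages. The following is an added example, not code from the IRS, US-CERT, or Drake; the regular expressions, the `.example` addresses, and the sample message are constructed for illustration, and because the clues change between versions the result is a triage hint rather than a verdict.

```python
import re
from email import message_from_string, policy
from email.message import EmailMessage
from email.utils import parseaddr

# Patterns taken from the lure described in the article; expect them to drift.
IRS_NAME = re.compile(r"\birs\b", re.I)
SUBJECT = re.compile(r"tax\s+(account\s+)?transcript", re.I)
ATTACHMENT = re.compile(r"transcript", re.I)


def triage(raw_message):
    """Return the reasons a raw RFC 5322 message matches the described lure."""
    msg = message_from_string(raw_message, policy=policy.default)
    reasons = []
    name, addr = parseaddr(str(msg.get("From", "")))
    domain = addr.rpartition("@")[2].lower()
    # A display name that claims the IRS while the address is elsewhere.
    if IRS_NAME.search(name) and domain != "irs.gov" and not domain.endswith(".irs.gov"):
        reasons.append("display name claims IRS, sender domain is %s" % (domain or "missing"))
    if SUBJECT.search(str(msg.get("Subject", ""))):
        reasons.append("subject mentions a tax transcript")
    # The IRS does not email transcripts, so this counts whatever the sender.
    for part in msg.iter_attachments():
        filename = part.get_filename() or ""
        if ATTACHMENT.search(filename):
            reasons.append("attachment named like a transcript: %s" % filename)
    return reasons


def build_sample(sender, subject, attachment=None):
    """Build a constructed test message (hypothetical addresses, inert payload)."""
    m = EmailMessage()
    m["From"], m["To"], m["Subject"] = sender, "preparer@taxfirm.example", subject
    m.set_content("Please see the attached document.")
    if attachment:
        m.add_attachment(b"placeholder bytes", maintype="application",
                         subtype="octet-stream", filename=attachment)
    return m.as_string()


if __name__ == "__main__":
    lure = build_sample("IRS Online <notice@mail.example>",
                        "Your Tax Transcript", "Tax Account Transcript.doc")
    for reason in triage(lure):
        print("FLAG:", reason)
```

Any message that returns one or more reasons should be left unopened and passed to the firm’s IT professional or forwarded to phishing@irs.gov, as described above.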

Bob Williams

Forget genes; I’ve got words in my DNA. Communication has been part of who I am nearly all my life. From a long career in radio news to another one in newspapers – and a University of Georgia journalism degree sandwiched between the two – language has been my life. I’ve also been fortunate to have learned the tax business from the ground up here at Drake, starting with 1040.com online forms some years ago before moving on to work on the Web. In all things tax-ish, we aim to give you tools you can use.
