SCAM: Your Federal Tax Payment has been rejected (NCSAM)

It’s October, and that means this month is National Cyber Security Awareness Month. So in the spirit of Stop. Think. Connect., The Tech Herald offers an examination of the latest scam that is clogging inboxes the world over.

The email is a run of the mill Phishing scam. It starts by alerting you to the fact that your Electronic Federal Tax Payment System (EFTPS) payment has been rejected. In addition, the scam has been known to say there has been an error with payment, or that a payment needs to be made. Some of the subjects also warn you that this is the second notice.

Below is an image of the message.

On its face, it looks both important and legit. It appears to come from an official domain (.gov), and it’s filled with details that are confusing enough to make you want to start clicking links for more information.

That’s the goal. The people blasting this message around the globe want you to click their link. Once you arrive at the page, they plan to rob you of personal information by having you fill out a form. Messages like this can also be used to deliver Malware, which is pushed to your system the moment you visit the website.

As we mentioned, this is National Cyber Security Awareness Month. The National Cyber Security Alliance has launched an initiative called Stop. Think. Connect. in support of NCSAM, which we cover in detail here.

According to, the Stop. Think. Connect. program is about taking a moment to stop and think about the places we visit online, the information that we share, and the communities in which we participate before and while we are connected to the Internet.

We’re going to look at this message again and break it down using the Stop. Think. Connect. model, point out some of the obvious and not-so-obvious red flags. If you have questions, please don’t hesitate to leave a comment and ask us.

Let’s start with the message itself again, only this time we’ve highlighted some areas that instantly stood out to us when we first viewed it.

Before we dig into the numbered areas, if you are ever presented with a message similar to this, ask yourself a question. Have I used electronic payments recently to send money to the IRS or other government agency? Have I ever done this? If the answer is no, delete the message and forget it.

If the answer is yes, then skip the email and call the agency direct, by looking the phone number up in a phonebook. You can also enter the URL directly into your browser. In this case it is This is a legit domain, which has been abused for the sake of the scam.

Below are the red flags, marked in the order we spotted them. With each one, we will explain it and give our thoughts on the marker.

(1) This marker is the encoding of the message. It is used to display international characters when sending a message. For example, this message would be able to properly transmit and display messages from Central Europe.

The problem is that by default, most email clients would never use this encoding, unless it is mandated by the operating system. Western European (ISO) is a common default in the U.S., so when an encoding is displayed like this and the message is from an unknown source, use caution and be skeptical.

Also, the encoding is why you will sometimes see messages in a completely different language from you own. It is common to see Spam and Phishing messages written completely in Russian for example. If you can’t read it, delete it.

(2) The From field and the subject of any message that looks to capture your attention with panic and fear should be instantly suspect.

In this case, the From address (the sender) says it is EFTPS Tax Payment, and on the surface uses a .gov email address. However, the headers to the email message show it came from a Gmail account. (Why would the government send you an important message like this from a GMail account?)

Most users do not know how to view email headers. However, even without viewing the headers, the From field and subject are enough to delete this message. Remember the initial questions? They are related to these fields, so if the answer is no, then delete this message. Otherwise, as we suggested, skip this message anyway and call the agency directly.

[Note: In Outlook, to view the full headers for a message, right click on it, and select Options. The headers are in the box on the bottom.]

(3) The To field, where the message was set, is also another red flag. Here you can see it is addressed to the contact address at mp3q. This is a junk collector, and is never used for legitimate communications. With this knowledge alone, we can safely ignore everything this message says.

However, what you cannot see in the image is the second address that the message was sent to. The second address is a legit address used for business communications, but it isn’t used for tax payments. So again it is safe to ignore the message.

The point to this is to remember to look at where the suspect message is delivered and to think of the context for both the address used and the message itself. It’s useful to have an email address associated with friends and business, and one that is purely for junk collection.

After that, you can separate business emails into general communications, and payment related ones. Keep shy of creating business accounts with the words payment, or funds, or banking in them. Scammers target these words constantly.

(4) The message contains a link to correct the payment issue and offer more information. However, if you look, the address in the email and the actual link seen at the bottom are different.

You should never trust links that are embedded in an email. Considering the example here, you can clearly see that this message is a fraud, as the website isn’t even close to a domain used by the government agency it pretends to represent.

(5) This section points out a clear grammatical error. The message uses “In other way”. In broken English, it seems to us what the person or group behind the message mean to say is, “Another way”.

We could be wrong about this message, but most scams are filled with grammatical errors. Perfect examples of such errors are the variants of this tax scam using the subject that reads, “Urgent. Your Tax Payment ID 0103xxxx is failed.” (The xxxx is a random set of four digits)

When sending official communications, government agencies and legit businesses screen their messages for grammar. It is exceedingly rare to see a legit message with such blatant mistakes.


When dealing with random messages, there are several things to keep in mind, but the most important thing to remember is the message itself.

Does the message intimidate you, or offer context that snatches your attention and maybe even frighten you with harsh penalties if ignored?

If it does, then stop for a second and think about it. If the message does any of that, instantly treat it as suspicious, and check for the types of things we flagged in our image.

If in doubt, call the business or agency on the phone, ignoring any links or contact details in the email. Instead, look their listed number up in a phonebook and communicate with them that way.

Just remember, especially since this example is related to taxes, the IRS will never ask for information over email. If there are errors, the IRS will send certified mail, and call you directly. Moreover, they are completely willing to prove who they claim to be.

It can be hard to break habits, but the effort is worth it. When it comes to scams like this, the criminals are hoping that you will just click the link for more information and fail to notice the inconsistencies.

This is why, if anything, you never - ever - click links that are randomly sent via email. The same goes for attachments; they should be avoided, even if they are simple HTML files, or harmless looking Word or PDF documents.

In the end, if a message wants something from you, information, or an action such as following a link or opening a file, it’s suspect. If it wants these things, and you have no idea who the sender is or why they contacted you, press the delete button and move on.

Like this article? Please share on Facebook and give The Tech Herald a Like too!

From our Other Sites

Man Makes Tiny Edible Pancakes with Tiny Kitchen Tools (Video)

This Japanese guy cooks up some pancakes…nothing special there right? Well he uses tiny implements to do it and makes perfect little pancakes. Kinda cool and they look tasty!

What Color is this Dress?

White and Gold or Blue and Black?
Well this one has been trending all over the web, just what color is this dress? It all started in Scotland when the mother of a bride-to-be sent a picture to her daughter asking what she thought of the dress. The bride and groom each saw the image differently, this then got posted online and picked up by some viral sites. The lighting in photo is probably  causing different people to see it as either white and gold or blue and black. Prof Stephen Westland, chair of color science and technology at a University in the UK told the BBC that it was impossible to see what other people see but that it was most […]

McLaren 675LT Pictures

Some great shots of the forthcoming McLaren 675LT. This coupe will get you to 60mph in less than 2.9 second and go all the way to 205mph.

McLaren 675LT Details

McLaren’s 675LT will debut at this year’s Geneva show and promises some eye-popping performance. The coupe only 675LT has a 3.8 liter V8 that will get you from 0-60mph in less than 2.9 seconds and to 124mph in less than 7.9 secondsMore than a third of the parts have been changed compared with its stable mate […]

McLaren 675LT Wallpaper

Some cool McLaren 675LT Wallpaper. The McLaren 675LT is the latest coupe to come from the supercar maker and has a top speed of 205mph.Click on an image to open a page with multiple sizes that you can download to use as wallpaper for your mobile or desktop.More McLaren Wallpaper.

Octopus hunts on land, grabs crab (Video)

This crab is minding its own business searching the rock pools for food when suddenly an octopus leaps out of the water and grabs it. The amazing thing is that the octopus does not just jump on the crab it actually pulls it all the way back to the rock pool it came from. If you check the second video you will see it is not unknown for octopus to come out of the water and the one in the second video has a crab with it, though is not hunting one! Octopus Walks on Land at Fitzgerald Marine Reserve The video was taken by Porsche Indrisie in Yallingup, Western […]

Stunning Mars Rover Selfie

This image by the Curiosity Mars rover is not exactly your typical selfie. It is made up of a bunch of images taken by the rover during January 2015 by the Mars Hand Lens Imager. This (MAHLI) camera is at the end of the robot’s arm. For a sense of scale the rover’s wheels are about 20 inches diameter and 16 inches wide. Check the annotated image below for more information on the surroundings. Also if you really want to see some detail click this very large image, 36mb, at NASA.  

How the Sahara Helps Feed the Amazon (Video)

Sahara to Amazon
This cool video from NASA shows how dust is transferred across the Atlantic to the Amazon rainforest and helps nourish the plants growing there. For the first time scientists have measured the amount of dust and the amount of phosphorus in the dust. The later acts like a fertiliser and helps replenish the phosphorus the rainforest loses each year, around 22,000 tons. Amazing how something we perceive as being desolate like a desert actually has an important role in sustaining somewhere we see as teeming with life. Image and video from NASA’s Goddard Space Flight Center.

Bouncing Laser Guided Bomb (Video)

This amazing video shows a laser guided bomb bouncing back up after hitting its target. We actually think this is a non-explosive bomb designed to test guidance systems but it is still pretty remarkable and somewhat scary.

South Koreans Swallowed by Sinkhole (Video)

Thankfully the couple survived their adventure.
This amazing footage taken from the CCTV on a passing bus shows the moment two pedestrians in South Korea fall down a sinkhole in the street! Rescue workers managed to save the pair, who were treated in a nearby hospital for minor injuries. According to reports the city authorities and the Korean Geotechnical Society are looking into the cause.