SCAM: Your Federal Tax Payment has been rejected (NCSAM)

Itís October, and that means this month is National Cyber Security Awareness Month. So in the spirit of Stop. Think. Connect., The Tech Herald offers an examination of the latest scam that is clogging inboxes the world over.

The email is a run of the mill Phishing scam. It starts by alerting you to the fact that your Electronic Federal Tax Payment System (EFTPS) payment has been rejected. In addition, the scam has been known to say there has been an error with payment, or that a payment needs to be made. Some of the subjects also warn you that this is the second notice.

Below is an image of the message.

On its face, it looks both important and legit. It appears to come from an official domain (.gov), and itís filled with details that are confusing enough to make you want to start clicking links for more information.

Thatís the goal. The people blasting this message around the globe want you to click their link. Once you arrive at the page, they plan to rob you of personal information by having you fill out a form. Messages like this can also be used to deliver Malware, which is pushed to your system the moment you visit the website.

As we mentioned, this is National Cyber Security Awareness Month. The National Cyber Security Alliance has launched an initiative called Stop. Think. Connect. in support of NCSAM, which we cover in detail here.

According to, the Stop. Think. Connect. program is about taking a moment to stop and think about the places we visit online, the information that we share, and the communities in which we participate before and while we are connected to the Internet.

Weíre going to look at this message again and break it down using the Stop. Think. Connect. model, point out some of the obvious and not-so-obvious red flags. If you have questions, please donít hesitate to leave a comment and ask us.

Letís start with the message itself again, only this time weíve highlighted some areas that instantly stood out to us when we first viewed it.

Before we dig into the numbered areas, if you are ever presented with a message similar to this, ask yourself a question. Have I used electronic payments recently to send money to the IRS or other government agency? Have I ever done this? If the answer is no, delete the message and forget it.

If the answer is yes, then skip the email and call the agency direct, by looking the phone number up in a phonebook. You can also enter the URL directly into your browser. In this case it is This is a legit domain, which has been abused for the sake of the scam.

Below are the red flags, marked in the order we spotted them. With each one, we will explain it and give our thoughts on the marker.

(1) This marker is the encoding of the message. It is used to display international characters when sending a message. For example, this message would be able to properly transmit and display messages from Central Europe.

The problem is that by default, most email clients would never use this encoding, unless it is mandated by the operating system. Western European (ISO) is a common default in the U.S., so when an encoding is displayed like this and the message is from an unknown source, use caution and be skeptical.

Also, the encoding is why you will sometimes see messages in a completely different language from you own. It is common to see Spam and Phishing messages written completely in Russian for example. If you canít read it, delete it.

(2) The From field and the subject of any message that looks to capture your attention with panic and fear should be instantly suspect.

In this case, the From address (the sender) says it is EFTPS Tax Payment, and on the surface uses a .gov email address. However, the headers to the email message show it came from a Gmail account. (Why would the government send you an important message like this from a GMail account?)

Most users do not know how to view email headers. However, even without viewing the headers, the From field and subject are enough to delete this message. Remember the initial questions? They are related to these fields, so if the answer is no, then delete this message. Otherwise, as we suggested, skip this message anyway and call the agency directly.

[Note: In Outlook, to view the full headers for a message, right click on it, and select Options. The headers are in the box on the bottom.]

(3) The To field, where the message was set, is also another red flag. Here you can see it is addressed to the contact address at mp3q. This is a junk collector, and is never used for legitimate communications. With this knowledge alone, we can safely ignore everything this message says.

However, what you cannot see in the image is the second address that the message was sent to. The second address is a legit address used for business communications, but it isnít used for tax payments. So again it is safe to ignore the message.

The point to this is to remember to look at where the suspect message is delivered and to think of the context for both the address used and the message itself. Itís useful to have an email address associated with friends and business, and one that is purely for junk collection.

After that, you can separate business emails into general communications, and payment related ones. Keep shy of creating business accounts with the words payment, or funds, or banking in them. Scammers target these words constantly.

(4) The message contains a link to correct the payment issue and offer more information. However, if you look, the address in the email and the actual link seen at the bottom are different.

You should never trust links that are embedded in an email. Considering the example here, you can clearly see that this message is a fraud, as the website isnít even close to a domain used by the government agency it pretends to represent.

(5) This section points out a clear grammatical error. The message uses ďIn other wayĒ. In broken English, it seems to us what the person or group behind the message mean to say is, ďAnother wayĒ.

We could be wrong about this message, but most scams are filled with grammatical errors. Perfect examples of such errors are the variants of this tax scam using the subject that reads, ďUrgent. Your Tax Payment ID 0103xxxx is failed.Ē (The xxxx is a random set of four digits)

When sending official communications, government agencies and legit businesses screen their messages for grammar. It is exceedingly rare to see a legit message with such blatant mistakes.


When dealing with random messages, there are several things to keep in mind, but the most important thing to remember is the message itself.

Does the message intimidate you, or offer context that snatches your attention and maybe even frighten you with harsh penalties if ignored?

If it does, then stop for a second and think about it. If the message does any of that, instantly treat it as suspicious, and check for the types of things we flagged in our image.

If in doubt, call the business or agency on the phone, ignoring any links or contact details in the email. Instead, look their listed number up in a phonebook and communicate with them that way.

Just remember, especially since this example is related to taxes, the IRS will never ask for information over email. If there are errors, the IRS will send certified mail, and call you directly. Moreover, they are completely willing to prove who they claim to be.

It can be hard to break habits, but the effort is worth it. When it comes to scams like this, the criminals are hoping that you will just click the link for more information and fail to notice the inconsistencies.

This is why, if anything, you never - ever - click links that are randomly sent via email. The same goes for attachments; they should be avoided, even if they are simple HTML files, or harmless looking Word or PDF documents.

In the end, if a message wants something from you, information, or an action such as following a link or opening a file, itís suspect. If it wants these things, and you have no idea who the sender is or why they contacted you, press the delete button and move on.

Like this article? Please share on Facebook and give The Tech Herald a Like too!