More Phishing Examples - Tax Scams!

Geoff Yeagley
Mar 14, 2018 11:21:11 AM

Tax season is upon us once again. Just like every other tax year, this also marks the beginning of the annual tax season scams that bad actors use to try and steal your information or steal your money. One of the more common scams they run is they attempt to impersonate the IRS and scare you into thinking that you need to pay some type of penalty or you will go to jail. Another scam that gets attention this time of year is scammers filing tax returns on your behalf and claiming your refund. While you need to be aware of both of these scams, I am going to share with you a phishing email that I received last month that is pretty legit, but there are some tell tale signs you can use to sniff out the scam and recognize that this is no good at all.

Since the email is pretty long, I had to break it into 2 separate screenshots. The good news is that I have outlined the points to look out for with an explanation why. Onto screenshot #1:

W2 Docusign Snip # 1.png

I am going to go through point by point why this email is concerning and if you spend a minute to review, you can clearly say this is bogus. I am going to jump around the email, starting with the subject line and working my way down:

  1. Subject Line – “Enclosed W2 Scanned Document” This is actually fairly convincing, but, my company doesn’t use DocuSign to send documents so for me, this was red flag # 1. Compass could have easily transitioned to a new system to send W-2’s out, but that would usually be communicated to employees before sending the actual document
  2. To Line – This is where the email starts to go south. Why would someone send the same DocuSign document with my W-2 to more people than just me? The simple answer is that they wouldn’t
  3. From Line – This gets even stranger to me. The “From” says “Document Share Notification” but the email address is a person’s name, not from Compass. This is done intentionally to trick you into thinking it is an important document that is being shared in hopes that you will not notice the discrepancy
  4. Logo and Background – This actually somewhat legit too. The logo appears to be close and since I have used DocuSign in the past, the “Review Documents” section looks familiar. In comparing this bogus email with another one I received from a trusted partner, the only difference is the font color of “Review Documents.” Had I skipped the other 3 points, I might be inclined to open this or click on the link. But, using the good ole “link hover” tool (where you hover your cursor over the “Review Documents” to see the URL), you find that hyperlink does not go to DocuSign. Instead, it is a shortened link using This should be a huge red flag
  5. Signature – This is where it 100% falls apart. It is sort of signed that it came from Intellispring Corporate with an email address of If you recall, in point #3 above, the email came from a Two different companies are also a glaring red flag. The last piece of confusion is that the signature is from Sharon Martin. I have no idea if Sharon Martin works for Intellispring but the fact that it was sent by Jonathan and signed by Sharon is odd at best and screams that it is a scam

    W2 Docusign Snip # 2.png
  6. Alternate Signing Method – This is actually not a bad job as if you receive a DocuSign email, for security purposes they give you an alternate signing method where you can go to the DocuSign website, enter this number, and your document will pop up to review and sign. This security feature is put in place to prevent this exact type of email that I am picking apart. I find it interesting that they used the security feature to try and convince you it is a legit email. I compared this bogus email with a legitimate DocuSign email that I received from a partner we work with and it looks pretty similar
  7. About DocuSign Footer – Everything in this part of the email is legit. In fact, if you hover over the other links that are included, they all point to DocuSign, including the link to download the DocuSign app

In summary, there are some pretty significant tell-tale signs that this is a bogus email. However, if you were to scan this quickly and not pay close attention, you could have mistaken this for being a legit email and clicked on the link. The key is to take the extra 30 seconds to properly review these types of email, especially if they are using click-bait subject lines. That 30 seconds could make the difference between carrying on with business as usual or becoming a victim of a phishing attack. Compass IT Compliance conducts simulated phishing emails to help train your staff to recognize these threats.

But what happens if you become a victim of a ransomware or malware attack? Well, that is where having a good Incident Response Plan in place becomes critical! Contact us today to learn more.

You May Also Like

These Stories on Phishing

Subscribe by Email

No Comments Yet

Let us know what you think