Fake IRS CAPTCHA Clipboard Malware Tax Scam
A phishing email mimicking an IRS notice routes victims to a fake identity-verification page that uses a fraudulent CAPTCHA to deliver malware via the clipboard, instructing victims to paste and run a hidden command in a system dialog.
Part of: Fake CAPTCHA Malware Scams
Last reviewed: 8 June 2026
Tax season brings a surge in IRS-branded phishing, and criminals have adapted the clipboard-paste malware technique to exploit it. A victim receives an email claiming their return has been flagged for review or that an important notice requires acknowledgement. The link leads to a page bearing the IRS eagle seal, a document preview blurred for security, and a CAPTCHA box telling the visitor to press Windows+R and Ctrl+V to verify their identity before the document unlocks.
The clipboard already contains a PowerShell command placed silently by the page. Executing it downloads malware that harvests tax-related files, saved passwords, and financial credentials from the device. The malware may also search specifically for PDF and spreadsheet files with names suggesting tax returns or W-2 forms.
The IRS never requires users to run system commands to access tax notices. All IRS communications are accessible through an authenticated session at irs.gov, and identity verification uses the IRS's official secure access process — not a clipboard instruction.
How this scam uses the IRS brand
The phishing email uses the IRS letterhead and references a specific tax year and a document type such as Notice CP2000 or Letter 4883C. A "View Notice" button leads to a page where a document appears heavily blurred, with a CAPTCHA overlay stating: "To display this secure tax document, please confirm you are not a robot — press Win+R, then Ctrl+V, then press Enter."
The executed command downloads a payload that specifically searches for financial documents, browser-stored passwords, and cryptocurrency wallet data. Unlike generic credential stealers, the IRS-targeted variant may look for files named W2, 1040, tax return, or similar in Downloads and Documents folders.
The malware then exfiltrates the collected data and may leave a remote-access backdoor for ongoing surveillance of the victim's device during the tax season.
Common red flags
- Any IRS notice page asking you to press Win+R and Ctrl+V to view a document — this is never a real IRS process
- Document is blurred pending a CAPTCHA step that requires running a system command
- Email link leads to a URL that is not irs.gov
- Notice type referenced in the email cannot be found in your IRS account at irs.gov
- Urgency framing: document expires or penalties increase if not accessed within a deadline
- The CAPTCHA instructs you to open Run, Terminal, or any system dialog
- Email header shows a sender domain other than irs.gov
How to protect yourself
- Never run keyboard commands instructed by a website CAPTCHA — close the page immediately
- Access IRS notices only by logging in at irs.gov — use the Get Transcript or Notices & Letters sections
- If you executed the command, disconnect from the internet immediately and run a full security scan
- Change passwords for banking, email, and any financial services from a different, uninfected device
- Report the phishing email to TIGTA and the IRS
- If tax documents were potentially exfiltrated, consider filing Form 14039 Identity Theft Affidavit with the IRS
How to report it
- Forward the phishing email to [email protected]
- Report to TIGTA at 800-366-4484 or tigta.gov
- Report to the FTC at reportfraud.ftc.gov
- Report to CISA at cisa.gov/report if malware was executed
- File at ic3.gov if financial loss occurred
Frequently asked questions
Does the IRS use CAPTCHA to protect tax notices?
The IRS uses secure access authentication for its online services, but it does not use clipboard-paste keyboard shortcuts as a CAPTCHA mechanism. Accessing tax notices at irs.gov requires only your login credentials and an identity verification step — never a command-line instruction.
Why does the malware specifically look for tax-related files?
Tax documents contain highly concentrated identity and financial data — SSNs, income figures, employer details, and bank account information for direct deposits. This makes them particularly valuable for identity theft and enables the attacker to file fraudulent tax returns or access financial accounts.
I ran the command but nothing visible happened. Does that mean nothing was installed?
Most malware payloads are designed to be silent and show no visible indication after execution. The absence of a visible change does not mean nothing was installed. Run a full security scan immediately and treat all stored credentials as potentially compromised.
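Commands entered through Win+R are recorded per user in the RunMRU registry key, which gives a quick way to check whether a pasted command was run. The PowerShell below is an added example, not part of the original page; the function names Test-RunEntry and Get-RunDialogHistory and the pattern list are illustrative assumptions, and the sample entries are constructed.

```powershell
# Added triage example (not from the original page): list what the current user
# typed or pasted into the Win+R Run dialog and flag downloader-style entries.
$runMruPath = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Explorer\RunMRU'

# Heuristic tokens are an assumption for illustration; tune them locally.
$suspicious = @('powershell', 'pwsh', 'mshta', 'cmd(\.exe)?\s+/c', 'curl',
                'certutil', 'bitsadmin', 'msiexec', 'https?://', '\biex\b',
                'invoke-') -join '|'

function Test-RunEntry {
    param([string]$Command)
    # -match is case-insensitive by default.
    return ($Command -match $suspicious)
}

function Get-RunDialogHistory {
    if (-not (Test-Path -Path $runMruPath)) { return }
    $key = Get-ItemProperty -Path $runMruPath
    # MRUList orders the value names (a, b, c ...) from most recent to oldest.
    foreach ($slot in ([string]$key.MRUList).ToCharArray()) {
        $raw = $key."$slot"
        if ($null -eq $raw) { continue }
        # Each stored entry carries a trailing "\1" marker; strip it.
        $command = $raw -replace '\\1$', ''
        [pscustomobject]@{
            Slot       = $slot
            Suspicious = Test-RunEntry -Command $command
            Command    = $command
        }
    }
}

# Constructed samples showing how the heuristic classifies entries.
$samples = @(
    'notepad',
    'powershell -NoProfile -Command "<constructed placeholder>"'
)
foreach ($s in $samples) {
    '{0,-6} {1}' -f (Test-RunEntry -Command $s), $s
}

# Live check for the logged-on user; an empty result is not proof of safety.
$hits = @(Get-RunDialogHistory | Where-Object { $_.Suspicious })
if ($hits.Count -gt 0) {
    $hits | Format-List Slot, Command
} else {
    'No suspicious Run dialog entries found for this user.'
}
```

Run it as the affected user, since the key lives under that user's registry hive. A clean result does not rule out infection, because the history can be cleared after the command runs.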