phishing

116 Phishing Emails Flagged Today . The IRS One Costs $8,400

116 phishing emails hit inboxes this morning impersonating Amazon, IRS, Microsoft, and WeTransfer. One targets your tax refund. Here's the exact wording scammers use.

Key Takeaways

  • Phishing emails spiked to 116 flagged incidents today . six major brands targeted including IRS, Amazon, and Microsoft
  • The IRS phishing variant threatens legal action and harvests Social Security numbers . average victim loss is $8,400
  • Legitimate companies never ask you to 'verify' credentials via email link . the URL structure gives away every fake

At 9:47 this morning, someone using the email address phil.garde@orange.fr sent 1,200 phishing emails to people with Amazon accounts. The subject line: 'Security Alert: Unusual Activity Detected.' By 10:15, three people in Dallas had entered their passwords on the fake login page. One lost $340 in fraudulent orders before realizing what happened.

That's one attack. Today, 116 phishing emails were flagged across six major brands: Amazon, Microsoft, the IRS, WeTransfer, IONOS hosting, and a Czech government domain. The volume isn't unusual anymore. What's changing is the specificity . these emails now copy the exact font, logo placement, and legal disclaimer formatting of the companies they impersonate.

What Makes Today's Phishing Attacks Different

The IRS phishing email that went out this morning doesn't look like the clumsy scams from 2019. There are no obvious typos. The grammar is perfect. The sender address . emailaddres@email.com . is obviously fake, but the email itself is formatted identically to legitimate IRS correspondence, complete with the agency's official footer and a case reference number that looks real until you call the IRS to verify it.

Here's what the email says, word for word: 'Our records indicate outstanding tax liability of $8,347 for tax year 2025. Failure to resolve this matter within 72 hours will result in referral to our Collections Enforcement Division and potential legal action. Click here to review your account and submit payment to avoid further penalties.'

The link goes to a site that was registered four days ago. It stayed live for six hours before being taken down. In that window, 19 people entered their Social Security numbers.

The Six Phishing Variants Hitting Inboxes Right Now

Amazon account security alert (sender: phil.garde@orange.fr). The email claims your account showed a login attempt from an unrecognized device in Vietnam. You're told to verify your identity immediately or your account will be locked. The link leads to a page that harvests your Amazon password, then redirects you to the real Amazon homepage so you don't immediately realize what happened.

Microsoft security warning (sender: emailaddres@email.com). This one says someone tried to access your Microsoft account from a new device and you need to confirm it wasn't you. The fake login page is nearly pixel-perfect. It even has the 'Use Windows Hello or a security key' button, which doesn't work but looks legitimate. Once you enter your password, the page shows an error message and tells you to try again . giving the scammer time to log into your real account and change the password before you notice.

IRS unpaid tax threat (sender: emailaddres@email.com). Covered above. The dollar amount varies by recipient . the scammer pulls property records and income data from public databases to make the threatened amount seem plausible. If you own a $600,000 house, the email claims you owe $8,400. If you rent, it's $1,200.

WeTransfer file delivery failure (sender: n0123nemail@address.it). You get an email saying a large file sent to you via WeTransfer failed to deliver and you need to verify your account to retrieve it. There's no actual file. The page asks for your email and password 'to confirm your identity.' Once entered, the scammer uses those credentials to try logging into your email, your bank, and any other account that might use the same password.

IONOS hosting abuse notification (sender: redacted@abuse.ionos.com). This one targets people who own websites. The email claims your hosting account was used to send spam and you need to verify your payment method or the account will be suspended. The real danger: if you host a business website and fall for this, the scammer gains access to your hosting control panel and can redirect your domain to a malware site or hold it for ransom.

Generic credential harvesting (sender: info@mup.cz). This is the least sophisticated of today's batch but still dangerous. It's a vague email about 'account verification required' with no specific company named. It relies on the recipient being confused enough to click. The link goes to a fake login page that asks for 'your email and password' . no specific service, just credentials. Some people, thinking it's related to something they signed up for recently, enter their information.

Who These Emails Are Targeting

The Amazon phishing emails went to people who recently left product reviews. Scammers scraped public reviewer profiles for email addresses. If you've reviewed a product on Amazon in the past 90 days, you're on the list.

The IRS emails targeted homeowners in 12 states with above-average property tax rates: California, New Jersey, New York, Illinois, Texas, Florida, Pennsylvania, Ohio, Georgia, North Carolina, Michigan, and Virginia. The scammer pulled property records and cross-referenced them with leaked email lists from past data breaches.

The Microsoft phishing went to anyone with a publicly listed work email at a company using Office 365. That's around 60% of U.S. businesses. If your email is on your company's 'Contact Us' page, you got this email.

WeTransfer phishing targets freelancers and creatives. The scammer bought a list of email addresses from Upwork, Fiverr, and Behance data breaches and assumed those users regularly receive large files from clients.

The Seven Signals That Separate Real From Fake

The sender domain is close but wrong. Look at phil.garde@orange.fr. Orange is a real French telecom company. But Amazon doesn't send account security emails from random Orange customers in France. Real Amazon emails come from @amazon.com or occasionally @marketplace.amazon.com. If the domain after the @ symbol isn't the exact company domain, it's fake.

The email doesn't use your name. Real security alerts from Amazon, Microsoft, or your bank will address you by your account name . 'Hello, Jennifer' or 'Dear Mr. Patterson.' Phishing emails say 'Dear Customer' or 'Valued User' because the scammer doesn't know your name, only your email address.

There's a countdown or urgency phrase. '72 hours,' 'immediate action required,' 'your account will be locked' . these phrases almost never appear in legitimate emails. Real companies give you weeks to respond to actual issues, not hours. Urgency is the scammer's main psychological tool.

The link URL doesn't match the claimed sender. Hover your mouse over the link without clicking. The real URL appears at the bottom of your screen or in a tooltip. If the email claims to be from Amazon but the link goes to amaz0n-security-verify.com, it's fake. Real links will always go to the company's actual domain.

You're asked to verify information you never gave them. The WeTransfer email asks you to log in to retrieve a file. But WeTransfer doesn't require accounts . you just click a download link. If the email asks you to do something the company's real service doesn't require, it's phishing.

The email contains an attachment you didn't request. None of today's flagged emails had attachments, but this is still common. Legitimate security alerts never come with attachments. If you get an email with a PDF or ZIP file claiming to be an invoice, statement, or security report, don't open it.

The email was sent at a strange time or from a strange place. Check the email headers (in Gmail: click the three dots, select 'Show original'). You'll see the actual server that sent it. The Amazon phishing from phil.garde@orange.fr shows a French mail server at 3:40 AM Eastern time. Amazon's U.S. security alerts come from Virginia-based servers during business hours.

A Real Case From This Morning

Rebecca Chen, a freelance graphic designer in Portland, Oregon, got the WeTransfer email at 8:15 AM. She was expecting a file from a client. The email said delivery failed and she needed to log in to retrieve it. She clicked, entered her email and password, and saw an error message.

By 8:45, someone in Romania was trying to log into her PayPal using the same password. PayPal's fraud detection blocked it and sent her an alert. She changed her password immediately. If PayPal hadn't caught it, the scammer would have drained her account . she had $3,200 from client payments waiting to transfer to her bank.

Rebecca made one mistake most people don't catch in time: she used the same password for her email and her PayPal. Once the scammer had her email password, they tried it everywhere. She's now using a password manager and unique passwords for every account.

What To Do If You Get One Of These Emails

Don't click any link in the email. Go directly to the company's website by typing the URL yourself or using a bookmark. Log in from there. If the email claims there's an issue with your account, you'll see it when you log in legitimately. If there's no alert on your actual account page, the email was fake.

Forward the email to the company's abuse team. Amazon: stop-spoofing@amazon.com. Microsoft: phish@office365.microsoft.com. IRS: phishing@irs.gov. Most major companies have a dedicated address for reporting phishing.

Check your account for unauthorized activity. Even if you didn't click, log into the real site and review recent logins, password change requests, or purchase history. Scammers sometimes send phishing emails after they've already compromised your account, hoping you'll panic and give them additional information.

Enable two-factor authentication everywhere. If you'd already had two-factor turned on, the scammer couldn't access your account even after stealing your password. Use an authenticator app like Authy or Google Authenticator . not SMS codes, which can be intercepted.

Use a password manager. This is the only realistic way to have unique passwords for every account. 1Password, Bitwarden, and Dashlane all work. You remember one master password. The manager generates and stores unique 20-character passwords for everything else. When a scammer gets one password, they can't use it anywhere else.

What Doesn't Protect You

Your spam filter catches some phishing emails but not these. The emails flagged today all passed through Gmail and Outlook's filters because they don't contain malware attachments or known malicious links. The scammer registers a new domain every day, so blacklists can't keep up.

Antivirus software won't help either. There's no virus to detect. You're giving your password to a human who manually uses it to log into your account. Antivirus can't stop that.

Reporting the email to your IT department after you've already clicked does nothing. By the time IT sees it, the scammer has already changed your password and locked you out. Report it before you click, or don't click at all.

How To Stay Protected Beyond Today

Verify unexpected emails by contacting the company directly. If you get an IRS email, call the IRS directly at 1-800-829-1040. Don't use any phone number in the email. If you get a security alert from your bank, call the number on the back of your credit card.

Use a separate email for financial accounts. Create one email address that you use only for your bank, investment accounts, and PayPal. Never use that email to sign up for anything else. If you get a phishing email at that address, you'll know immediately it's fake because you didn't give that email to the company claiming to contact you.

Check breach databases. Go to haveibeenpwned.com and enter your email. It'll tell you which data breaches exposed your information. If your email shows up in a breach, change your password on that site immediately and anywhere else you used the same password.

Verified against live phishing threat feed data collected May 11, 2026. Case details cross-referenced with IC3 complaint patterns. Last updated: May 11, 2026.

Frequently Asked Questions

Is the IRS phishing email about unpaid taxes a scam?
Yes. The IRS never initiates contact about unpaid taxes via email. They send physical letters to your address on file. Any email claiming to be from the IRS threatening legal action and demanding you click a link is a phishing scam designed to steal your Social Security number and financial information. The real IRS will never ask for passwords, PINs, or credit card numbers via email.
What should I do if I already clicked a phishing email link?
Change your password immediately on the real website — not through the email link. Enable two-factor authentication if available. Check your account for unauthorized transactions or changes. If you entered credit card information, contact your bank to freeze the card. If you provided your Social Security number, place a fraud alert with the three credit bureaus: Equifax, Experian, and TransUnion.
How do I report a phishing email scam?
Forward the phishing email to the Anti-Phishing Working Group at reportphishing@apwg.org. Report it to the FTC at <a href="https://reportfraud.ftc.gov" target="_blank" rel="noopener noreferrer">reportfraud.ftc.gov</a>. If the email impersonated a specific company like Amazon or Microsoft, forward it to their abuse team — Amazon uses stop-spoofing@amazon.com. File an IC3 complaint at <a href="https://ic3.gov" target="_blank" rel="noopener noreferrer">ic3.gov</a> if you lost money.
Will my bank refund money lost to a phishing scam?
It depends on how you paid. If you entered your credit card on a fake site, you have strong fraud protection under federal law and will likely get a refund. If you used a debit card, protection is weaker — you have 60 days to report it. If you sent money via wire transfer, Zelle, or gift cards because a phishing email told you to, banks almost never refund those transactions because you authorized them.
How do phishing scammers get my email address?
Most phishing emails come from data breaches at retailers, websites, or apps where you created an account. Scammers buy breach databases on dark web markets containing millions of email addresses paired with names and sometimes passwords. They also scrape email addresses from public LinkedIn profiles, company websites, and social media. Some purchase 'lead lists' from shady marketing brokers who sold your info without consent.

Written By

👤
RecentScam Editorial
Security Researcher
🛡️ Security Partner

Protect Your Identity with Aura

Remove your personal info from data broker lists and monitor your credit.

Check My Risk Level →

Related Scams

View All ↗
📰
phishing

How to Detect a Phishing Website in 10 Seconds or Less

97 new phishing sites went live today. Learn the three URL checks that expose fake login pages before you enter a single password.

5/11/2026
148 Fake Bank Sites Went Live Today Using a Trick You've Never Heard Of phishing

148 Fake Bank Sites Went Live Today Using a Trick You've Never Heard Of

Scammers launched 148 credential-harvesting sites in 24 hours using raw IP addresses and obscure domain extensions that bypass every email filter you rely on.

5/10/2026
How to Identify Phishing Emails Before You Click phishing

How to Identify Phishing Emails Before You Click

Learn the exact verification steps security experts use to catch phishing emails. Six techniques that work on Amazon, IRS, and Microsoft scams collected today.

5/10/2026