The emails have links to IRS.gov-like websites. These pretend to be about the taxpayer's refund, electronic return or tax account and offer a "temporary password" or "one-time password" to "access" the files to submit the refund. Instead, it contains a malicious file
The perpetrators are utilizing dozens of compromised websites and web addresses that pose as IRS.gov. The contained files infect computers and those controlling the malware may gain control of a taxpayer's computer or download software that tracks every keystroke, eventually giving them passwords to sensitive accounts.