A new IRS tax scam promises a $5,000 refund courtesy of the world’s richest man – Elon Musk – tricking victims into handing over a slew of personal information, including driver’s licenses and bank account numbers.

According to new research by Cofense published Thursday, the IRS-spoofing emails use the tech mogul to lure victims into a full-fledged financial takeover – effectively giving hackers everything they need to drain bank accounts and carry out identity theft.

It’s just one of dozens of Internal Revenue Service-themed phishing campaigns recently launched by cybercriminals attempting to take advantage of those in need during the busy US tax season, but this one capitalizing on Elon Musk was too good to pass up.

How the IRS refund scam works

The Musk name-dropping email looks pretty benign at first glance.

Addressed to “Dear Taxpayer,” and titled “Update Regarding Your Refund,” the email, dated only three days ago, includes an IRS-branded image header and a sender name set to “Internal Revenue Service (IRS).”

Cofense says the threat actor also adds a “legitimate IRS phone number” to a department called the IRS Practitioner Priority Service at the bottom of the message, making it that much more convincing to the recipient.

“You've received a tax refund from the IRS, courtesy of Elon Musk. To claim it, use the secure link below. Be sure to complete this soon,” it says, appearing to come from the IRS Support Team.

If the reader clicks the "View Your Tax Refund” call-to-action button smack in the middle of the email, they are immediately redirected to the first of a seemingly endless stream of credential-harvesting sites, disguised as an application process to claim their refund.

Congratulations! You have been selected for $5,000 in funding from the IRS and Elon Musk

You've been selected to join the Elon Musk Dogecoin Initiative a unique opportunity to be part of something truly groundbreaking,” the page says, also notably missing a comma after Initiative.

Flanked on either side by images of Musk, the phishing site spouts off a variety of reasons why Musk is giving away the free refund, such as the war in the Middle East, gas prices, and cost-of-living increases. The site also continues to use IRS branding to make it appear legitimate, the research says.

The ridiculously long missive from the alleged Musk then goes into intricate detail about the refund process and actions required for the user to set up their complimentary banking and cryptocurrency accounts to obtain the "free" funds.

Apparently, "compensation for the position is competitive and based on experience," while the victim must not only be prepared to take on certain “key responsibilities” such as maintaining accurate banking account records and communicating with the internal team, but also be “reliable, trustworthy, and able to maintain strict confidentiality.“

Victims are pushed to hand over IDs and bank details

After another poorly written, lengthy, and convoluted explanation about how the “refund scheme” works (guaranteed to make your head spin), the victim is then sent to yet another page where the real scamming begins.

“Every $10,000 I provide… you purchase $9500 in bitcoin… take $500 for your commission…send back $9500 Bitcoin… weekly process… you get $500 back plus the $5000 benefit…” and so on.

The user is presented with an application form in which they are expected to give away loads of personal information, from basic contact information such as name, address, and phone number to a driver’s license number, employer, and even their banking institution.

After entering their information, users are sent to yet another page – this one a fake investment platform tied to the fictional “ElonMusk Dogecoin Initiative.”

At some point, victims are prompted to upload photo identification and provide bank routing and account numbers.

And if that’s not enough, the victim is eventually sent to a Bitcoin deposit page, complete with a QR code, that leads them directly to the scammer's BTC wallet address – which is now linked directly to the victim’s bank account.

Cofense says the threat actor funnels the stolen data via a bot on Telegram, pushing it directly into a threat-actor-controlled channel on the encrypted messaging platform.

Although Cofense has not observed any transactions in the attacker's crypto wallet as of Thursday, it says the threat actors would be capable of "much more sophisticated identity theft and social engineering attacks" beyond the initial data taken, with the added ability to "steal money directly from the victim’s bank account."

The Musk phishing lure aligns with this year’s IRS’s Dirty Dozen tax scams list, which warns that impersonation schemes – including phishing, smishing, and AI-powered robocalls – remain one of the most persistent threats during the tax season.

The federal agency has repeatedly warned it does not contact taxpayers via email, text message, or social media to request personal or financial information.

---

Unlock more exclusive Cybernews content on YouTube.