Email from "Income Tax Department" hides banking malware in its attachment
A spear-phishing email mimicking the Income Tax Dept carries a ZIP or PDF attachment with a banking trojan (Blackmoon) and remote-access tool. Opening it gives attackers your banking credentials and full device control.
Also known as: Blackmoon malware income tax India, fake ITR notice email malware, income tax compliance email scam, SyncFuture RAT income tax phishing
Already happened to you? Do this in the next few minutes
- 1 Call 1930 — the national cyber-crime helpline — right now. The sooner you report, the better the chance of freezing the money before it moves.
- 2 Call your bank to freeze the account and block the card immediately. Use the number printed on your card, never a number from the message or caller.
- 3 File a report at cybercrime.gov.in and keep every message, screenshot, and transaction ID.
- ! If you installed any "support", "server", "refund", or remote-access app at their request (AnyDesk, TeamViewer, Quick Support, etc.): disconnect the internet now, then run free SeraphSecure (https://www.seraphsecure.com) to detect and remove it.
What to do right now
- 1 Do not open any attachment in an email claiming to be from the Income Tax Department — genuine ITD notices never come as ZIP email attachments
- 2 Verify any ITD notice at the official portal: https://www.incometax.gov.in
- 3 If you opened the attachment, disconnect from the internet immediately, run a full antivirus scan, and change all banking passwords from a separate clean device
- 4 Call your bank's fraud helpline immediately to freeze your net banking and UPI access
- 5 If you installed any 'support' or 'server' or 'refund app' or remote-access app at the scammer's request (AnyDesk, TeamViewer, Quick Support, etc.), run free SeraphSecure (https://www.seraphsecure.com) to detect and remove it.
- 6 Report at https://cybercrime.gov.in or call 1930 (national cyber helpline).
Was remote-access software installed?
If a scammer asked you to install AnyDesk, TeamViewer, Quick Support, or any remote-access app, your device may still be compromised.
Run SeraphSecure to detect and remove it →
Red flags
- ⚠ Income Tax Department sends official notices via the ITD portal (incometaxindiaefiling.gov.in) — never by email with attachments
- ⚠ The email domain is a lookalike (e.g., incometax-notice.gov.in.*, itd-compliance.*) — not the official @incometax.gov.in
- ⚠ A Document Identification Number (DIN) in the email looks plausible but cannot be verified on the ITD portal
- ⚠ The ZIP attachment contains both a PDF and an executable — the executable is the malware
- ⚠ After opening the attachment your antivirus may flag 'SyncFuture' or 'Blackmoon' processes
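Two of the red flags above (a sender domain that is not @incometax.gov.in, and a ZIP holding an executable next to a PDF) can be checked without opening anything. The script below is an added example, not part of the original advisory; the extension list, the function names and the sample message are assumptions constructed for illustration.

```python
import io
import zipfile
from email import message_from_bytes, policy
from email.message import EmailMessage
from email.utils import parseaddr

OFFICIAL_DOMAIN = "incometax.gov.in"  # official sender domain named on this page
# Assumption: extensions treated as executable; adjust for your mail gateway.
EXEC_EXT = (".exe", ".scr", ".com", ".bat", ".cmd", ".js", ".vbs", ".lnk", ".msi")

def triage(raw: bytes) -> list:
    """Return the red flags found in one raw email message."""
    msg = message_from_bytes(raw, policy=policy.default)
    flags = []
    # From is spoofable: a match proves nothing, a mismatch exposes a lookalike.
    domain = parseaddr(str(msg.get("From", "")))[1].rpartition("@")[2].lower()
    if domain != OFFICIAL_DOMAIN:
        flags.append(f"sender domain {domain!r} is not {OFFICIAL_DOMAIN}")
    for part in msg.iter_attachments():
        name = part.get_filename() or ""
        if not name.lower().endswith(".zip"):
            continue
        flags.append(f"ZIP attachment {name!r}")
        try:  # read only the archive's file list; nothing is extracted or run
            members = zipfile.ZipFile(io.BytesIO(part.get_payload(decode=True))).namelist()
        except zipfile.BadZipFile:
            flags.append(f"{name!r} is not a readable ZIP")
            continue
        exes = [m for m in members if m.lower().endswith(EXEC_EXT)]
        if exes:
            decoy = any(m.lower().endswith(".pdf") for m in members)
            flags.append(f"{name!r} holds executable {exes}" + (" beside a PDF" if decoy else ""))
    return flags

def build_sample() -> bytes:
    """Constructed sample: placeholder bytes only, lookalike sender on a reserved TLD."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as z:
        z.writestr("ITR_Notice.pdf", b"placeholder, not a real PDF")
        z.writestr("ITR_Notice_Viewer.exe", b"placeholder, not a real program")
    m = EmailMessage()
    m["From"] = "ITD Compliance <notice@itd-compliance.example>"
    m["To"] = "taxpayer@example.com"
    m["Subject"] = "Compliance notice"
    m.set_content("See attached notice.")
    m.add_attachment(buf.getvalue(), maintype="application", subtype="zip", filename="notice.zip")
    return m.as_bytes()

if __name__ == "__main__":
    for flag in triage(build_sample()):
        print("RED FLAG:", flag)
```

To check a real message, save it as an .eml file and pass its bytes to `triage()`; an empty result only means these two checks found nothing, so still verify the notice on the official portal.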