The approach the scammer uses below is an effective one - provide so little detail that the user is compelled to click on the attachment just to figure out what the email is about and if it is legitimate. And once they click, it is too late. DO NOT CLICK ON ANY ATTACHMENTS in emails that appear to be from the IRS or other government agencies.
I recommend looking at the "message source" and finding the REPLY-TO address and see what that says. What does it say in this case? firstname.lastname@example.org. Not exactly the U.S. Treasury. I then usually look for another field, to see where the email may have been routed from. But in this case, that didn't help as the scammer was able to hijack using yahoo mail. Probably hacked into someone's account.
Okay, here is what it looks like. It's simple, but it does get people to click on the attachment and that is where the trouble begins for the user. So don't click on any links in these types of email.
Subject: YOUR COMPENSATION FUNDS TRANSFERRING TO YOUR REPRESENTATIVE (MRS. JOYCE SMITH), RECONFIRM TO PROCEED
From: U.S Treasury Office (email@example.com)
Sent: Sat 4/13/13 5:16 PM
Attachments: 1 attachment | Download all as zip (2.0 KB)
The details.txt (2.0 KB)
Parts of this message have been blocked for your safety.
View the file for your message details.