

12:30 PM
Jay Kelley
News Analysis-Security Now

Nothing's Certain, Except Death, Taxes... & Phishing

Recent phishing attacks could mean that a tax bill is the least of your government revenue issues.

"But in this world, nothing can be said to be certain, except death and taxes." – Benjamin Franklin

Many businesses and their employees recently fell victim to a very successful spear-phishing attack that duped an unsuspecting employee into sending the company's W-2s to a supposed company executive, who had emailed the employee and asked for the W-2s to address a "financial emergency." Instead, the email was a spear-phishing attack, and all of the employees' W-2s went directly into the hands of the attacker or attackers, who now have the names, addresses, Social Security Numbers (SSNs), wages and tax information for all of the company's employees -- a treasure trove of information that could lead to false tax claims, identity theft and other financial catastrophes.

But the IRS began warning accountants and tax professionals in January that they, too, were under attack by hackers, and not with just one scam, but at least two.

In the first scam, an accountant or tax professional received an email from a prospective client -- really the attacker -- stating that they were looking to hire someone to prepare their personal or business taxes. The attacker might use the name of a friend or associate, who has also been hacked, as a reference in their email, to avoid suspicion and ease the mind of the accountant or tax professional.

The attacker would include a link to a website, or an Adobe Acrobat or other file attachment with an embedded link, claiming that the link led to their financial information. Once the accountant or tax pro clicked the link, the website would pilfer the accountant's or tax pro's email address, user name, password and likely much more.

The attackers then begin the cycle all over again by sending out another phishing email, this time to the clients of the accountant or tax professional they initially attacked. Using the stolen email account, the attacker asks the clients to click on a link in the email or open an attachment to re-enter their financial information or their user name and password for the hacked accountant's or tax pro's online software or website. When a client falls for this phishing attack, their information is pinched, and it's likely their tax return will end up being claimed by the attacker.

Another phishing attack forced the Internal Revenue Service to send out a further alert to accountants and tax professionals. In this attack, the attackers sent an email to an accountant or tax professional indicating that they had been locked out of their tax preparation software due to "security issues."

Under tight deadlines and tremendous pressure, this is the last thing the accountant or tax professional needed to see! The phishing email included a link that would supposedly unlock the software for the accountant or tax pro. Desperate to ensure that their tax preparation software was secure and accessible, the accountant or tax professional would click on the link provided with no questions asked or without any suspicion.

Unfortunately, the link led to a phishing website requesting the accountant's or tax professional's user name and password for the tax preparation software, so that the software could be unlocked. Upon entering their user name and password, the attacker would have all the information needed to break into the tax preparation software and steal the financial and tax information for all the accountant's or tax pro's clients!

Of course, tax phishing scams are not just limited to the United States. In Canada, for instance, attackers have been sending phishing emails posing as the Canada Revenue Agency (CRA), informing the recipient of the email that, due to a recalculation of their taxes from the prior year, they are either due a refund, or should be receiving more in their tax return. The link in the email leads to a bogus website in which the user is asked to re-enter their personal and financial data, including, in some cases, their user name, passwords and to even answer questions like their mother's maiden name. This data is then used by the attackers to access the user's tax refund, to access their finances and bank accounts, and to rob them.

In Australia, attackers pose as the Australian Tax Office (ATO), sending the unsuspecting recipient what they may believe is an email to access their next Online Activity Statement, or may dupe them into believing that they are due a refund or an additional amount in their tax refund, that they owe additional taxes, or to reconfirm or update their tax file number. If the user clicks on the link in the email and provides their personal and financial information, their accounts are pillaged and personal information is quickly posted for sale on the Dark Web.

The United Kingdom is not immune to these phishing attacks, either. The phishers send unsuspecting users a "tax refund notification" email, posing as Her Majesty's Revenue & Customs (HMRC), with a link to a false webpage so that they may enter their banking information, so that their phony "tax refund" may be deposited for them automatically. Only the poor user doesn't get a tax refund but, instead, loses their hard-earned money to the unscrupulous phishing attacker.

Having personally received a spear phishing email several years ago claiming to be from the IRS, signed by a supposed IRS agent, but with several misspellings and grammatical issues as well as an outdated IRS logo on the "official" email letterhead -- in addition to being "vished" by several calls and "smished" by a few SMS texts from the "Internal Revenue System" to my cellphone, all with a Washington, DC area code (202) and with a caller ID of "I.R.S.," all threatening me with arrest if my credit card number wasn't provided for payment of my supposed back taxes -- it becomes quickly clear that, if the person receiving the threatening emails, calls and texts is not in or familiar with cybersecurity, they can easily be fooled and feel threatened to immediately turn over their personal or financial information.

So, what can be done to halt these attacks on accountants and tax professionals, and, ultimately, you and your organization's tax and financial data?

In the US, the IRS, like other national tax agencies, tries to emphasize to taxpayers that it will not typically initiate contact via email or text message requesting personal or financial information. Taxpayers and tax professionals alike should never open an attachment or link from an unknown or suspicious source, and should be wary of email messages with misspellings and awkward grammatical structure. Still, there need to be other, stronger, fail-safe measures to ensure tax professional and taxpayer security.
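As an added illustration of the guidance above (example code, not part of the original article), the following Python triage check flags a message whose display name or subject invokes one of the agencies named here while the sender domain or embedded links fall outside that agency's public domain, and notes the lure phrases the scams above rely on. The agency-domain allow-list, the lure-phrase list and the sample message are assumptions constructed for this example.

```python
import re
from email import message_from_string
from email.utils import parseaddr
from urllib.parse import urlparse

# Agency names the lures impersonate, mapped to the agency's public domain
# suffix. Assumed allow-list for this example; extend it for your own region.
AGENCY_DOMAINS = {
    "irs": "irs.gov", "internal revenue": "irs.gov",
    "cra": "canada.ca", "canada revenue": "canada.ca",
    "ato": "ato.gov.au", "australian tax": "ato.gov.au",
    "hmrc": "gov.uk", "revenue & customs": "gov.uk",
}
# Lure phrases taken from the scams described in the article (constructed list).
LURE_PHRASES = ("tax refund", "refund notification", "locked out",
                "security issues", "w-2", "recalculation")

def _mentions(text, key):
    # Whole-word match so short keys such as "ato" do not hit ordinary words.
    return re.search(r"\b" + re.escape(key) + r"\b", text, re.I) is not None

def _host_ok(host, suffix):
    return host == suffix or host.endswith("." + suffix)

def triage_tax_phish(raw_email):
    """Return findings for a single-part RFC 822 message; empty list if clean."""
    msg = message_from_string(raw_email)
    display, addr = parseaddr(msg.get("From", ""))
    subject = msg.get("Subject", "")
    body = msg.get_payload()
    sender_domain = addr.rsplit("@", 1)[-1].lower()
    # Which agencies does the message claim to come from?
    claimed = {d for k, d in AGENCY_DOMAINS.items()
               if _mentions(display + " " + subject, k)}
    findings = []
    if claimed and not any(_host_ok(sender_domain, d) for d in claimed):
        findings.append(f"sender {addr} is outside the impersonated agency's domain")
    for url in re.findall(r"https?://[^\s\"'<>]+", body):
        host = (urlparse(url).hostname or "").lower()
        if claimed and not any(_host_ok(host, d) for d in claimed):
            findings.append(f"link to {host} is outside the agency's domain")
    lures = [p for p in LURE_PHRASES if p in (subject + " " + body).lower()]
    if lures:
        findings.append("lure phrases: " + ", ".join(lures))
    return findings

# Constructed sample modelled on the HMRC "tax refund notification" lure.
SAMPLE = """From: HMRC Refunds <refunds@hmrc-gateway-secure.example>
Subject: Tax refund notification
Content-Type: text/plain

Our recalculation shows you are due a tax refund. Confirm your banking
details at http://hmrc-refund.example/claim to receive it automatically.
"""

if __name__ == "__main__":
    for finding in triage_tax_phish(SAMPLE):
        print(finding)
```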

Existing email security software may catch some of these phishing attacks, but it's unlikely, based on the vendors' own capture statistics, that it will catch sophisticated phishing attacks. And it takes only one successful phishing attack to gain access to the tax, financial and even personal information of every client that an accountant or tax professional has, ruining their reputation and possibly destroying a business that took years to create.

The only way to ensure that all email-based phishing attacks are stopped before they can happen is with isolation.

Isolating all web access ensures that email-based phishing attacks that require users to click on a link to initiate the attack won't be successful. That's because, once the user clicks on the link in the phishing email or attachment, their web access is isolated: the selected web page is executed in the isolation platform, the web page is proxied, and only a safe, clean, malware-free rendering of the page is returned to and displayed for the user. Some isolation platforms can even eliminate credential theft by rendering websites in read-only mode, preventing users from entering their name, password or any other sensitive information into a web form.

So, if you have deployed isolation for the accountant or tax professional you support, then you can be assured that phishing attacks targeting their sensitive financial data and their customers' tax information will be stopped cold, maintaining their customers' financial security and the reputation and integrity of their business. But, if you haven't, you might want to do at least an informal security audit before you have them file your taxes.

Jay Kelley is Senior Product Marketing Manager for Menlo Security. Jay also co-authored the book Network Access Control for Dummies published by John Wiley & Sons in 2009.
