Beware of These 5 Tax Scams
Fraudsters are out in full force as Tax Day approaches. Use this list to keep your company’s employees informed on what to watch out for this year.
![Image of a business executive tapping a digital button and featuring the words "IRS scam."](https://eu-images.contentstack.com/v3/assets/blt6d90778a997de1cd/bltc3801233eb818362/64f0a614a01b5a79f85175b9/Slide_1_CoverArt.jpeg?width=700&auto=webp&quality=80&disable=upscale)
Source: Artur via Adobe Stock
Tax Day may be on April 18, but cybercriminals and scammers have been at it for the past several months trying to dupe taxpayers.
The job falls to security teams to heighten awareness of potential threats to employees so they are aware of the latest scams that target W-9s, W-2s, and IRS form CP80, the refund form.
"Companies can prepare for these scams by warning their users of the increased risk but also ensuring that backups are up to date and tested, lateral movement options – especially for users who are still working from home – are limited, and internal patching and segmentation is up to date," says Casey Ellis, founder and CTO at Bugcrowd.
Most savvy companies likely already have been prepping for tax scams. But here's a rundown of the biggest threats this 2022 tax season.
This tax season hackers are targeting popular fintech apps and spoofing their tax notifications, according to a blog post by Avanan. Starting in February, Avanan researchers found hackers were spoofing trending fintech apps, such as Stash and Public, to steal credentials and, in the process, give victims a false sense of security that they’ve put together the correct tax documents.
Stash is a personal finance app, while Public is used for online investing. In both hacks, victims are sent an email that a new tax document is ready for them. When a victim clicks on the link, they are sent to a credential-harvesting site.
To guard against these attacks, Avanan recommends that security pros:
- Tell employees not to do their personal taxes on company assets or use their corporate email addresses.
- Encourage employees to check URLs before clicking on tax-related emails.
- Ask employees to log in directly to the financial institution when receiving tax notification emails.
- Teach them to contact IT when they are unsure an email is legitimate.
As early as March 14, Emotet returned to its old tax-season hunting grounds with a new twist: sending out phishing emails using W-9 tax form lures to deliver Emotet payloads, according to a blog post from Cofense Intelligence.
Joseph Gallop, intelligence analysis manager at Cofense, says Emotet uses the IRS logo, a specific mention of the organization employing individual recipients, and a password with which to extract the attached password-protected archives. When the Office macro spreadsheets enclosed in the archives are opened, they request to be enabled. Once they are, Emotet .dll files are then delivered to the victim’s computer.
"Even though they took Emotet down, we published a report that said that Emotet had the ability based on its relationships with other malware operators, particularly TrickBot, that they could use TrickBot to load Emotet and rebuild their botnet," says Gallop. "We saw them pick back up in November with testing things using old email addresses, conversations from old email inboxes. Then in February they took it up a notch and are back to pre-takedown volume, where they are sending out tens to hundreds of thousands of emails a day."
Attackers are merely using a common form that people would recognize and click on, says Sherrod DeGrippo, vice president of threat research and detection at Proofpoint.
"There's no real significance to the W-9 other than that the attackers know people would know that form and click on it," DeGrippo explains. "The goal is not to get the victim to fill out the form. It’s to load the malware and steal sensitive data."
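The W-9 lure described above (a password-protected archive holding macro spreadsheets, with the password supplied in the email) can be screened for at the mail gateway. The following is an added example, not code from Cofense, Proofpoint, or this article; the extension list, the reason strings, and the sample message are constructed assumptions.

```python
import email, io, re, zipfile
from email.message import EmailMessage
from email.policy import default

SPREADSHEET_EXT = (".xls", ".xlsm", ".xlsb")  # assumed watch list

def triage(raw: bytes) -> list[str]:
    """Return reasons to quarantine a message; an empty list means no match."""
    msg = email.message_from_bytes(raw, policy=default)
    body = msg.get_body(preferencelist=("plain",))
    text = body.get_content() if body else ""
    reasons = []
    for part in msg.iter_attachments():
        data = part.get_payload(decode=True) or b""
        if not zipfile.is_zipfile(io.BytesIO(data)):
            continue
        try:
            # With ordinary ZIP encryption, entry names and flags are
            # readable without the password, so no decryption is needed.
            with zipfile.ZipFile(io.BytesIO(data)) as zf:
                for info in zf.infolist():
                    encrypted = bool(info.flag_bits & 0x1)  # bit 0: entry encrypted
                    if encrypted and info.filename.lower().endswith(SPREADSHEET_EXT):
                        reasons.append(f"encrypted spreadsheet in archive: {info.filename}")
        except zipfile.BadZipFile:
            reasons.append("malformed archive attachment")
    # A password in the body only matters when an archive already matched.
    if reasons and re.search(r"\bpassword\b", text, re.I):
        reasons.append("body supplies an archive password")
    return reasons

def build_sample(encrypted: bool) -> bytes:
    """Constructed test message: a ZIP holding W-9.xls, optionally flagged encrypted."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("W-9.xls", b"constructed placeholder, not a real spreadsheet")
    blob = bytearray(buf.getvalue())
    if encrypted:
        cd = blob.find(b"PK\x01\x02")  # central directory file header
        blob[cd + 8] |= 0x01           # set general-purpose flag bit 0
    m = EmailMessage()
    m["Subject"], m["From"], m["To"] = "W-9 form", "sender@example.com", "user@example.com"
    m.set_content("Please see the attached form. Archive password: 1234")
    m.add_attachment(bytes(blob), maintype="application", subtype="zip",
                     filename="W-9 form.zip")
    return m.as_bytes()
```

A match is a reason to quarantine for analyst review rather than proof of Emotet, since legitimate senders also mail password-protected archives.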
Alongside targeted email campaigns, threat actors still go old-school and make phone calls claiming to be from the IRS or a collection agency. Scammers have become very crafty, using stolen data, such as actual Social Security numbers, to appear legitimate, experts say.
During tax season, the prime targets for tax refund scams are green card holders, small-business owners, new taxpayers under the age of 25, and taxpayers over 60, according to FortiGuard Labs. Threat actors assume these people are less informed about tax policies and what to expect and are therefore more vulnerable to falling for social engineering.
There are thousands of live malicious tax scams in SMS, email, and on Web applications, says Atif Mushtaq, founder and chief product officer at SlashNext. Most are focused on identity theft, credential-stealing, business email compromise (BEC), and account takeover, he says. These social engineering attacks ask people to upload their 1040 to verify their identification. Tax returns include personally identifiable information, including Social Security numbers, addresses, and sometimes bank account information.
Here's an example of a real BEC scam using a W-2 form lure:
Hi,
I'm entering tax information for the staff of our company, and I need employees' W-2s. Would you please send them to me ASAP? Thanks
And:
Please send our W-2 Tax Documents for all employees to Tom Heald at Strategic Tax Consultants. I have cc'd him here.
Education and awareness are a company's first line of defense against these attacks, according to a recent blog on tax season scams from Lookout. Security teams should consider any form of communication that creates a time-sensitive situation a red flag. Teach employees to approach these messages with extreme caution.
In a recent blog, Digital Shadows warned security teams about a tax season scam using a CP80 form allegedly sent by the IRS. As part of the scam, a letter recipient is told that they have credit in their tax account that they will lose if they don't respond.
Playing on a person's desire not to lose out on money allegedly owed to them, the scammers then tell the victim to send their signed tax return to the "address shown above" in the letter. Keep in mind that most unexpected correspondence purportedly from the IRS is most likely not legitimate.