Tax Season: Phishing Emails, Ransomware, and Trojans. Oh My!
April 20, 2017
Tax season is always a prime time for phishing attacks. People are easily influenced by IRS branding and counterfeit web pages. Just a few weeks ago we wrote about a spear phishing attack where hackers obtained W-2s from a range of business sectors through a business email compromise scam.
In the short period of time since then, new tax scams have cropped up. These scams show an increase in the use of social engineering tactics to personalize emails and convince victims of their legitimacy. Hackers are preying on our innate willingness to comply with authority and appealing to our fears of the consequences associated with paying taxes late or not complying with the law. The scams and software come in a range of forms, from phishing emails that steal confidential information to ransomware and banking Trojans.
One of the scams comes in the form of a spear phishing email supposedly from the IRS Commissioner. The email includes the victim’s personal information like name, address, and personal phone, making the email seem legitimate. The email claims that the victim is entitled to a $7.5 million refund in the form of an ATM card, as long as they “update” some personal information. This scam has some obvious red flags:
- The average taxpayer would never be entitled to a refund of that magnitude
- The IRS doesn’t send tax refund information via email
- The IRS would already have all of the personal information necessary to issue a refund from your taxes
- The sender address, “firstname.lastname@example.org”, is on a German-based free, advertising-supported email service
Similar to the information “processing” scam, this attack uses an email to lure victims to a counterfeit IRS-branded page. The email contains an attachment that takes users to a webpage form with an “IRS-govCopyright.html” suffix. The form asks for the victim’s:
- Social security number
- Full name
- Email address
- Primary phone
- Employer identification number
- Employer name
- Full employer address
With all of this information, hackers can easily file fraudulent tax returns, steal the victim’s identity, or sell the information for big bucks on the dark web.
Loyalty Tax Refund
Sage Ransomware, a CryLocker variant, is delivered through a document that claims to contain the application for a new loyalty tax refund program. Although the email cites “act 2837 12a” as the new law backing this program, a basic Google search comes up with no results for this so-called law. This phishing email preys on people’s urge to get something for free. Some reports even state that hackers using this type of malware are asking for up to $2,000 in bitcoin to decrypt and release files.
Missed Payment Deadline
Violation of IRS Policies
The last ransomware scam provides opportunities for wannabe cybercriminals by utilizing a new business model for thieves: ransomware-as-a-service. A phishing email informs victims that their tax profile violates IRS policies and that they must review and fill out the attached form. To ensure that the victim clicks on the malicious attachment, hackers tell them that they are subject to penalties if they don’t respond. Once the attachment is clicked, Philadelphia ransomware automatically launches, encrypting all files until a ransom is paid.
One of the most dangerous scams is one that uses a tax-related lure email to get victims to open Excel spreadsheets filled with macros. These macros deliver LuminosityLink software, a remote access Trojan (RAT). This software allows hackers to access computers remotely to:
- Upload keylogging software
- Inject code into running processes on the PC
- Steal confidential information (including banking passwords and personal information)
- Format drives
- Delete/alter files
- Distribute other viruses and malware
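Added example, not part of the original article and not Vade's detection logic: a small Python triage function that checks a raw message for the red flags described above (the IRS name on a non-IRS sender, an HTML form attachment asking for an SSN or EIN, a macro-capable Office attachment). The sample message, the flag names and the extension list are constructed assumptions, and extension matching is a heuristic rather than proof that a file contains macros.

```python
import email
import re
from email import policy
from email.utils import parseaddr

MACRO_EXT = (".xls", ".xlsm", ".xlsb", ".doc", ".docm")  # formats that can carry VBA macros
PII_FIELD = re.compile(r"<input[^>]*name=[\"']?(ssn|social|ein|employer)", re.I)
# Constructed sample message: every name, address and body below is made up.
SAMPLE_EML = """\
From: "IRS Commissioner" <refunds@freemail.example>
Subject: Your tax refund
Content-Type: multipart/mixed; boundary="b1"

--b1
Content-Type: text/plain

Update your information in the attached form to receive your refund.
--b1
Content-Type: text/html
Content-Disposition: attachment; filename="refund-IRS-govCopyright.html"

<form><input name="ssn"><input name="ein"><input name="employer_name"></form>
--b1
Content-Type: application/octet-stream
Content-Disposition: attachment; filename="tax-profile.xlsm"

constructed placeholder, not a real workbook
--b1--
"""

def triage(raw: str) -> list[str]:
    """Return the tax-scam red flags found in one raw RFC 5322 message."""
    msg = email.message_from_string(raw, policy=policy.default)
    flags = []
    display, addr = parseaddr(str(msg.get("From", "")))
    domain = addr.rpartition("@")[2].lower()
    claims_irs = re.search(r"\b(irs|internal revenue)\b", display, re.I)
    if claims_irs and domain != "irs.gov" and not domain.endswith(".irs.gov"):
        flags.append("irs-name-on-non-irs-sender")
    for part in msg.iter_attachments():
        name = (part.get_filename() or "").lower()
        if name.endswith((".html", ".htm")):
            flags.append("html-attachment")
            html = (part.get_payload(decode=True) or b"").decode("utf-8", "replace")
            if PII_FIELD.search(html):
                flags.append("html-form-requests-ssn-or-ein")
        elif name.endswith(MACRO_EXT):
            flags.append("macro-capable-office-attachment")
    return flags
```

Calling `triage(SAMPLE_EML)` returns all four flags; a plain message from an ordinary sender with no attachments returns an empty list.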
Even Experts Fall for Scams
An article from Krebs on Security proves that even security experts fall for scams. An individual at Defense Point Security, who provides cyber security services for the federal government, was the victim of a business email compromise spear phishing attack. This attack resulted in the team member directly handing over confidential employee information in the form of W-2s to hackers.
Although the cyber security agency failed to comment, it is estimated that information from about 200-300 employees was exposed. It is surprising that an employee at such a high profile security agency would fall for an attack, but it is possible that they did not receive adequate training to look out for spear phishing scams.
What You Should Do
It is important to address these dangerous threats with your employees and train them to look out for scams so they can protect themselves and your organization. Although many of these scams target individuals, malware and other malicious software can spread through corporate networks, infecting devices and causing extreme damage.
If anyone in your organization receives a tax-related phishing email, the IRS asks that you forward it to phishing@IRS.gov.
Get Advanced Email Protection
The best way to prevent these attacks is to get advanced email protection from Vade. With our email security suite, you don’t have to worry about employees making judgment calls about phishing – these dangerous emails will never end up in their inbox.
We analyze multiple behavioral and technical factors within emails and the code embedded in every attachment to ensure that no malicious software is present. Backed by artificial intelligence, our security solution can protect your organization from spear phishing, ransomware, zero-day attacks, and more.
None of the scams we list on this page has made it past the Vade email security system, and Vade has had a 100% success rate in stopping every CryptoLocker and Locky variant in the wild… sometimes even before they have been detected by security researchers.
Ready to defend your organization from cyber-attacks with advanced email protection? Contact us today.