Tax Season: Phishing Emails, Ransomware, and Trojans. Oh My!

Tax season is always a prime time for phishing attacks. People are easily influenced by IRS branding and counterfeit web pages. Just a few weeks ago we wrote about a spear phishing attack where hackers obtained W-2s from a range of business sectors through a business email compromise scam.

In the short period of time since then, new tax scams have cropped up. These scams rely more heavily on social engineering, personalizing the emails to convince victims that they are legitimate. Hackers are preying on our innate willingness to comply with authority and on our fear of the consequences of paying taxes late or failing to comply with the law. The scams and software come in a range of forms, from phishing emails that steal confidential information to ransomware and banking Trojans.

Phishing Emails

Huge Refund

One of the scams comes in the form of a spear phishing email supposedly from the IRS Commissioner. The email includes the victim’s personal information, such as name, address, and personal phone number, making it seem legitimate. The email claims that the victim is entitled to a $7.5 million refund in the form of an ATM card, as long as they “update” some personal information. This scam has some obvious red flags:

  • The average taxpayer would never be entitled to a refund of that magnitude
  • The offer is too good to be true
  • The IRS doesn’t send tax refund information via email
  • The IRS would already have all of the personal information necessary to issue a refund from your taxes
  • The sender address is “”, a German-based, free, advertising-supported email service

Information “Processing”

Another email-based phishing scam tells victims that it is time for their information to be “processed” – instead, it is being stolen. The email takes victims to a fake IRS-branded page where they are asked to fill in all of their personal information, starting with their social security number. This phishing scam is able to bypass standard intrusion detection systems (IDS) by using JavaScript AES encryption: the page content is stored as an encrypted blob and only decrypted in the victim’s browser, so signature-based inspection of the traffic or file never sees the IRS-branded form.

By using JavaScript AES encrypted web pages, hackers are able to bypass most intrusion detection systems.
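As an added illustration (not code from the original post), the following heuristic shows how a mail gateway or sandbox can flag an HTML attachment that uses the client-side decryption trick described above: it looks for the combination of an AES decrypt call, a large opaque base64 blob, and DOM injection, with no static form in the markup. Indicator names, regexes, thresholds, and both sample pages are constructed assumptions for this example.

```python
import re

# Heuristic indicators of an HTML page or attachment whose real content only
# appears after a script decrypts an embedded blob in the browser. Indicator
# names, regexes and thresholds are this example's own assumptions.
AES_DECRYPT_CALL = re.compile(r"\bAES\.decrypt\s*\(", re.I)
LARGE_BASE64_BLOB = re.compile(r"['\"]([A-Za-z0-9+/]{200,}={0,2})['\"]")
DOM_INJECTION = re.compile(r"document\.write\s*\(|\.innerHTML\s*=|insertAdjacentHTML\s*\(", re.I)
STATIC_FORM = re.compile(r"<(form|input)\b", re.I)


def score_html(html: str) -> dict:
    """Return the indicators found in one HTML document plus a verdict."""
    found = {
        "aes_decrypt_call": bool(AES_DECRYPT_CALL.search(html)),
        "large_base64_blob": bool(LARGE_BASE64_BLOB.search(html)),
        "dom_injection": bool(DOM_INJECTION.search(html)),
        # No <form>/<input> in the static markup: any form the victim will
        # see is built at runtime, so static inspection never sees its fields.
        "no_static_form": STATIC_FORM.search(html) is None,
    }
    # Require the full chain (decrypt call + opaque blob + DOM injection) so a
    # page that merely bundles a crypto library is not flagged on its own.
    found["suspicious"] = (found["aes_decrypt_call"]
                           and found["large_base64_blob"]
                           and found["dom_injection"])
    return found


# Constructed samples: the "ciphertext" is filler, not a real encrypted page.
SUSPICIOUS_PAGE = """<html><head>
<script src="crypto-js.min.js"></script>
<script>
var blob = "{blob}";
var page = CryptoJS.AES.decrypt(blob, "refund").toString(CryptoJS.enc.Utf8);
document.write(page);
</script></head><body></body></html>""".format(blob="QUJD" * 60)

BENIGN_PAGE = """<html><body>
<form action="/login" method="post">
<input name="user"><input name="pass" type="password">
</form></body></html>"""

if __name__ == "__main__":
    for name, page in (("suspicious", SUSPICIOUS_PAGE), ("benign", BENIGN_PAGE)):
        print(name, score_html(page))
```

Any one indicator alone is common on legitimate pages; it is the full chain, plus the absence of a static form, that distinguishes a decrypt-on-load phishing page from a normal site that happens to bundle a crypto library.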

Phishing Form

Similar to the information “processing” scam, this attack uses an email to lure victims to a counterfeit IRS-branded page. The email contains an attachment that opens a web form whose filename ends in “IRS-govCopyright.html”. The form asks for the victim’s:

  • Social security number
  • Full name
  • Email address
  • Primary phone
  • Birthday
  • Employer identification number
  • Employer name
  • Full employer address

With all of this information, hackers can easily file fraudulent tax returns, steal the victim’s identity, or sell the information for big bucks on the dark web.

Ransomware
Loyalty Tax Refund

Sage Ransomware, a CryLocker variant, is delivered through a document that claims to contain the application for a new loyalty tax refund program. Although the email cites “act 2837 12a” as the new law backing this program, a basic Google search turns up no results for this so-called law. This phishing email preys on people’s urge to get something for free. Some reports even state that hackers using this type of malware are asking for up to $2,000 in bitcoin to decrypt and release files.

Hackers are asking up to $2,000 in bitcoin payment to decrypt files.

Missed Payment Deadline

In another case of malware infiltration, an email informs victims that they have missed a payment deadline and asks them to download their invoice. In reality, the invoice is a zipped JavaScript file that launches Sage Ransomware. This email attack relies on taxpayers’ desire to comply with the law and gives them a sense of urgency, ensuring that victims quickly comply and unknowingly deploy the malicious software.

Violation of IRS Policies

The last ransomware scam provides opportunities for wannabe cybercriminals by utilizing a new business model for thieves: ransomware-as-a-service. A phishing email informs victims that their tax profile violates IRS policies and that they must review and fill out the attached form. To ensure that the victim clicks on the malicious attachment, hackers tell them that they are subject to penalties if they don’t respond. Once the attachment is clicked, Philadelphia ransomware automatically launches, encrypting all files until a ransom is paid.

Banking Trojans

IRS Privacy Policy

One of the most popular scams is a phishing email that uses IRS branding to convince users to open and download malicious software. The email claims that the IRS has updated its privacy policy and that they are sending the updated version to all taxpayers. It also includes a bogus claim that one of the documents has “mandatory encryption” so victims must enable macros to view the document. Enabling macros allows the malicious Dridex BotNet 1105 banking Trojan to automatically download and infiltrate the computer, making it easy for hackers to steal banking information.

Remote Access

One of the most dangerous scams uses a tax-related lure email to get victims to open Excel spreadsheets filled with macros. These macros deliver LuminosityLink, a remote access Trojan (RAT). This software allows hackers to access computers remotely to:

  • Upload keylogging software
  • Inject code into running processes on the PC
  • Steal confidential information (including banking passwords and personal information)
  • Format drives
  • Delete/alter files
  • Distribute other viruses and malware

Even Experts Fall for Scams

An article from Krebs on Security shows that even security experts fall for scams. An individual at Defense Point Security, which provides cyber security services for the federal government, was the victim of a business email compromise spear phishing attack. This attack resulted in the team member directly handing over confidential employee information, in the form of W-2s, to hackers.

Although the cyber security agency did not comment, it is estimated that information from about 200-300 employees was exposed. It is surprising that an employee at such a high-profile security agency would fall for an attack, but it is possible that they did not receive adequate training to look out for spear phishing scams.

What You Should Do

It is important to address these dangerous threats with your employees and train them to look out for scams so they can protect themselves and your organization. Although many of these scams target individuals, malware and other malicious software can spread through corporate networks, infecting devices and causing extreme damage.

If anyone in your organization receives a tax-related phishing email, the IRS asks that you forward it to

Get Advanced Email Protection

The best way to prevent these attacks is to get advanced email protection from Vade. With our email security suite, you don’t have to worry about employees making judgment calls about phishing – these dangerous emails will never end up in their inbox.

We analyze multiple behavioral and technical factors within emails and the code embedded in every attachment to ensure that no malicious software is present. Backed by artificial intelligence, our security solution can protect your organization from spear phishing, ransomware, zero-day attacks, and more.

None of the scams we list on this page has made it past Vade’s email security system, and Vade has had a 100% success rate in stopping every CryptoLocker and Locky variant in the wild, sometimes even before they have been detected by security researchers.

Ready to defend your organization from cyber-attacks with advanced email protection? Contact us today.