Tax season is always a prime time for phishing attacks. People are easily influenced by IRS branding and counterfeit web pages. Just a few weeks ago we wrote about a spear phishing attack where hackers obtained W-2s from a range of business sectors through a business email compromise scam.
In the short period of time since then, new tax scams have cropped up. These scams show an increase in the use of social engineering tactics to personalize emails to convince victims of their legitimacy. Hackers are preying on our innate willingness to comply with authority and appeal to our fears of the consequences associated with paying taxes late or not complying with the law. The scams and software come in a range of forms, from phishing emails that steal confidential information to ransomware and banking Trojans.
One of the scams comes in the form of a spear phishing email supposedly from the IRS Commissioner. The email includes the victim’s personal information like name, address, and personal phone, making the email seem legitimate. The email claims that the victim is entitled to a $7.5 million refund in the form of an ATM card, as long as they “update” some personal information. This scam has some obvious red flags:
- The average taxpayer would never be entitled to a refund of that magnitude
- The IRS doesn’t send tax refund information via email
- The IRS would already have all of the personal information necessary to issue a refund from your taxes
- The sender is “email@example.com”, a German-based free advertising-supported email service
Similar to the information “processing” scam, this attack uses an email to lure victims to a counterfeit IRS-branded page. The email contains an attachment that takes users to a webpage form with an “IRS-govCopyright.html” suffix. The form asks for the victim’s:
- Social security number
- Full name
- Email address
- Primary phone
- Employer identification number
- Employer name
- Full employer address<