April 15 marks the Internal Revenue Service’s (IRS) tax filing deadline for 2019. While many taxpayers are rushing to file their returns, cybercriminals are also preparing to cash in on the tax season. Fraudsters and cybercriminals use the tax season as a social engineering lure to deceive people into unwittingly handing out credentials, money, and personally identifiable information (PII).
Many cybercriminals also use the tax season to deliver threats like ransomware, spyware, and banking trojans. Others use fake IRS phone calls and online services to trick taxpayers into sending money to fraudster-owned accounts. In fact, fake IRS calls reportedly cost 12,000 victims US$63 million in losses in 2018.
Here’s what you need to know about tax scams and what you should look out for to avoid them.
IRS tax scams typically begin with a spam email posing as the IRS. These spam emails can redirect unsuspecting users to phishing- and malware-ridden sites. They can also come with malicious attachments such as spyware, backdoor or banking malware, and remote access trojans impersonating legitimate files. These threats are designed to steal the unwitting user’s PII, which an attacker can then use to access the victim’s accounts or sell in underground marketplaces.
These threats became so prevalent that, in 2004, the IRS came up with a list: the Dirty Dozen. Compiled annually, the Dirty Dozen list details the most common scams to help protect taxpayers. Here are the IRS’ Dirty Dozen for 2019:
Many of the socially engineered, tax-related spam emails we saw affected victims most in countries such as the U.S., Australia, New Zealand, and the U.K. Here are some samples of tax fraud emails:
This socially engineered spam email pretends to be a refund notification from the Australian Tax Office (ATO), saying that the recipient is eligible for a hefty refund. It instructs the user to open the attached archive and extract the files on their system to get the refund.
This phishing email, pretending to be from the IRS, urges the recipient to open the HTML file attachment. Upon opening the file, it displays a fake Adobe Reader log-in prompt and tricks the user into entering their credentials in order to download the supposed tax clearance certificate.
This phishing email sample uses “Tax Exemption Notification” as the email subject. To appear legitimate, the email body contains an image banner of the IRS. The message tells the recipient that they are exempt from reporting and are eligible for other financial benefits. The sender pretends to assist the recipient, but in reality the cybercriminal behind this scam is phishing for information, urging the user to give out sensitive data by completing the fake W-8BEN form in the attached PDF file.
This tax-related scam appears to come from HM Revenue and Customs, a British government institution. It tricks users into opening the message by using the subject “tax refund.” This email invites users to download the attached form, which then loads a phishing page that captures information.
Ransomware operators also take advantage of taxpayers in Australia and New Zealand by sending spam emails using “penalty tax” in their subject heading. The “More Information” button takes users to a landing page while file-encrypting malware is downloaded to the victim’s system. The IRS regularly issues scam alerts so taxpayers can avoid them.
This spam email pretends to be from the Inland Revenue Authority of Singapore (IRAS), notifying that the user’s tax return wasn’t properly filed. It prods the taxpayer to download and open an attachment disguised as a tax return report. The file has malicious macro code that delivers a trojan downloader.
Taxpayers and businesses should exercise caution. Never open links or attachments that come from unexpected or suspicious senders, especially when they claim to be from officials or agents of government organizations. Unsolicited email that claims to come from an IRS-related component such as the Electronic Federal Tax Payment System (EFTPS) should be reported immediately to the IRS via firstname.lastname@example.org.
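The lures above share a few observable traits: a tax-themed subject, a display name that claims a tax agency while the address comes from an unrelated domain, and an attachment of a type used to deliver phishing pages or malware (HTML file, archive, macro-enabled document). The following triage script is an added example, not Trend Micro code; the agency-to-domain mapping, the keyword list and the sample message are constructed for illustration and would be tuned for a real mail gateway.

```python
import email
from email import policy
from email.message import EmailMessage
from email.utils import parseaddr

# Subject keywords drawn from the lures described above.
TAX_LURES = ("tax refund", "tax exemption", "penalty tax", "tax return", "tax clearance")
# Attachment types the samples above use to deliver phishing pages or malware.
RISKY_EXT = (".html", ".htm", ".zip", ".rar", ".docm", ".xlsm", ".js", ".vbs")
# Agency names and the domains they legitimately send from (assumed mapping for this example).
AGENCY_DOMAINS = {"irs": "irs.gov", "hmrc": "gov.uk", "ato": "ato.gov.au", "iras": "iras.gov.sg"}


def triage(raw: str) -> list:
    """Return the reasons an email looks like a tax-themed phishing lure (empty if none)."""
    msg = email.message_from_string(raw, policy=policy.default)
    reasons = []
    subject = (msg["Subject"] or "").lower()
    if any(k in subject for k in TAX_LURES):
        reasons.append("tax lure in subject")
    # Display name claims an agency but the sending domain is not that agency's domain.
    name, addr = parseaddr(msg["From"] or "")
    domain = addr.rsplit("@", 1)[-1].lower()
    for agency, legit in AGENCY_DOMAINS.items():
        if agency in name.lower() and domain != legit and not domain.endswith("." + legit):
            reasons.append(f"claims {agency.upper()} but sender domain is {domain or 'missing'}")
    # Attachments of the kinds the samples above abuse.
    for part in msg.iter_attachments():
        fname = (part.get_filename() or "").lower()
        if fname.endswith(RISKY_EXT):
            reasons.append(f"risky attachment {fname}")
    return reasons


def constructed_sample() -> str:
    """Constructed message mimicking the 'Tax Exemption Notification' lure above."""
    m = EmailMessage()
    m["From"] = "IRS Refund Desk <refunds@irs-notice.example>"
    m["To"] = "taxpayer@example.net"
    m["Subject"] = "Tax Exemption Notification"
    m.set_content("You are exempt from reporting. Open the attached form.")
    m.add_attachment("<html>fake login form</html>", subtype="html", filename="Tax_Clearance.html")
    return m.as_string()


if __name__ == "__main__":
    for reason in triage(constructed_sample()):
        print("FLAG:", reason)
```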
It also helps to stay abreast of the latest security threats and use the latest security technologies such as Trend Micro™ Security, Smart Protection Suites, and Worry-Free™ Business Security, which can effectively block access to malicious sites and spam email as well as detect malware. Businesses can also take advantage of Trend Micro’s Phish Insight, which provides free interactive and educational resources to reinforce the workplace’s posture against phishing.
To help taxpayers avoid IRS scams, here are the things that the IRS will never do:
The Trend Micro™ Security, Smart Protection Suites, and Worry-Free™ Business Security solutions provide comprehensive multi-device protection against threats by identifying and blocking malware and malicious links on websites and in social networks, emails, and instant messages, and by shielding privacy and guarding against identity theft. These solutions are powered by Trend Micro XGen™ security, which provides a cross-generational blend of threat defense techniques against a full range of threats for data centers, cloud environments, networks, and endpoints.