Accountants are not the only people preparing for tax season
Accountants are not the only people preparing for tax season

Tax season is upon us and that means the bad guys will be getting very busy over the next few months. Tax season is historically a golden opportunity for malicious actors to scam victims out of their tax refunds as well as their very identities.

In the first two weeks of this new year we have already seen a number of potentially dangerous phishing emails leveraging tax and IRS related issues to social engineer marks into coughing up valuable data or access to exploitable email accounts. What follows is a survey of the more interesting ones shared with us by customers using the Phish Alert Button (PAB).

1. Fake IRS Forms

The first tax-themed phish we'll show you pushes a fake IRS form on unwitting users. In this phish the bad guys spoof the IRS commissioner, directing potential marks to fill out a bogus IRS form in order to claim "accrued tax refund benefits."



The attached PDF is a slick, multi-page form that requests a variety of sensitive personal data...

...including bank account information (allegedly needed to allow the IRS to transfer tax refund money to the victim).


Anyone filling out and returning that fraudulent form will be giving up everything the bad guys need to know to steal their identities, claim any actual tax refunds due them from the IRS, and drain their bank accounts.

The form name (W-8BEN-E) is, in fact, a real IRS form ("Certificate of Status of Beneficial Owner for United States Withholding and Reporting"). 


The real IRS form, however, does not request bank account information. The bad guys likely chose this particular form to spoof because most tax payers would likely not be familiar with it and therefore would be less likely to suspect something was amiss.

2. Targeted Tax Preparers

Taxpayers aren't the only ones be targeted by malicious actors this tax season. As we noted in a recent blog post malicious actors are currently going after tax preparers in order to exploit their accounts to gain access to clients' tax and financial data which can then be used to file fake tax returns and claim those clients' tax refunds.

We've seen two different variations of this particular attack. In the first the bad guys pose as potential clients and request assistance preparing their tax returns. The goal is to draw the tax preparer into an exchange which will allow the bad guys to social engineer the mark into opening a malicious attachment which is delivered in a follow-up email. 



Once the tax preparer opens the malware-laden attachment and effectively compromises his or her own PC, the bad guys then use the compromised PC to hit clients with spoofed emails purportedly from the tax preparer. Clients who fall for the ruse will see their tax refunds claimed by malicious actors using their own illegally purloined tax and financial data.

In the second variation of this attack, the bad guys send the tax preparer a PDF document...


...or link...



... pointing to a malicious web page that social engineers the mark into coughing up the credentials to an email account which, again, can be leveraged to gain access to clients and all the data needed to fraudulently claim tax refunds from the IRS.

3. CEO Fraud & W-2 Forms

One wildly successful phishing scheme used by the bad guys last year has returned: CEO Fraud phishing attacks in which malicious actors spoof the CEO or President of a company in order to request copies of all employees' W-2 forms from CFOs or similarly positioned employees.



This is a targeted attack, and the bad guys have proven to be adept at identifying the particular employees they need to phish within an organization to get access to the desired data.

Just two weeks into the new year we have already seen a sizable number of these particular phishes, again helpfully shared with us by customers using KnowBe4's Phish Alert Button (PAB). That should come as no surprise given that companies and non-profits across the nation are currently preparing W-2 forms for their employees and distributing them.

Last year saw a number of well-known companies fall victim to this type of attack, including Seagate

4. 1040EZ Forms

Finally, in a puzzling variation on the W-2 CEO Fraud phishing attack, we have seen a number of phishes in which, again, the bad guys spoof the CEO or President of a company but instead request targeted employees send them copies the 2016 1040EZ forms of all employees. 



There are several obvious problems with this request, not the least of which is the fact that 1040EZ forms are filed by individual taxpayers, not their employers, and not every taxpayer will even be using the 1040EZ form to file with the IRS.

We strongly suspect the perpretrators of this particular phish are from outside the United States and failed to perform due diligence in researching this attack.

Other Tax Scams

Bad actors have developed a wide-ranging menu of tax-related scams, and the IRS has a number of helpful resources online to warn taxpayers and educate them on how to recognize a tax scam when they encounter it, whether it be in the form of phishing emails, intimidating phone calls, or malicious web pages.

https://www.irs.gov/uac/tax-scams-consumer-alerts

Given that tax-themed phishes now target the tax data held by companies and organizations, it's not enough that your employees are generally "aware" that tax scams are out there and in use. No, they need new school security awareness training to ensure that they are properly prepared for the types of phishing attacks that could land in their inboxes over the next few months.