
Scammers exploit chaos of tax season to take advantage of consumers, deploy trojans

The Internal Revenue Service headquarters building appeared to be mostly empty April 27, 2020, in the Federal Triangle section of Washington. (Photo by Chip Somodevilla/Getty Images)

It’s often said that the only two things in life that are sure are death and taxes. With that in mind, cybercriminals have been upping their game in scamming U.S. taxpayers these past few months.

Given the on-again, off-again nature of COVID concerns and new tax laws coming into play, fraudsters have been relying on heightened chaos and confusion to fuel their ongoing schemes. Case in point: Earlier this month, analysts at the Cofense Phishing Defense Center (PDC) posted a blog describing a new remote access trojan (RAT) in the wild whose operators have been spoofing the IRS to get unsuspecting taxpayers to grant them remote access to their systems.

The malware does not steal user credentials off the bat; instead, the lure coaxes individuals into downloading the powerful trojan into their networks.

And that is only one convincing scam among many.

Rob Rendell, vice president of payment solutions at Feedzai, a risk operation developer, pointed out that tax scams are definitely nothing new.

“Every year around this time we see an increase in scammers trying to steal business and consumer information because people are under a deadline to send valuable personal information,” he said. 

One favored stand-by for cyber-scammers is the W-2 phishing scam, Rendell noted. It’s a form of business email compromise (BEC) in which fraudsters “pretend to be a company insider — either someone in human resources, or even the CEO — and request W-2 tax forms belonging to other employees. Once the forms are delivered, fraudsters have access to a wide range of personal information, including names, addresses, Social Security numbers, income and more.

“Once they have that information, they can more easily pull off an account takeover,” Rendell added, “which according to our most recent report, is the No. 1 type of fraud committed this year.”

Joseph Gallop, intelligence analysis manager for Cofense, said his analysts are seeing both credential-phishing campaigns and malware-delivery campaigns “taking advantage of the chaos of tax season. In most of these cases, they aren’t actually trying to defraud taxpayers or the government.”

“Rather, they are using tax-related themes as a lure,” Gallop continued, “to get curious or worried recipients to install malware or provide them with system credentials.”

And, as often is the case with such scams, many exploits are simply new and improved versions of campaigns that worked in previous tax seasons. Gallop said the common theme of sharing spoofed tax forms, particularly the common W-9, has cropped up a lot.

With this scam most recently discovered by Cofense, bad actors have claimed that they are conducting an IRS audit, based on a new U.S. law, and a fraudulent (but realistic-looking) email coaxes individuals or business owners to complete “Form 4721” — which is not a real IRS form at all.

Although some targets may recognize that the fraudulent sender email address is not one that the IRS would typically use, there is a Form 4720, which relates to excise taxes on charities; the numbers are close enough that this trick can confound even a savvy user. This approach might simply be a “typo, or it might also be part of [cybercriminals'] game…playing on the recipient’s curiosity, or their concern upon receiving a last-minute form they didn’t even know existed,” Gallop added.

Hence, Cofense warned companies to be “extra vigilant this tax season as threat actors have continued to change their tactics” so that they can make it into user inboxes, Gallop added.

Oftentimes, cybercriminals will even single out people in the finance industry, especially when they are the keepers of cryptocurrency or accounts, said James McQuiggan, security awareness advocate for KnowBe4, a cyber-awareness training company.

Cybercriminals like to use fake forms with the IRS logo to “scare people, and then scam or socially engineer them out of their money,” McQuiggan added. “People who lack awareness of the current scams or the ability to spot a scam are a perfect target.”
