Researchers on Wednesday reported on phishing emails tied to current events, especially the Russia-Ukraine conflict and the upcoming tax season deadline next month.

In a blog post, FortiGuard researchers detailed two recent tax season scams and pleas to send money to help Ukrainian refugees.

The first tax scam was a malicious email pretending to originate from the IRS that contains a maliciously crafted Microsoft Excel file to deliver Emotet malware. The second was a phishing scam that asks a recipient to send personally identifiable information (PII) via written correspondence to a fax number. The fund raising emails for the refugees typically try to get the victims to do a wire transfer or Venmo money.

Threat actors continue to target victims through exploitative and manipulative messaging, whether it's related to tax season, humanitarian aid in Ukraine, or the need for health supplies during the COVID-19 pandemic, said Chris Olson, co-founder and CEO of The Media Trust.

“Businesses and consumers should recognize that phishing threats don't just propagate by email: they are also delivered through web and mobile apps with the help of targeted content features,” Olson said. “As companies like Microsoft crack down on malicious Excel documents and PDFs, we expect that attackers will continue to concentrate their efforts on digital surfaces where they can refine their target parameters for the most vulnerable audience.”

Erich Kron, security awareness advocate at KnowBe4, added that few things concern U.S. citizens as much as running afoul of the IRS. The power of the IRS coupled with the complexity of tax codes and filing requirements are enough to stress out most Americans, Kron said, which makes it a prime candidate for use in phishing and social engineering scams.

“These scams are often used to steal personal information, infect computers with malware, or even to attempt to extort a fake payment from victims,” Kron said. “Because this time of year taxes are already in the front of our minds, cybercriminals will use the strong emotions related to getting an email from the IRS, as a way to make people forget to hover over links or to check reply-to addresses in emails. This tactic can become even more effective the closer we get to the tax filing deadline. Organizations benefit from educating employees about these types of scams, especially in the modern workforce where people often connect their computers to corporate networks through VPNs, possibly putting the employer at risk if the attackers have installed malware on the employees device."

Rick Holland, chief information security officer and vice president of strategy at Digital Shadows, said scammers try to use the sense of urgency around tax season to encourage people to act quickly on emotion, rather than to think carefully about what’s being requested and by whom. Often, Holland said scammers will send a copy of a real IRS form along with a note indicating they’ll lose money – either through fines or other means – if they don’t respond.

“The scammer will request personal info – typically in the form of a signed tax return or similar document – which the victim sends, thinking they’re speaking to a legitimate IRS representative,” Holland said. “Most of the technique is reliant on social engineering rather than technical exploits.”

Some common scams the Digital Shadows team sees during tax season include:

  • Ghost preparers: Pose as tax preparers and use illegal means to increase a refund.
  • Gift card scams: Pose as IRS and demand payment of supposedly owed taxes in gift cards.
  • Refund recalculation scams: Pose as IRS and asks victims to give away personal information to claim a larger refund.
  • Stimulus payment scams: Poses as IRS and asks victims to pay a small fee and give away personal information for fake stimulus payment.
  • Attack on organizations: Posing as auditors or executives to request tax documents from human resources and payroll professionals.