Threat actors are spoofing apps like Stash and Public to steal credentials around tax season.

With the US tax filing season underway, scammers use any tactic they can think of – from impersonating the Internal Revenue Service (IRS) to aggressive phone calls – to trick taxpayers into giving away personal data.

Avanan, a Check Point company, found that hackers are spoofing fintech apps such as Stash and Public to steal credentials and give users a false sense of security that they’ve compiled the proper tax documents.

Stash and Public apps

Stash, a personal finance app, is used by over six million people. It allows users to do both traditional banking and investing. Public focuses on investing in conventional stocks and crypto-assets.

Scammers spoof the apps by claiming that a tax document is ready. The email provides a link to review the document, and that link is designed to steal credentials.

Spoofing emails

Hackers have a wide pool of potential victims to steal credentials from. According to a report by fintech startup Plaid, 95% of millennials report using fintech apps, and baby boomers are the fastest-growing segment of fintech users, doubling year over year to 79% of that group using these services.

“Further, these sorts of scams may catch users off guard. They may not be expecting tax documents from these apps, inducing them to click. Since most of these services are mobile-first, users may receive this on their phone and may forget about typical cyber hygiene,” Avanan said.

Best advice – don’t trust anyone

“Bad actors have gotten so good at posing as the IRS or other government entities that it’s even harder to discern if an email is real or a potential phishing scam,” Curricula CEO Nick Santora told Cybernews.

To fill out your tax forms, go directly through the IRS or verified, trusted tax-preparation software such as TurboTax. For any email you receive, verify that it comes from the correct domain.
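One way to automate that domain check for the "tax document is ready" lure described above, as an added example that is not from Cybernews or Avanan: it flags a message whose display name claims a brand while the sender domain, the link hosts, or the DMARC result do not line up. The domains `stash.example` and `public.example` are placeholders (assumptions, not the apps' real domains), and both sample messages are constructed.

```python
import re
from email import message_from_string
from email.utils import parseaddr
from urllib.parse import urlparse

# Assumption: placeholder domains, not the apps' real ones.
BRAND_DOMAINS = {"stash": {"stash.example"}, "public": {"public.example"}}

def in_domains(host, allowed):
    """True if host equals an allowed domain or is a subdomain of one."""
    host = (host or "").lower().rstrip(".")
    return any(host == d or host.endswith("." + d) for d in allowed)

def check_message(raw):
    """Return a list of findings for a single-part text email."""
    msg = message_from_string(raw)
    display, addr = parseaddr(msg.get("From", ""))
    sender_domain = addr.rpartition("@")[2]
    findings = []
    for brand, allowed in BRAND_DOMAINS.items():
        if not re.search(rf"\b{brand}\b", display, re.I):
            continue  # display name does not claim this brand
        if not in_domains(sender_domain, allowed):
            findings.append(f"sender-domain-mismatch:{sender_domain}")
        for url in re.findall(r"https?://[^\s\"'<>]+", msg.get_payload()):
            host = urlparse(url).hostname
            if not in_domains(host, allowed):
                findings.append(f"link-host-mismatch:{host}")
    # Only meaningful when the header was added by your own mail server.
    if "dmarc=pass" not in msg.get("Authentication-Results", "").lower():
        findings.append("dmarc-not-pass")
    return findings

# Constructed sample messages (not real traffic).
SPOOFED = """\
From: "Stash Tax Center" <noreply@stash-taxdocs.example.net>
Subject: Your tax document is ready
Authentication-Results: mx.recipient.example; dmarc=fail

Review your document: https://login.stash-taxdocs.example.net/review
"""

GENUINE = """\
From: "Stash" <noreply@mail.stash.example>
Subject: Your tax document is ready
Authentication-Results: mx.recipient.example; dmarc=pass

Open the app or visit https://www.stash.example/documents
"""
```

The subdomain comparison matters: a lookalike such as `stash-taxdocs.example.net` contains the brand name but is not under the brand's domain, so a plain substring match would wrongly accept it.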

“Scammers want you to act before you think. They prey on emotions and use subject lines that will compel their targets to open an email and click or respond before questioning the validity of the request. We have seen this a lot over the last few years of hackers posing as the IRS or another government agency,” Santora said.

Be on the lookout for typos, and do not press any links or symbols compelling you to “click here” and submit personal information.

“Also, tell your loved ones (especially older relatives who are prime targets), colleagues, and friends to be on the lookout for these scams.”

