Cyber criminals are trying to exploit this year’s tax season by sending out phishing emails claiming to be from the IRS but which are actually designed to infect victims’ PCs with malware or trick users into handing over personal data including bank details, usernames, passwords and other sensitive information.
Detailed by cybersecurity researchers at Fortinet, the scams aren’t particularly sophisticated but are being sent out in bulk at a time when people are aware of tax deadlines – and even if just a fraction of those receiving the phishing emails get duped, hackers can steal a lot of data.
One of the phishing campaigns is based around an email that purports to be from the U.S. Internal Revenue Service (IRS) and is designed to infect the victim with Emotet malware, a powerful trojan used to steal passwords that also creates a backdoor onto the infected computer.
Claiming to be from ‘IRS Online’, the email with the subject of ‘Incorrect Form Selection’ asks victims to open an attachment called “W-9 form.zip” – also providing the target with a plain text password needed to open the file. The lure is designed to look like Form W-9, which is a Request for Taxpayer Identification Number and Certification from the IRS.
If the user opens the document inside the Zip file, they’re asked to enable macros – a common tactic used by cyber criminals to help deliver malware. After macros are enabled, the malicious document downloads the Emotet malware, which the attackers can use to steal usernames and passwords on the compromised Windows machine.
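The lure described above pairs a password-protected Zip attachment with the password written in the email body, and a mail filter can check for that pairing. The following is an added example, not code from Fortinet or from the original article; the keyword pattern, the function names and the sample message (including its sender address and password) are constructed assumptions.

```python
import io
import re
import zipfile
from email import message_from_bytes, policy
from email.message import EmailMessage

# Assumed heuristic: the body hands over a password for the attachment.
PASSWORD_HINT = re.compile(r"\b(password|passcode|pwd)\b\s*[:=]?\s*\S+", re.I)

def zip_is_encrypted(data: bytes) -> bool:
    """True if any ZIP member has the 'encrypted' flag (bit 0) set."""
    try:
        with zipfile.ZipFile(io.BytesIO(data)) as zf:
            return any(info.flag_bits & 0x1 for info in zf.infolist())
    except zipfile.BadZipFile:
        return False

def flag_message(raw: bytes) -> list[str]:
    """Return the reasons a message matches the lure pattern (empty if none)."""
    msg = message_from_bytes(raw, policy=policy.default)
    body = msg.get_body(preferencelist=("plain",))
    text = body.get_content() if body else ""
    reasons = []
    for part in msg.iter_attachments():
        name = part.get_filename() or ""
        if name.lower().endswith(".zip") and zip_is_encrypted(part.get_content()):
            reasons.append(f"encrypted zip attachment: {name}")
            if PASSWORD_HINT.search(text):
                reasons.append("body supplies a password for the archive")
    return reasons

def constructed_sample(encrypted: bool = True) -> bytes:
    """Constructed test message with an inert ZIP, optionally marked encrypted."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("sample.doc", b"placeholder, not a real document")
    z = bytearray(buf.getvalue())
    if encrypted:
        z[6] |= 1                          # flags in the local file header
        z[z.find(b"PK\x01\x02") + 8] |= 1  # flags in the central directory
    msg = EmailMessage()
    msg["From"] = "IRS Online <sender@example.invalid>"
    msg["Subject"] = "Incorrect Form Selection"
    msg.set_content("Please open the attached form. Password: 12345")
    msg.add_attachment(bytes(z), maintype="application", subtype="zip",
                       filename="W-9 form.zip")
    return msg.as_bytes()

if __name__ == "__main__":
    print(flag_message(constructed_sample()))
```

A message that trips both reasons is a candidate for quarantine or manual review rather than proof of malice, since legitimate senders also share encrypted archives.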
Another tax season-themed phishing scam uses slightly different tactics but has the same goal of tricking people into giving away sensitive information. This phishing email, with the subject line “NEW YEAR-NON-RESIDENT ALIEN TAX EXEMPTION UPDATE”, contains a PDF document titled “W8-ENFORM.PDF”.
While the PDF itself isn’t malicious – in that it doesn’t deliver malware – the scam asks the user to fill out the document and return it. Information it asks for includes name, address, tax number, email address, passport number and mother’s maiden name, as well as their bank account information.
All of this sensitive information can be used to compromise the victim’s online accounts, as well as their bank account. The information can also be used to commit fraud in the name of the victim.
Researchers note that the IRS never asks for information from taxpayers via email and instead uses the postal service to send letters. However, social-engineering tactics and the fact that these emails are being sent during tax season mean that users might forget this, particularly if an email claiming to be from the IRS says they’ve made a mistake, owe money or are due a tax rebate.
The FBI has also issued warnings about tax scams, relating to a rise in complaints around unearned payments and 1099 Forms. The IRS 1099 Form is a collection of tax forms documenting different types of payments made by an individual or a business that usually is not the person’s employer.
The FBI Internet Crime Complaint Center (IC3) says it has received complaints from people who were asked to provide information about taxable income that they say they didn’t earn. According to the FBI, in this case it seems that their personally identifiable information (PII) has been used to open accounts with e-commerce providers. If they’re sent a 1099 form due to fraud, taxpayers are urged to report it to the IRS, monitor their credit reports for suspicious activity and file a police report.
These scams sent during tax season may seem simple, but they’re being sent out because they’re effective: there are people who are being tricked into believing phishing emails really do come from the IRS.
“Out of thousands of recipients, it only takes a few to respond to make it all worthwhile to an attacker. And when the right person falls prey it can unleash a trove of information to the attacker that can be exploited for various purposes. Although such scams are well known and publicized, they are still pervasive for one simple fact – they work and will continue to work for the foreseeable future,” researchers said in a blog post.
To avoid falling victim to tax-themed phishing scams, it’s important to remember that the IRS never sends email correspondence without prior consent.
Users should also be very wary about enabling macros – when they’re turned off by default, it’s for a good reason. Users can also report suspected phishing scams directly to the IRS.