The April 15th deadline to file taxes in the United States is almost here, which means Tax Day phishing operations are in high gear. Impersonating the IRS is a year-round favorite tactic for cybercriminals. In fact, the IRS was the third most-impersonated brand in Q4 2018. But with the April 15th deadline on the horizon, criminals know that now is the perfect time to exploit anxiety, distraction, and time pressure to snare more victims.
Their goals include filing fraudulent tax returns, hijacking email addresses to commit BEC scams, and selling stolen records on the dark web. Every time they succeed, it adds fuel to the explosion of cybercrime that is predicted to cost organizations $5.2 trillion over the next five years. And for each organization that falls prey to these tax scams, the remediation costs can easily reach or exceed $1 million, not including the damage to brand value and trust.
The IRS warned the public back in November about a wave of phishing emails posing as the Internal Revenue Service to trick recipients into opening “tax account transcript” documents. What happens when someone takes the bait? That click unleashes Emotet malware, described by DHS as “among the most costly and destructive malware affecting state, local, tribal, and territorial (SLTT) governments, and the private and public sectors.”
Emotet is a banking Trojan that drops other Trojans, aka malware-as-a-service. Once it is in the system, in addition to dropping its payload, Emotet generates its own customized business email compromise attacks using victims’ email accounts and contact lists. It also launches brute-force attacks to crack and steal weak user passwords on the system.
Emotet is notoriously difficult to stop and expensive to remove. Merely cleaning affected machines won’t protect them from re-infection if there is even one compromised machine still on the network and as a result, remediation can take months. In fact, in late 2017, North Carolina’s Rockingham County School District suffered a network breakdown for more than a week after employees opened Emotet-infected email links. The district had to spend more than $300,000 in emergency funding to have its entire network rebuilt “fresh from the ground up” because the Emotet strain could not be removed.
In 2018, Portsmouth, New Hampshire spent $100,000 to remediate an attack that hijacked city officials’ email accounts, sending out fake invoices to citizens. As of mid-2018, the city of Allentown, Pennsylvania had earmarked more than $1.2 million to deal with its Emotet infection. Allocating those funds required the city to cut spending on street maintenance and solid waste management, and to put a freeze on new hires.
The tax transcript scam targets organizations of all types, and once the Trojan has access to an address book, it can easily trick that organization’s consumers into installing the malware via various types of email scams. Unfortunately, this is not the only type of attack originating from Tax Day.
Tax preparers are also getting hit by the kinds of direct deposit and wire-transfer BEC attacks that have targeted other industries, as described in our London Blue report. In December, the IRS warned about an increase in these attacks, which usually impersonate an executive and ask payroll or HR to reroute direct deposits or transfer funds to an outside account. Even if they’re detected quickly, these scams cost companies at least a payroll deposit, and sometimes much more.
As April 15th draws closer, scammers are using these same tactics to impersonate clients in emails to tax professionals, asking for a “last-minute change” to the destination account or address for their upcoming refund. To combat this, the IRS is urging tax preparers to pick up the phone and verify any such requests with clients before they change anything, to avoid diverting their clients’ refunds into the hands of cybercriminals.
How are crooks able to impersonate tax professionals and their clients? In most cases, they’ve successfully phished for the data to steal credentials. The IRS has documented phishing scams posing as professional associations, tax software providers, state accounting agencies, and the IRS itself. For tax preparers, the email inbox motto should be “open with caution.”
To keep yourself and your organization safe from tax scammers, train your people and upgrade your email security. Remind employees that the IRS does not send unsolicited emails or request sensitive data via email, so any emails claiming to be from the IRS should be reported—not opened.
Employees should never click on links or attachments from a sender claiming to have or need tax information, and no one should follow email links to enter login credentials. Your organization should have processes in place to verify any internal fund-transfer or tax-data sharing requests made via email. And while these steps can help reduce human error, but the best solution is to keep phishing emails from ever reaching your company’s inboxes.
Unfortunately, tax fraud is only one of the ways that cybercriminal organizations make their money. Having a solution in place that can effectively protect employees, detect attacks before they hit the inbox, and remove latent threats is imperative—on Tax Day and throughout the year.
Learn more about how to protect your organization during tax season and beyond with Agari Phishing Defense.