Email Security Blog

Beware of Phishing Attacks as Tax Day Looms Closer

Raymond Lim April 11, 2019 Email Security

The April 15th deadline to file taxes in the United States is almost here, which means Tax Day phishing operations are in high gear. Impersonating the IRS is a year-round favorite tactic for cybercriminals. In fact, the IRS was the third most-impersonated brand in Q4 2018. But with the April 15th deadline on the horizon, criminals know that now is the perfect time to exploit anxiety, distraction, and time pressure to snare more victims.

Their goals include filing fraudulent tax returns, hijacking email addresses to commit BEC scams, and selling stolen records on the dark web. Every time they succeed, it adds fuel to the explosion of cybercrime that is predicted to cost organizations $5.2 trillion over the next five years. And for each organization that falls prey to these tax scams, the remediation costs can easily reach or exceed $1 million, not including the damage to brand value and trust.

Tax Transcripts Cause Malware Nightmares

The IRS warned the public back in November about a wave of phishing emails posing as the Internal Revenue Service to trick recipients into opening “tax account transcript” documents. What happens when someone takes the bait? That click unleashes Emotet malware, described by DHS as “among the most costly and destructive malware affecting state, local, tribal, and territorial (SLTT) governments, and the private and public sectors.”

Emotet is a banking Trojan that also drops other Trojans, functioning as malware-as-a-service. Once it is in the system, in addition to dropping its payload, Emotet generates its own customized business email compromise attacks using victims’ email accounts and contact lists. It also launches brute-force attacks to crack and steal weak user passwords on the system.

Emotet is notoriously difficult to stop and expensive to remove. Merely cleaning affected machines won’t protect them from re-infection if there is even one compromised machine still on the network, and as a result, remediation can take months. In fact, in late 2017, North Carolina’s Rockingham County School District suffered a network breakdown for more than a week after employees opened Emotet-infected email links. The district had to spend more than $300,000 in emergency funding to have its entire network rebuilt “fresh from the ground up” because the Emotet strain could not be removed.

In 2018, Portsmouth, New Hampshire spent $100,000 to remediate an attack that hijacked city officials’ email accounts, sending out fake invoices to citizens. As of mid-2018, the city of Allentown, Pennsylvania had earmarked more than $1.2 million to deal with its Emotet infection. Allocating those funds required the city to cut spending on street maintenance and solid waste management, and to put a freeze on new hires.

The tax transcript scam targets organizations of all types, and once the Trojan has access to an address book, it can easily trick that organization’s consumers into installing the malware via various types of email scams. Unfortunately, this is not the only type of attack originating from Tax Day.

Tax Professionals Under Email Attack

Tax preparers are also getting hit by the kinds of direct deposit and wire-transfer BEC attacks that have targeted other industries, as described in our London Blue report. In December, the IRS warned about an increase in these attacks, which usually impersonate an executive and ask payroll or HR to reroute direct deposits or transfer funds to an outside account. Even if they’re detected quickly, these scams cost companies at least a payroll deposit, and sometimes much more.

As April 15th draws closer, scammers are using these same tactics to impersonate clients in emails to tax professionals, asking for a “last-minute change” to the destination account or address for their upcoming refund. To combat this, the IRS is urging tax preparers to pick up the phone and verify any such requests with clients before they change anything, to avoid diverting their clients’ refunds into the hands of cybercriminals.

How are crooks able to impersonate tax professionals and their clients? In most cases, they’ve successfully phished for the data to steal credentials. The IRS has documented phishing scams posing as professional associations, tax software providers, state accounting agencies, and the IRS itself. For tax preparers, the email inbox motto should be “open with caution.”

Tax Scam Takeaways

To keep yourself and your organization safe from tax scammers, train your people and upgrade your email security. Remind employees that the IRS does not send unsolicited emails or request sensitive data via email, so any emails claiming to be from the IRS should be reported—not opened.

Employees should never click on links or attachments from a sender claiming to have or need tax information, and no one should follow email links to enter login credentials. Your organization should have processes in place to verify any internal fund-transfer or tax-data sharing requests made via email. And while these steps can help reduce human error, the best solution is to keep phishing emails from ever reaching your company’s inboxes.
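As an added illustration (not from the original post and not Agari's product logic), the Python example below turns the lures described in this article into mail-triage rules: messages claiming to be from the IRS, "tax account transcript" lures that carry an attachment or link, and requests to change a refund or direct-deposit account. The sample messages, keyword patterns, and action labels are constructed assumptions.

```python
import re
from email import message_from_string
from email.utils import parseaddr

# Keyword patterns are assumptions chosen for illustration; tune for real mail.
IRS_NAME = re.compile(r"\b(irs|internal revenue service)\b", re.I)
TRANSCRIPT = re.compile(r"tax (account )?transcript", re.I)
PAY_TOPIC = re.compile(r"direct deposit|refund|wire transfer|payroll", re.I)
PAY_CHANGE = re.compile(r"\b(change|update|reroute|new account)\b", re.I)
URL = re.compile(r"https?://", re.I)

# Constructed sample messages (not real mail); .example domains are reserved.
SAMPLES = {
    "transcript": "From: IRS Online <notice@irs-mail.example>\n"
    "Subject: Your tax account transcript\n"
    "Content-Type: multipart/mixed; boundary=b\n\n"
    "--b\nContent-Type: text/plain\n\nSee the attached transcript.\n"
    "--b\nContent-Type: application/msword\n"
    "Content-Disposition: attachment; filename=transcript.doc\n\nAAAA\n--b--\n",
    "refund": "From: Pat Client <pat@client.example>\n"
    "Subject: Last-minute change for my refund\n\n"
    "Please send my refund to the new account below.\n",
    "benign": "From: Alex <alex@corp.example>\nSubject: Lunch Friday\n\n"
    "Are we still on for noon?\n",
}

def triage(raw):
    """Return the actions a message triggers; an empty list means no rule hit."""
    msg = message_from_string(raw)
    display_name, _addr = parseaddr(msg.get("From", ""))
    subject = msg.get("Subject", "")
    body, has_attachment = "", False
    for part in msg.walk():
        if part.get_filename():
            has_attachment = True
        elif part.get_content_type() == "text/plain":
            body += (part.get_payload(decode=True) or b"").decode("utf-8", "replace")
    text = subject + "\n" + body
    findings = []
    # The IRS does not send unsolicited email, so any IRS claim is reported.
    if IRS_NAME.search(display_name) or IRS_NAME.search(subject):
        findings.append("report: claims to be from the IRS")
    if TRANSCRIPT.search(text) and (has_attachment or URL.search(body)):
        findings.append("quarantine: transcript lure with attachment or link")
    if PAY_TOPIC.search(text) and PAY_CHANGE.search(text):
        findings.append("hold: verify account change by phone")
    return findings

if __name__ == "__main__":
    print({name: triage(raw) for name, raw in SAMPLES.items()})
```

The IRS rule keys on the claimed identity rather than the sender domain, matching the guidance above that any email claiming to be from the IRS should be reported.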

Unfortunately, tax fraud is only one of the ways that cybercriminal organizations make their money. Having a solution in place that can effectively protect employees, detect attacks before they hit the inbox, and remove latent threats is imperative—on Tax Day and throughout the year.

Learn more about how to protect your organization during tax season and beyond with Agari Advanced Threat Protection.
