Malicious entities use online tax scams to defraud victims
Tax season is a stressful time of year for everyone, with plenty of numbers to get right (or wrong). Naturally, malicious parties and malware gangs are happy to take advantage of the confusion, victimizing those who are misinformed about tax preparation and payment. That’s the last thing anyone wants, especially when incorrect data can lead to penalty payments, so staying safe is important.
Method of attack
Unsurprisingly, spoof and scam messages are rooted once again in phishing emails, the go-to for cybercriminals everywhere. It’s a common and unfortunately effective method, but because phishing attacks are so common, there are specific, recognizable signs to catch them.
Right now, attackers are deploying sophisticated impersonation campaigns. In other words, they’re trying to appear as the IRS (or a similar entity) to defraud readers. Typically, tricksters will create emails and messages containing deceptive traits, like official government imagery or legitimate-looking sender addresses. At first glance, that’s sometimes enough to deceive a reader. Attackers also like to time these messages around busy holidays (Easter) to cause further confusion.
Email content and messaging will vary, but commonly discuss missed tax payments, late payments, incorrect filings, wrong data, or content involving money. The idea is to create alarm in the reader so they’re likelier to make a rash decision.
The anatomy of scam tax emails varies, though they follow a similar pattern. Normally the email “contacts” the recipient about an overdue payment, stating the late amount, the payment method, and the penalties that will occur if the balance is not paid. The phishing email also includes malicious links and/or attachments.
What these links or attachments do varies based on the attacker.
Consequences of attack
In the event of a successful “breach” or scam, attackers typically want information. Personal data, passwords, and email logins are common goals, which can then be used in different attack campaigns and breaches. In other cases, hackers work to steal login information from system admins (or those with similar network privileges) for a business network, likely to deploy ransomware and malware.
Individuals, though, could find other accounts compromised if they accidentally gave away key password credentials. Unfortunately, that’s because many users keep the same password on multiple accounts, regardless of their importance. One mistake therefore leads to others, which is the primary reason why avoiding tax-related phishing scams is so important.
With tax season here and all its stresses, it’s easy to be on high alert. No one wants to miss filing and deal with needless penalties. However, it is exactly those stressors that malicious parties target.
Keep an eye out for key traits of tax-related phishing emails:
- Incorrect syntax, grammar/spelling errors in content
- Alerts about a “missed” payment or account errors leading to unverified financial penalties
- Suspicious links and/or attachments in an email
- Requests to contact an unknown sender
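For mail administrators, the checkable traits in the list above can be turned into a simple triage filter. The following is an added example, not code from the original article: the sample message, the keyword lists and the signal labels are all constructed for illustration, and treating any link outside irs.gov as suspicious is an assumption of this sketch.

```python
import re
from email import message_from_string
from email.utils import parseaddr
from urllib.parse import urlparse

# Constructed sample message; every name, domain and number in it is made up.
SAMPLE = """\
From: "IRS Tax Services" <notice@irs-refund-help.example>
Subject: Overdue tax payment - penalty notice
Content-Type: text/plain; charset=utf-8

Our records show a missed payment of $1,482.00. Penalties apply
if the balance is not paid today. Pay at http://irs-payments.example/pay
or call our agent at 555-0100.
"""

BRAND = re.compile(r"\b(irs|internal revenue)\b", re.I)
URGENCY = re.compile(r"\b(overdue|missed payment|late payment|penalt(y|ies))\b", re.I)
CONTACT = re.compile(r"\b(call|contact|reply to)\b", re.I)
URL = re.compile(r"https?://[^\s<>\"']+", re.I)

def on_irs_gov(host):
    """True only for irs.gov or a subdomain of it, never for look-alikes."""
    host = (host or "").lower().rstrip(".")
    return host == "irs.gov" or host.endswith(".irs.gov")

def tax_phish_signals(raw):
    """Return the trait labels (hypothetical names) found in one raw message."""
    msg = message_from_string(raw)
    display, addr = parseaddr(msg.get("From", ""))
    subject = msg.get("Subject", "")
    body, attachments = "", []
    for part in msg.walk():
        if part.get_filename():                      # any named part is an attachment
            attachments.append(part.get_filename())
        elif part.get_content_type() == "text/plain":
            data = part.get_payload(decode=True) or b""
            body += data.decode(part.get_content_charset() or "utf-8", "replace")
    text = subject + "\n" + body
    signals = []
    # Message presents itself as the IRS but the sender domain is not irs.gov.
    if BRAND.search(display + " " + text) and not on_irs_gov(addr.rpartition("@")[2]):
        signals.append("irs-claim-from-other-domain")
    if URGENCY.search(text):
        signals.append("payment-or-penalty-pressure")
    if any(not on_irs_gov(urlparse(u).hostname) for u in URL.findall(text)):
        signals.append("link-outside-irs.gov")
    if attachments:
        signals.append("attachment")
    if CONTACT.search(text):
        signals.append("asks-to-contact-sender")
    return signals
```

The returned labels are triage hints, not a verdict: a tax preparer's legitimate mail can trip several of them. A From address on irs.gov is not proof either, since that header can be forged, so SPF, DKIM and DMARC results should be weighed alongside it.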
Ultimately, if you’re uncertain about tax documentation or you think you’ve made an error, check with official sources first. Whether that’s a tax filing service or the IRS website/resources, follow a “zero trust” policy. In other words, trust only once verified.