Need I tell you that tax season is scam season? You’ve been warned before that cyber criminals have two official holidays, or hunting seasons: Christmas and tax season.
This year is no different and, according to the IRS, the game is the same but the tactics have changed. In February, the IRS published notifications aimed at tax professionals describing a phishing campaign that spoofs the IRS website with near-exact replicas. The cyber criminals are trying to steal the Electronic Filing Identification Numbers of tax preparers. The IRS issues these numbers to individuals or firms that have been approved as authorized IRS e-file providers. So the scam is all about the crooks pretending to be official tax preparers.
The phishing email scam attempts to entice tax preparers to email documents that would reveal their identities and Electronic Filing Identification Numbers. The cyber criminals can then use this information to file fraudulent returns by impersonating the tax professionals.
According to the IRS, in addition to stealing Electronic Filing Identification Numbers, cyber criminals may also attempt to steal tax pros’ Preparer Tax Identification Numbers or e-services usernames and passwords.
Tricking the tax pros
The IRS warning includes information showing that fraudsters are impersonating potential clients of tax preparers. This tactic is more effective because more transactions are being conducted online due to the COVID-19 pandemic. The phishing emails likely contained a malicious attachment that, when opened, would download malware, such as information stealers designed to record keystrokes or harvest credentials.
Spoofing the IRS website
Security experts have pointed out that cyber criminals have been steadily improving at spoofing government domains for their phishing campaigns. They have been incorporating logos and language to give phishing messages a legitimate appearance.
Sherrod DeGrippo, senior director of threat research and detection at security firm Proofpoint, said, “Threat actors often spoof government sites and logos to socially engineer their targets into providing information.”
“These types of attacks usually go beyond stealing simple authentication credentials, such as usernames and passwords, and attempt to steal personal information, including Social Security numbers and bank account information,” DeGrippo stated. “We also see a variety of malicious domains registered to trick victims into clicking and entering information. For example, ‘taxrefund,’ ‘taxrefund-claimhere’ and ‘claimrefundtax-online’ are just some of the domains registered with various TLD extensions that distribute malicious payloads or act as phishing landing pages.”
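As an added example (not from the IRS, Proofpoint or the original article), a mail filter could screen message links for the kind of lookalike names quoted above. The word list, the two-hit threshold and the irs.gov allowlist are assumptions, and the sample message is constructed.

```python
import re
from urllib.parse import urlsplit

# Assumption: irs.gov and its subdomains are the only hosts treated as genuine.
TRUSTED_SUFFIXES = ("irs.gov",)
# Lure words taken from the domain names quoted in the article.
LURE_TOKENS = ("tax", "refund", "claim")
# Assumption: two or more lure words in one hostname is worth a review;
# a single hit ("syntax", "claims-dept") is too common to act on.
MIN_HITS = 2

URL_RE = re.compile(r"https?://[^\s\"'<>]+", re.IGNORECASE)


def is_trusted(host):
    # Match on a label boundary so only irs.gov itself and *.irs.gov pass.
    return any(host == s or host.endswith("." + s) for s in TRUSTED_SUFFIXES)


def lure_hits(host):
    # Ignore the last label: the quoted names appear under various TLDs.
    labels = host.split(".")[:-1]
    return sorted(t for t in LURE_TOKENS if any(t in lab for lab in labels))


def screen_message(body):
    """Return {host: [lure words]} for untrusted link hosts worth reviewing."""
    flagged = {}
    for url in URL_RE.findall(body):
        try:
            host = (urlsplit(url).hostname or "").lower().rstrip(".")
        except ValueError:  # malformed authority, e.g. a broken IPv6 literal
            continue
        if not host or is_trusted(host):
            continue
        hits = lure_hits(host)
        if len(hits) >= MIN_HITS:
            flagged[host] = hits
    return flagged


# Constructed sample message; .example names are reserved and not real sites.
SAMPLE = """Your refund is waiting: http://taxrefund-claimhere.example/login
Official guidance: https://www.irs.gov/refunds
Upload documents at https://claimrefundtax-online.example/form.
Unrelated link: https://syntax.example.org/docs
"""

if __name__ == "__main__":
    for host, hits in screen_message(SAMPLE).items():
        print(f"review: {host} (matched {', '.join(hits)})")
```

Keyword matching like this is a triage signal for a human or a downstream filter, not a verdict; it will miss lookalikes that avoid these words.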
COVID-19 used as a scam tool
As if dealing with the pandemic is not enough! Now we have to look out for scammers using it as a tool to rob us! The IRS and other federal agencies have detected scammers spoofing their sites as part of fraud campaigns designed to take advantage of federal COVID-19 economic relief programs.
Tonia Dudley, a strategic adviser at security firm Cofense, says these types of spoofing or phishing campaigns often are launched when new websites are created to support new government benefits programs. The purpose of these scams is to steal credentials “to gain access to victims’ financial accounts or money – trying to lure funds away from the target recipient,” Dudley says.
By May of last year, Proofpoint was tracking about 300 phishing campaigns that spoofed government domains or incorporated language and logos in phishing emails, many of which began around the time tax season started last year and the COVID-19 pandemic escalated.
Every year we gear up to file taxes. At the same time, the cyber criminals are gearing up to rip you off. Be on your game! Protect yourself from cyber fraud.
Now you know.