Trustwave SpiderLabs Uncovers Ov3r_Stealer Malware Spread via Phishing and Facebook Advertising. Learn More

Trustwave SpiderLabs Uncovers Ov3r_Stealer Malware Spread via Phishing and Facebook Advertising. Learn More

Services
Capture
Managed Detection & Response

Eliminate active threats with 24/7 threat detection, investigation, and response.

twi-managed-portal-color
Co-Managed SOC (SIEM)

Maximize your SIEM investment, stop alert fatigue, and enhance your team with hybrid security operations support.

twi-briefcase-color-svg
Advisory & Diagnostics

Advance your cybersecurity program and get expert guidance where you need it most.

tw-laptop-data
Penetration Testing

Test your physical locations and IT infrastructure to shore up weaknesses before exploitation.

twi-database-color-svg
Database Security

Prevent unauthorized access and exceed compliance requirements.

twi-email-color-svg
Email Security

Stop email threats others miss and secure your organization against the #1 ransomware attack vector.

tw-officer
Digital Forensics & Incident Response

Prepare for the inevitable with 24/7 global breach response in-region and available on-site.

tw-network
Firewall & Technology Management

Mitigate risk of a cyberattack with 24/7 incident and health monitoring and the latest threat intelligence.

Solutions
BY TOPIC
Microsoft Exchange Server Attacks
Stay protected against emerging threats
Rapidly Secure New Environments
Security for rapid response situations
Securing the Cloud
Safely navigate and stay protected
Securing the IoT Landscape
Test, monitor and secure network objects
Why Trustwave
About Us
Awards and Accolades
Trustwave SpiderLabs Team
Trustwave Fusion Security Operations Platform
Trustwave Security Colony
Partners
Technology Alliance Partners
Key alliances who align and support our ecosystem of security offerings
Trustwave PartnerOne Program
Join forces with Trustwave to protect against the most advance cybersecurity threats
SpiderLabs Blog

2023 Tax Scam Emails Exposed: Unmasking Deceptive Trends

Tax season is a busy time of year for taxpayers and threat actors. Consumers and businesses focus on filing their taxes and getting excited over possible refunds, while cybercriminals roll out both their tried-and-true tax scams along with implementing new efforts. However, tax time can also be quite stressful with consumers and those charged with handling an organization’s tax filings hyper aware of any notifications from the government that might impact their filing or refund.

Threat actors know and utilize this fear, so to help prepare everyone, Trustwave SpiderLabs will break down some of the most common tax season trends and scams the team has observed during the first quarter of 2023 and provide tips on how to stay safe during this time of year.

HTML Extensions Dominate Tax Season Email Scams

According to our data, since the start of this year, the top two file extensions used in tax season email scams are .htm and .html, accounting for 62% of all attachments. HTML is often used in scam emails because it allows cybercriminals to create realistic looking web pages with diverse content. Using HTML makes it easier for cybercriminals to lure people into opening malicious emails. It is important to be cautious, as HTML attachments can spread harmful software or send users to fake websites where they might be asked to share sensitive information.

19759_image002

Figure 1. Pie chart of attachment extensions used in Tax-themed scams since Jan 01, 2023.

Navigating Tax Season Safely: 5 Common Scams to Watch Out For

As tax season is in full swing, one must remain cautious and aware of potential phishing and scams as they come into your inbox. To assist with this, Trustwave SpiderLabs has compiled a list of the most prevalent tax scams this season. These insights were created based on data collected through Trustwave's spam traps and various monitoring systems.

1. IRS Impersonation Scams

U.S. IRS impersonation scams see fraudsters pose as the tax agency to manipulate victims into divulging sensitive personal and financial information. Fraudsters often use fear of prosecution for breaking the law or the promise of monetary gain to deceive unsuspecting taxpayers.

SpiderLabs recently spotted a phishing email, shown below, impersonating the Internal Revenue Service (IRS) and offering the stunning amount of $16.5 million in approved funds if the target gives the information required. The email requests personal information such as name, address, phone number, occupation, and ID card to be sent back over email. This message preys on the recipient's desire for financial gain by hoping that they will ignore the warning signs, which include the email being very poorly worded, and give away their sensitive data.

19760_image004

Figure 2. Screenshot of the email impersonating the IRS with subject line reading ‘Internal Revenue Service.’

In the example below, we present another instance of a phishing attempt that falsely claims to be from ‘ShareFile’ on behalf of the IRS. The email requests the user to review the attached HTML document.

19761_image006

Figure 3. Email with subject line ‘Internal Revenue: Review Document (redacted@redacted.com)’ impersonates the IRS.

The attachment directs users to a counterfeit ‘ShareFile’ login page, where victims input email credentials and additional sensitive data like mother's maiden name, social security number, and date of birth. This information can be exploited for identity theft, financial fraud, and unauthorized account access, or sold to cybercriminals on the dark web.

19762_image008

Figure 4. Screenshot of the HTML file named ‘TaxProfile(IRS).html’ asking for sensitive information.

Another method is for scammers to impersonate IRS officials.

 

Important IRS Reminder:

 

Remember, the IRS does not use email, phone calls, or text messages to request personal or financial information from taxpayers. Instead, they primarily communicate through regular mail delivered by the United States Postal Service.

Being aware of this can help you avoid falling for scams that impersonate the IRS.

 

 

2. Malware Delivered Through Tax Documents

A recent tax-related email campaign SpiderLabs observed involved an attacker sending an email including a .docx file called ‘W2-2022.docx,’ claiming to have important tax details for the recipient to review. However, what in fact happens is that upon opening this file the user is connected to a harmful website that leads to infostealer malware installation.

Infostealer malware is used by cybercriminals to snatch sensitive data like usernames, passwords, and financial information. It operates by logging keystrokes, capturing screenshots, and tracking a user’s Internet activities, as well as gathering data from email accounts, web browsers, and other applications.

19763_image010

Figure 5. ‘W2-2022’ email subject with ‘W2-2022.docx’ attachment delivers info-stealing malware.

3. Tax Refund Scams

Tax refund scams are successful because many individuals anticipate refunds from the IRS.
A recent Facebook-themed phishing scam surfaced that alleges the recipient is under investigation for tax evasion and the email requests account verification for tax refund processing. Users are prompted to click an email URL using the ‘m.me’ domain, which is owned by Meta (formerly Facebook Inc.) and directs users to Messenger pages or conversations. What in fact happens is the user is led into a trap, where they are asked to give personal information, login credentials, or even financial details.

19764_image012

Figure 6. ‘Message from Facebook’ email uses Tax Refund and Tax Evasion as themes.

Another common tax refund-themed scam involves the Employee Retention Tax Credit (ERTC), a legitimate government tax credit designed to help businesses cover payroll costs and retain employees.

Scammers send spam emails promising businesses up to $26,000 per employee through the ERTC program. The emails ask owners to fill out a form on a suspicious website or call a phone number. Here's an example of such a scam message.

19765_image014

Figure 7. ERTC scam with subject line of ‘Small Business owners are owed $ 26,000 Per Employee.’

When the user clicks on the email link, they will be taken to the website as shown below and then prompted to supply financial information. These scammers may use the information provided to steal sensitive data.

19766_image016

Figure 8. The screenshot of the ertcmoneyforyou[.]com webpage.

4. Phishing via Fake Tax Forms

Scammers are known to stick with a method that still works, so many scams still use fake tax forms to trick people. Form W-8BEN, which is typically used to establish foreign status for tax purposes, is one of the most common forms attackers use.

Threat actors using this scam employ the old school approach of sending a letter by mail or faxing the victim. As shown in the example below, the notification claims the victim is exempt from paying taxes, but still must authenticate their information by filling out the fake W-8BEN form. The victim is urged to fax the completed form back to the fake IRS number which is controlled by the scammer.

19767_image018

Figure 9. Phishing email using fake tax form with subject line ‘MID YEAR-NON-RESIDENT ALIEN TAX EXEMPTION UPDATE.’

19768_image020

Figure 10. The fake W-8BEN tax form that includes a Fake IRS fax number.

5. Social Security Number Scams

This type of scam, where fraudsters impersonate the Social Security Administration (SSA) and claim that the recipient's Social Security Number (SSN) has been terminated due to illegal activity, is designed to exploit fear and confusion. The goal of the scammers is to obtain personal information, such as SSNs, bank account details, or other sensitive data, which can then be used for identity theft or financial fraud.

Commonly, as can be seen in the email below, scammers send a document with a message that urges the victim to call a fake customer support line to resolve the issue. If the victim calls, they may be asked to provide personal information that can be used for identity theft or financial fraud.

19769_image022

Figure 11. Email Screenshot with subject line of ‘SSN terminated due to suspicious activity.’

19770_image024

Figure 12. The attached PDF document claims the recipient's SSN account is terminated and directs them to call a fake support number for assistance.

How to Protect Against Tax Season Scams:

  • Be cautious and verify: Avoid opening unsolicited emails and then double-check the sender's address. Confirm information through official channels like organization websites or direct calls. For instance, if you receive a suspicious email that appears to be from the IRS, visit the official IRS website or call their helpline to verify its legitimacy.
  • Practice safe clicking: Refrain from clicking links or downloading attachments in suspicious emails to prevent exposure to malware or viruses. Before clicking a link, hover your cursor over it to reveal the actual URL. This can help you identify if the link leads to a suspicious or unrelated website, which may be an indicator of a phishing attempt.
  • Recognize and resist urgency: Exercise caution when receiving urgent requests, as scammers often use them to pressure victims into taking impulsive actions without proper consideration. Be skeptical of emails demanding immediate action or threatening consequences.
  • Safeguard personal information: Avoid sharing personal data, such as bank details or Social Security numbers, via email, phone, or other channels unless you're sure the communication is legitimate. Verify the requester's identity before providing information. Regularly monitor credit reports and financial statements for signs of fraud.
  • Use secure tax filing methods: When e-filing taxes, pick a reliable tax preparation service. Check their reputation, read reviews, and ensure they have a history of safeguarding client data. Established services generally have strong security measures to protect sensitive information.
  • Stay educated and updated: Stay informed about the latest phishing and social engineering techniques. Keep your operating system, antivirus, anti-malware and other application software up to date to ensure that your system is protected against the latest threats.
  • Report suspected scams: If you encounter a tax season scam or believe you have been victimized by one, report the incident to appropriate authorities to help prevent others from falling prey to similar schemes.

Don't let tax season cyber threats catch you off guard. Tax-related scams and cyberattacks are a constant danger, with cybercriminals adapting their tactics to target individuals and businesses alike. By staying informed, being cautious, and following online security best practices, you can minimize the risk of falling victim to these scams.

Stay aware and stay safe during tax season!

Latest SpiderLabs Blogs

Trustwave SpiderLabs: Insights and Solutions to Defend Educational Institutions Against Cyber Threats

Security teams responsible for defending educational institutions at higher education and primary school levels often find themselves facing harsh lessons from threat actors who exploit the numerous...

Read More

Breakdown of Tycoon Phishing-as-a-Service System

Just weeks after Trustwave SpiderLabs reported on the Greatness phishing-as-a-service (PaaS) framework, SpiderLabs’ Email Security team is tracking another PaaS called Tycoon Group.

Read More

Trustwave SpiderLabs Uncovers Ov3r_Stealer Malware Spread via Phishing and Facebook Advertising

During an Advanced Continual Threat Hunt (ACTH) investigation that took place in early December 2023, Trustwave SpiderLabs discovered Ov3r_Stealer, an infostealer distributed using Facebook...

Read More