Be Prepared: Tax Scam Season is in Full Swing

It's somehow fitting that Groundhog Day and tax scam season overlap. 

Much like the 1993 Bill Murray film where he repeatedly experienced the same day, tax season scammers come out of their hole every year at the same time and tend to use the same attack methods against organizations and regular taxpayers. 

These scammers stick to these tried-and-true methods because they still work. Luckily, the fact that the same methods are used means cybersecurity teams should be well-versed in spotting an attack.

Whether it's phishing scams aimed at payroll or human resources personnel with the goal of obtaining W-2 tax form data, or phony Internal Revenue Service telephone calls to taxpayers trying to grab personally identifiable information, tax scam cybercriminals are now a month into their busy season.

Unfortunately for American citizens, tax scams are far more common in the U.S. than in other countries because U.S. taxpayers are required to file tax returns every year. Since this is not the case in many other nations, threat actors focus their tax scam efforts on the U.S.

To help counter this annual attack trend, the Cybersecurity and Infrastructure Security Agency (CISA) has issued a series of tips to help organizations and citizens avoid being victimized.

W-2 Tax Form Scams

W-2 tax forms contain a treasure trove of information that threat actors greatly value, such as employees' names, addresses, Social Security numbers, and wages, the IRS stated in a warning issued last year. Typically, criminals use the W-2 information to send in fraudulent tax returns diverting any money owed to the worker to the criminal's bank account. However, that is only one use. The attacker can use the personally identifiable information found on the tax form to conduct a wide variety of attacks or gain access to additional data.

Attackers often obtain the W-2 data directly from businesses and organizations. The threat actors accomplish this through social engineering, which usually entails sending an email that appears to come from an executive at the targeted company to a person with access to that business's W-2 forms. The adversary asks for access to the W-2 information. Since the email carries the name of a high-ranking person at the company, the human resources or payroll person who receives it often complies with the request.

The IRS also noted that attackers are now targeting tax preparers with a new email scam. In this case, the attacker impersonates the IRS and attempts to steal Electronic Filing Identification Numbers (EFINs). These thieves then use this information to steal client data and tax preparers' identities, allowing them to file fraudulent tax returns for refunds.

The IRS first spotted this attack variant in early 2021. It uses a phishing email purportedly from the IRS and carries the subject line "Verifying your EFIN before e-filing."

In this case, attackers ask tax preparers to email documents that would disclose their identities and EFINs to the thieves. The attackers then use this information to file fraudulent returns by impersonating the tax professional.

Tax professionals also should be aware of other common phishing scams that seek EFINs, Preparer Tax Identification Numbers (PTINs), or e-Services usernames and passwords.

Some thieves also pose as potential clients. This scam is especially effective because so many remote transactions are taking place due to the pandemic. For example, the thief may repeatedly interact with a tax professional and send an email with an attachment that claims to be their tax information.

Phishing is the Primary Attack Vector 

The primary attack vector is phishing for businesses and taxpayers. CISA's alert noted that scam artists pose as legitimate entities—such as the Internal Revenue Service (IRS), other government agencies, and financial institutions—to defraud taxpayers. The attackers employ sophisticated phishing campaigns to lure users to malicious sites or entice them to activate malware in infected email attachments.

Threat actors use three common elements when conducting a phishing attack.

  • A Lure: Enticing email content.

Using the name of the Internal Revenue Service or other financial or tax preparation service in the email to make the recipient believe they are in trouble with the government. 

  • A Hook: An email-based exploit.

The email usually has embedded malicious content, in the form of links leading to malicious websites or of attachments. In both cases, the link text or attachment name appears to be a recognized, legitimate website, but the actual URL redirects the user to malicious content.

  • A Catch: A transaction conducted by an actor following a successful attempt.

The victim can spot if they have been hoodwinked by the appearance of unexplainable charges to their bank accounts or payment cards after interacting with the email.

Detecting the Scam

The best way to avoid being victimized is to understand that the IRS does not initiate contact with taxpayers by email, text messages, or social media channels to request personal or financial information, CISA said.

The IRS noted that it conducts all correspondence through the U.S. Postal Service, so if a business is contacted by any other means, that communication should be treated as suspicious.
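As an added example (not from the original post and not Trustwave's code), a small Python triage script that checks one email for the lure and the hook described in the three-elements section above, plus the IRS contact rule stated here: an IRS-branded sender or subject that does not come from irs.gov, and links whose visible text looks like a legitimate domain while the href points elsewhere. The sample message and every domain in it are constructed.

```python
import re
from email import message_from_string
from email.policy import default
from html.parser import HTMLParser
from urllib.parse import urlparse


class LinkCollector(HTMLParser):
    # Collects (href, visible anchor text) pairs from an HTML body.
    def __init__(self):
        super().__init__()
        self.links, self._href, self._text = [], None, []
    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href, self._text = dict(attrs).get("href"), []
    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)
    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None

def mismatched_links(html):
    # The "hook": anchor text that looks like a domain while the href's real host is somewhere else.
    parser = LinkCollector()
    parser.feed(html)
    bad = []
    for href, text in parser.links:
        shown = re.sub(r"^https?://", "", text.lower()).rstrip("/")
        actual = (urlparse(href).hostname or "").lower()
        if re.fullmatch(r"[\w-]+(\.[\w-]+)+", shown) and actual not in ("", shown) and not actual.endswith("." + shown):
            bad.append(href)
    return bad

def analyze(raw_email):
    msg = message_from_string(raw_email, policy=default)
    header_text = f"{msg['Subject'] or ''} {msg['From'] or ''}"
    match = re.search(r"@([\w.-]+)", msg["From"] or "")
    domain = match.group(1).lower() if match else ""
    findings = []
    # The "lure": the IRS does not initiate contact by email, so IRS branding from a non-irs.gov sender is a strong indicator.
    if re.search(r"\birs\b|internal revenue", header_text, re.I) and domain != "irs.gov" and not domain.endswith(".irs.gov"):
        findings.append(f"lure: claims IRS but sent from {domain or 'unknown'}")
    body = msg.get_body(preferencelist=("html",))
    findings += [f"hook: link text/href mismatch -> {h}" for h in mismatched_links(body.get_content() if body else "")]
    return findings

SAMPLE = (  # constructed sample phish; all domains are hypothetical
          "From: IRS e-Services <efile-verify@irs-secure-portal.example>\n"
          "Subject: Verifying your EFIN before e-filing\nContent-Type: text/html\n\n"
          '<p>Verify now: <a href="http://login.irs-secure-portal.example/efin">www.irs.gov</a></p>\n')
```

Running `analyze(SAMPLE)` flags both the IRS-branded non-irs.gov sender and the www.irs.gov link that really points at the attacker's host; a routine internal email with matching link text and host produces no findings.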
