US Tax Season Spurs Scammers into Action Again

There are certain times of year that whip threat actors and scammers into action like clockwork. With the winter holiday season and the week ahead of Black Friday behind us, it's time for the next big payday for scammers: US tax season. As the late-April deadline for submitting tax forms approaches, hackers and fraudsters are ramping up their activity as well.

IRS-impersonating scams spread Emotet

A team of researchers with security firm Fortinet examined the latest ongoing scams and malware-spreading campaigns that are out to get taxpayers. One ongoing campaign impersonates the US Internal Revenue Service and spreads the Emotet password-stealing trojan. Emotet has a further range of malicious capabilities that stretch beyond just stealing passwords from the victim's machine.

As usual, the scammers are relying on simple but effective social engineering tricks. The phishing email's subject is "Incorrect Form Selection", an obvious attempt to scare the potential victim and get them to act urgently to fix their supposed mistake.

The payload is delivered through a macro-enabled file, as is the case with a lot of malware spread using email. The victim is first asked to download the malware-laden file, which pretends to be a legitimate Request for Taxpayer Identification Number and Certification form used by the IRS. The scripts inside the malicious file's macros contact a remote address, then download and deploy Emotet on the victim's machine.

Another campaign was also observed, where the email's subject was the more unusual "New Year Non-Resident Alien Tax Exemption Update". This campaign attached a non-malicious form-fillable PDF file that the scammers expect the victim to fill in and then send back, replying to the original phishing email. Even though the document itself is not malicious, if the unfortunate victim fills in their information and sends it back, they will be sending the scammers their name, bank account information, address, and tax number, as well as their passport ID number.

Such a convenient and rich trove of personal information can be used by the scammers for a number of malicious activities, from impersonation to fraud committed under the assumed identity of the unfortunate victim.

Staying safe from scams

As with all scams and phishing campaigns, these emails are sent in huge volumes. Many recipients think they are safe, but the crooks running the campaigns don't need to hit everyone. Of the millions of emails sent out, even a fraction of a percent equals thousands of potential victims.

Double-checking the email address of the sender and never allowing macros to run if you downloaded a document from the Internet are great first steps to being much safer when you go online.
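The two checks above can also be automated at a mail gateway or during triage. The sketch below is an added example, not code from the article or from Fortinet: it flags a message whose display name claims the IRS while the sending domain is not irs.gov, and any attachment that carries a VBA project. The function names, the sample sender domain and the attachment filename are constructed for illustration.

```python
import io
import re
import zipfile
from email import message_from_bytes, policy
from email.message import EmailMessage
from email.utils import parseaddr

OLE_MAGIC = bytes.fromhex("D0CF11E0A1B11AE1")  # legacy .doc/.xls (OLE2) header

def has_macros(data: bytes) -> bool:
    """Inspect the attachment content, not its file extension."""
    if data.startswith(OLE_MAGIC):
        return True  # conservative: legacy formats can carry macros
    if not data.startswith(b"PK"):
        return False
    try:
        with zipfile.ZipFile(io.BytesIO(data)) as z:
            return any(n.lower().endswith("vbaproject.bin") for n in z.namelist())
    except zipfile.BadZipFile:
        return False

def triage(raw: bytes, claimed="irs", real_domain="irs.gov") -> list:
    msg = message_from_bytes(raw, policy=policy.default)
    display, addr = parseaddr(str(msg["From"] or ""))
    domain = addr.rpartition("@")[2].lower()
    findings = []
    legit = domain == real_domain or domain.endswith("." + real_domain)
    # Match whole words so that "First Bank" does not count as claiming "irs".
    if claimed in re.findall(r"[a-z0-9]+", display.lower()) and not legit:
        findings.append("sender-mismatch:" + domain)
    for part in msg.iter_attachments():
        if has_macros(part.get_payload(decode=True) or b""):
            findings.append("macro-attachment:" + str(part.get_filename()))
    return findings

def build_sample() -> bytes:
    """Constructed test message; sender, filename and contents are made up."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as z:
        z.writestr("word/vbaProject.bin", b"\x00")  # marker part only, no real macro
    m = EmailMessage()
    m["From"] = "IRS Online <forms@tax-refund.example>"
    m["Subject"] = "Incorrect Form Selection"
    m.set_content("Please correct the attached form.")
    m.add_attachment(buf.getvalue(), maintype="application",
                     subtype="octet-stream", filename="taxpayer_form.docm")
    return m.as_bytes()

if __name__ == "__main__":
    print(triage(build_sample()))
```

The macro check does nothing against the second campaign, whose fillable PDF is not malicious; there only the sender check applies, which is why both signals are reported separately.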

Phishing emails also often contain small inaccuracies or spelling and grammar mistakes made by the crooks, who are often non-native speakers. This could be another tell-tale sign that something is wrong and something to always look out for.