Trustwave Blog

Be Prepared: Tax Scam Season is in Full Swing | Trustwave

Written by | Feb 16, 2022

It's somehow fitting that Groundhog Day and tax scam season overlap. 

Much like the 1993 Bill Murray film where he repeatedly experienced the same day, tax season scammers come out of their hole every year at the same time and tend to use the same attack methods against organizations and regular taxpayers. 

These scammers stick to these tried-and-true methods because they still work. Luckily, the fact that the same methods are used means cybersecurity teams should be well-versed in spotting an attack.

Whether its phishing scams aimed at payroll or human resources personnel with the goal of obtaining W-2 tax form data or phony Internal Revenue Service telephone calls to taxpayers trying to grab personally identifiable information, tax scam cybercriminals are now a month into their busy season.

Unfortunately for American citizens, tax scams are far more common in the U.S. than in other countries because of the requirement in the U.S. for taxpayers to file tax returns every year. Unfortunately, this situation is not the same in other nations, so threat actors focus their tax scam efforts on the U.S.

To help counter this annual attack trend, the Cybersecurity and Infrastructure Security Agency (CISA) has issued a series of tips to help organizations and citizens avoid being victimized.

W-2 Tax Form Scams

W-2 tax forms contain a treasure trove of information that threat actors greatly value, such as employees' names, addresses, Social Security numbers, and wages, the IRS stated in a warning issued last year. Typically, criminals use the W-2 information to send in fraudulent tax returns diverting any money owed to the worker to the criminal's bank account. However, that is only one use. The attacker can use the personally identifiable information found on the tax form to conduct a wide variety of attacks or gain access to additional data.

Attackers often obtain the W-2 data directly from businesses and organizations. The threat actors accomplish this by using social engineering, which usually entails sending an email from an executive at the targeted company to a person with access to that businesses' W-2 forms. The adversary asks for access to the W-2 information. Since the emails contain the name of a high-ranking person at the company, the human resources or payroll person who receives the email often complies with the request.

The IRS also noted that attackers are now targeting tax preparers with a new email scam. In this case, the attacker impersonates the IRS and attempts to steal Electronic Filing Identification Numbers (EFINs). These thieves then use this information to steal client data and tax preparers' identities, allowing them to file fraudulent tax returns for refunds.

The IRS first spotted this attack variant in early 2021. It uses a phishing email purportedly from the IRS and carries the subject line "Verifying your EFIN before e-filing."

In this case, attackers ask tax preparers to email documents that would disclose their identities and EFINs to the thieves. The attackers then use this information to file fraudulent returns by impersonating the tax professional.

Tax professionals also should be aware of other common phishing scams that seek EFINs, Preparer Tax Identification Numbers (PTINs), or e-Services usernames and passwords.

Some thieves also pose as potential clients. This scam is especially effective because so many remote transactions are taking place due to the pandemic. For example, the thief may repeatedly interact with a tax professional and send an email with an attachment that claims to be their tax information.

Phishing is the Primary Attack Vector 

The primary attack vector is phishing for businesses and taxpayers. CISA's alert noted that scam artists pose as legitimate entities—such as the Internal Revenue Service (IRS), other government agencies, and financial institutions—to defraud taxpayers. The attackers employ sophisticated phishing campaigns to lure users to malicious sites or entice them to activate malware in infected email attachments.

Threat actors use three common elements when conducting a phishing attack.

A Lure: Enticing email content.

Using the name of the Internal Revenue Service or other financial or tax preparation service in the email to make the recipient believe they are in trouble with the government. 

  • A Hook: An email-based exploit.

The email usually has embedded malicious content. These can come in the form of links leading to malicious websites or attachments. In both cases, the link or attachment name displays as a recognized, legitimate website, but the actual URL redirects the user to malicious content.

  • A Catch: A transaction conducted by an actor following a successful attempt.

The victim can spot if they have been hoodwinked by the appearance of unexplainable charges to their bank accounts or payment cards after interacting with the email.

Detecting the Scam

The best way to avoid being victimized is to understand that the IRS 

does not initiate contact with taxpayers by email, text messages, or social media channels to request personal or financial information, CISA said. 

The IRS noted that it conducts all correspondence through the U.S. Postal Service, so if a business is contacted by any other means that communication should be treated as suspicious.

DATA SHEET

Trustwave MailMarshal Secure Email Gateway

Trustwave MailMarshal helps you catch threats that others miss, simplify implementation and management, and prevent data loss. Fortify email security “out of the box” whether you host in the cloud, on-premises, or a hybrid deployment.