Phishing threats return ahead of tax season in the US

As the Internal Revenue Service (IRS) has delayed the deadline for its annual Tax Day, US citizens have been given a bit more time to get their taxes in order. However, this delay has also given cybercriminals additional time to prepare their tax-themed phishing lures.

At the end of March, the IRS issued a security alert in which it warned of an ongoing email-based impersonation campaign targeting educational institutions as well as college students and staff with “.edu” email addresses. In addition to educational institutions, the cybersecurity firm Proofpoint has also observed similar threats targeting dozens of verticals from manufacturing to healthcare to energy.

While cybercriminals take advantage of tax season each year to launch tax scams that steal money and sensitive information, this year stands out because threat actors are combining their typical tax lures with healthcare and other pandemic-related lures.

So far in 2021, Proofpoint has observed over 30 tax-themed malicious email campaigns and more than 800,000 email messages, according to a new blog post from the company. These emails include attempts to compromise users' personal email accounts and steal their personal data. Proofpoint also observed multiple campaigns aligned with business email compromise activities that can be used to facilitate payroll fraud, which can cost organizations millions.

Tax-themed phishing threats

The more than 30 discrete campaigns observed by Proofpoint came from multiple threat actors and targeted thousands of people with malicious email lures associated with taxes, tax and refund support, and government revenue entities. At least four different threat actor groups tracked by the firm have launched tax-themed malicious email campaigns in 2021.

Credential theft phishing attempts accounted for 40 percent of the campaigns, and these can be used to target individuals or for email account takeovers. Remote Access Trojans (RATs) were used in 17 percent of the campaigns, and while fewer campaigns featured RATs, they were far more popular in total message volume.

Half of the tax-themed campaigns and related messages contained malware that is used to distribute the Remcos RAT, which has extensive data theft and surveillance capabilities. Other tax-themed malware distribution campaigns observed by Proofpoint included Dridex, TrickBot and ZLoader.

Last year, cybercriminals increasingly used Excel 4.0 (XL4) macros to distribute malware and this trend has continued in 2021. Proofpoint observed a 500 percent increase in tax-themed email threat campaigns delivering weaponized XL4 macros in just the first three months of this year.

To avoid falling victim to tax-themed phishing campaigns this tax season, Proofpoint recommends that users learn to spot malicious emails and report them. At the same time, it is imperative that US citizens remember that the IRS will never contact them over email, text messages or social media and will instead send a letter by mail.

Anthony Spadafora

After working with the TechRadar Pro team for the last several years, Anthony is now the security and networking editor at Tom’s Guide where he covers everything from data breaches and ransomware gangs to the best way to cover your whole home or business with Wi-Fi. When not writing, you can find him tinkering with PCs and game consoles, managing cables and upgrading his smart home.