Skip to main content

Phishing threats return ahead of tax season in the US

Hook on Keyboard
(Image credit: wk1003mike / Shutterstock )

As the Internal Revenue Service (IRS) has delayed the deadline for its annual Tax Day, US citizens have been given a bit more time to get their taxes in order. However, this delay has also given cybercriminals additional time to prepare their tax-themed phishing lures.

At the end of March, the IRS issued a security alert in which it warned of an ongoing email-based impersonation campaign targeting education institutions as well college students and staff with “.edu” email addresses. In addition to educational institutions, the cybersecurity firm Proofpoint has also observed similar threats targeting dozens of verticals from manufacturing to healthcare to energy.

While cybercriminals take advantage of tax season each year to launch tax scams to steal money and sensitive information, this year is particularly unique due to the fact that threat actors are combining their typical tax lures with healthcare and other pandemic-related lures.

So far in 2021, Proofpoint has observed over 30 tax-themed malicious email campaigns and more than 800,000 email messages, according to a new blog post from the company. These emails include attempts to compromise users' personal email accounts and steal their personal data. Proofpoint also observed multiple campaigns aligned with business email compromise activities that can be used to facilitate payroll fraud which can cost organizations millions.

Tax-themed phishing threats

The over 30 discrete campaigns observed by Proofpoint have targeted thousands of people from multiple threat actors that used malicious email lures associated with taxes, tax and refund support and government revenue entities. At least four different threat actor groups tracked by the firm have launched tax-themed malicious email campaigns in 2021.

Credential theft phishing attempts accounted for 40 percent of the campaigns and these can be used to target individuals or for email account takeovers. Remote Access Trojans (RAT) were used in 17 percent of the campaigns and while fewer campaigns featured RATs, they were far more popular in total message volume. 

Half of the tax-themed campaigns and related messages contained malware that is used to distribute the Remcos RAT which has extensive data theft and surveillance capabilities. Other tax-themed malware distribution campaigns observed by Proofpoint included Dridex, TrickBot and ZLoader.

Last year, cybercriminals increasingly used Excel 4.0 (XL4) macros to distribute malware and this trend has continued in 2021. Proofpoint observed a 500 percent increase in tax-themed email threat campaigns delivering weaponized XL4 Macros in just the first three months of this year.

To prevent falling victim to tax-themed phishing campaigns this tax season, Proofpoint recommends that users learn to spot malicious emails and report them. At the same time though, it is imperative that US citizens remember that the IRS will never contact you over email, text messages or social media and will instead send you a letter by mail.