Select Page

Cyren Security Blog

The Cyren Security Blog is where Cyren engineers and thought leaders provide insights, research and analysis on a range of current cybersecurity topics.

Beware the Ides of April: Tax Fraud Season in Full Gear

It’s tax season, and in the 21st century that means that not only are government revenue agents awaiting your company’s and your employees’ data and looking to settle accounts, but that cybercriminals are hard at work with a variety of cyber scams aimed at diverting tax refunds and stealing sensitive personal information.

This season’s scams run the gamut, from traditional taxpayer phishing scams to more sophisticated fraud involving data stolen from accountants and tax preparers.

Tax Preparers Are a Key Leverage Point

Tax accountants and preparers are an obvious point of potential leverage for tax fraudsters. The IRS recently released a specific warning urging tax professionals to increase their level of cyber security and watch for emails carrying malware aimed at stealing client data.

The scam works by first breaching the computer files belonging to tax accountants. The criminals steal the tax preparer’s client data, and then file a fake return with the IRS, using the taxpayer’s real bank account information to have the return deposited. The criminals then contact the victim and pretend to be the IRS or a debt collection agency, informing the victim that the deposit was made in error and they must redirect the deposit back to the IRS—in reality a different bank account owned by the criminal.

Shown at right: A fake — and professionally done — banking site used in a tax refund phishing campaign.

Phishing for Tax Tool Credentials

Phishing remains one of the most common tax fraud techniques, so learning how to identify phishing links can be helpful. In another recent scam reported by the IRS, this phishing scam attempts to steal passwords and data by tricking tax professionals into “signing” a new (but fake) e-Services user agreement—a legitimate online tool for tax professionals from the IRS. One example—in a fake email claiming to be from “e-Services Registration,” and using the subject line of “Important Update about Your e-Services Account,” the phishing email informs the tax preparer that “We are rolling out a new user agreement and all registered users must accept its revised terms to have access to e-Services and its products.” The scam then uses a link to redirect the victim to a fake site to review and accept the agreement. While on the site, the victim is asked to provide user names and passwords.

Human Resources Staff are Prized Targets

In another increasingly common email scam, human resources staff are often targeted with emails impersonating the CEO and requesting copies of all the employee W-2 forms. Once the criminals have copies of the forms, they’ll either use the data to file fraudulent tax returns or sell the data on the Dark Web.

Example of a phishing email sent to the head of HR, impersonating the company’s CEO.

But Taxpayers Still the Main Target

However, taxpayers still remain the number one target of cybercriminals during tax season. Many of these types of scams arrive in the victims email with an attached document containing instructions and links to phishing websites. Cyren identified two recent such scams, you can read about them here and here. Once the victim clicks the URL, he or she is often redirected to a website that goes to great lengths to appear legitimate, such as the one below, a tax refund-stealing site in Malaysia.

Fraudulent phishing web site to steal tax refunds in Malaysia

The victim then clicks his financial institution’s logo and gets redirected to another fake banking site, where he or she is asked to provide sensitive information, including their user name, password, and bank account number.

In a slightly different scheme, criminals attempt to trick the recipient into opening a PDF by suggesting that the victim’s tax refund information is now available for viewing. Once the email is opened, the victim is encouraged to click a link which redirects to a phishing site seeking the victim’s personal credentials.

Report suspicious activity

If you or someone you know receives an email claiming to be from a government tax authority, Cyren urges you to immediately report the activity to the appropriate government agency. In the United States, you can report the crime to both federal and local authorities. More information on reporting resources can be found here on the IRS’ tax scams page.

Doveryai, no proveryai — and get your defenses in order

With individuals and companies around the globe becoming targets (and victims) of tax refund scams, it is critical to implement strong email gateway security which can prevent phishing emails from reaching users in the first place. Strong time-of-click and web gateway security also block access to phishing links as a separate layer of protection.

Naturally, all businesses should remind their employees that most major government tax authorities, including the U.S. Internal Revenue Service (IRS), will never:

  • Email, text message, or call them to verify their identity by asking for personal and financial information.
  • Email, text message, or call them to demand immediate payment.
  • Request credit or debit card numbers via email, text message, or over the phone or require them to use a specific payment method to pay taxes, such as a prepaid debit card.

If you suspect fraud, type the address of your financial institution directly into your web browser. Remember the Russian proverb, “Doveryai, no proveryai” — trust, but verify.

You might also like

Phishing with QR codes

Don’t Scan or be Scammed By Maharlito Aquino, Kervin Alintanahin and Dexter To In 1994, a type of the matrix barcode known as the Quick Response code, now widely known as QR code, was invented by Masahiro Hara from a Japanese company Denso Wave. The purpose of the...