Global tax deadlines typically fall between April and July, making this period particularly vulnerable to cyberattacks exploiting tax reporting themes. Over the past several months, we have observed a significant increase in such attacks. These cyber threats vary widely in nature and can pose multiple risks, including credential harvesting, data theft, and malware infections. Attackers often use phishing emails, malicious websites, and fraudulent tax-related documents to deceive individuals and organizations, aiming to steal sensitive information or compromise systems.
One German-language example stated that the recipient had outstanding documents that needed to be resolved within seven days. While the message originated from the United States, the From address (which can easily be spoofed) indicated an Argentinian sender, and the URL pointed to staging[.]unitedsmarttech[.]com, a domain unrelated to German tax authorities.

If the link is clicked, the destination is a cloned version of the German Federal Central Tax Office site that solicits credentials and posts them back to the threat actor.

Tax-related attacks also commonly lead to malware infection. Remote access trojans, such as Remcos in the example below, are the preferred malware avenue for threat actors targeting attorneys and accountants. This example claimed to be tax documents uploaded to a secure work drive. We often see these threat actors engage in pretexting to add a sense of legitimacy to the message. In this case, the sender inquired whether preparation fees remained consistent with the previous year. The link in the message purported to be the sender’s W2 (wage statement), but it pointed to a GitHub page.

If the user clicked the link, they would first encounter Cloudflare’s human check. Once the check is completed, a zip file download begins; the archive contains an executable that initiates the Remcos infection chain.

Most tax authorities will not require action through links or attachments in unsolicited emails. To stay safe from email-based threats related to tax filing scams, consider the following precautions:
- Verify the Source: Always double-check the sender's email address. Scammers often use addresses that look similar to official ones but may have slight misspellings or unusual domains.
- Avoid Clicking on Links: Do not click on links or download attachments from unsolicited emails. Instead, visit the official website of the tax authority directly by typing the URL into your browser.
- Look for Red Flags: Be wary of emails that create a sense of urgency or pressure you to act quickly. Scammers often use threats of penalties or promises of large refunds to manipulate you.
- Use Security Software: Ensure your computer has up-to-date antivirus and anti-malware software. This can help detect and block malicious emails and attachments.
- Report Suspicious Emails: If you receive a suspicious email, report it to the relevant tax authority. For example, the IRS in the United States has a dedicated email address for reporting phishing attempts.
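
The mismatches in the German example and the "Verify the Source" and "Look for Red Flags" precautions can be checked mechanically. The following Python triage function is an added example, not code from the original article; the allowlist of official domains, the English urgency patterns and both sample messages are assumptions constructed for illustration.

```python
import re
from email import message_from_string
from email.utils import parseaddr
from urllib.parse import urlsplit

# Assumption: domains this organisation accepts as the German tax authority.
OFFICIAL_DOMAINS = {"bzst.de", "elster.de"}
URL_RE = re.compile(r"\b(?:https?|hxxps?)://[^\s<>\"']+", re.I)
URGENCY_RE = re.compile(r"within \w+ days|immediately|penalt(?:y|ies)", re.I)

def refang(url):
    """Undo common defanging so the host can be compared (never fetched)."""
    return re.sub(r"^hxxp", "http", url.replace("[.]", "."), flags=re.I)

def is_official(host):
    return any(host == d or host.endswith("." + d) for d in OFFICIAL_DOMAINS)

def body_text(msg):
    """Concatenate every decoded text part of the message."""
    parts = []
    for part in msg.walk():
        if part.get_content_maintype() == "text":
            raw = part.get_payload(decode=True) or b""
            parts.append(raw.decode(part.get_content_charset() or "utf-8", "replace"))
    return "\n".join(parts)

def triage(raw_message):
    """Return the findings for one message; an empty list means no flags."""
    msg = message_from_string(raw_message)
    from_domain = parseaddr(msg.get("From", ""))[1].rpartition("@")[2].lower()
    body = body_text(msg)
    findings = []
    if not is_official(from_domain):
        findings.append("sender-not-official:" + from_domain)
    for url in URL_RE.findall(body):
        host = urlsplit(refang(url.rstrip(".,;)"))).hostname or ""
        if not is_official(host):
            findings.append("link-not-official:" + host)
    urgent = URGENCY_RE.search(body)
    if urgent:
        findings.append("urgency:" + urgent.group(0).lower())
    return findings

# Constructed samples; the link host is the defanged domain quoted in the article.
LURE = ("From: Tax Office <notice@example.com.ar>\nSubject: Outstanding documents\n\n"
        "Please resolve your outstanding documents within seven days:\n"
        "hxxps://staging[.]unitedsmarttech[.]com/\n")
BENIGN = ("From: Tax Office <info@bzst.de>\nSubject: Notice\n\n"
          "Your notice is available at https://www.bzst.de/\n")
```

Because the From header can be spoofed, a clean sender check alone proves nothing; the link-host and urgency findings still apply to a message whose sender looks official.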