Security experts are seeing a rise this tax season of phishing schemes and malware tied to hot button subjects like tax refunds, stimulus payments and COVID-19 vaccines.
The Internal Revenue Service recently warned about an ongoing IRS-impersonation scam that mainly targets educational institutions, including students and staff who have “.edu” email addresses. The emails show the IRS logo and use subject lines such as “Tax Refund Payment” or “Recalculation of your tax refund payment.” It then asks people to click a link and submit a form to claim their refund where they are asked for personal information such as their Social Security number. The Treasury Department’s Financial Crimes Enforcement Network has also warned this tax season about phishing emails tied to Economic Impact Payments and COVID-19 (see story).
Tax season scams have become routine over the years, but the cybercriminals have become more sophisticated and often try to make their emails seem to come from the IRS itself, or in some cases from legitimate accounting and tax preparation firms. While many of them originate in the U.S., there are also scams coming from organized crime groups abroad using malware that can take over a victim’s computer.
“We see a lot of lures with IRS branding,” said Sherrod DeGrippo, senior director of threat research and detection for Proofpoint, an email security company. “We’re seeing the branding of the IRS used, as well as general mentions of the IRS.”
The emails often spotlight topical issues that are likely to get the attention of would-be victims, according to DeGrippo. She spotted an email last month, shortly after the passage of the Biden administration’s relief package, that said, “According to American Rescue Plan Act of 2021, if you’re a United States citizen or have legal status, you can get your choice of a stimulus check, you can skip the lines for vaccination, you can increase minimum wage federal warranties, or you can get free meals.”
“We saw subjects like American Rescue Plan Act, IRS Rescue Plan Act, President’s Rescue Plan Form, and when you open this up, it takes you to a piece of banking malware called Dridex,” said DeGrippo. “What Dridex does is it essentially is able to access your banking information, and it acts as a sort of bot in the background of your computer and can steal money directly out of your banking account, or steal your banking credential when you try to log in. This was tied to the American Rescue Plan Act of 2021, so they’re essentially leveraging that news to try to get people to click on this, which will then infect them with a banking Trojan.”
Dridex has been around for many years, but cybercriminals are attaching it to up-to-date messages. “It’s a very dangerous banking malware, but they are matching up that social engineering to coincide with the IRS tax-filing date, etc., to deliver the same malware that they’ve always used,” said DeGrippo. “Whatever is happening at the moment, they typically can align with.”
The cybersecurity company McAfee is also warning about the perennial tax season scams. This year, it’s seeing scams related to Economic Impact Payments, as well as other common tactics such as email phishing.
“Tax season is one of the most important times to practice digital wellness,” said McAfee executive vice president Terry Hicks. “As we embrace the convenience of living our lives online, it makes sense to take a few steps to protect ourselves. It’s better to prevent a problem than to be in the position of fixing one. Just like eating well and exercising can help keep us out of the doctor’s office, digital wellness practices can keep hackers at bay.”
Last year, the IRS identified $2.3 billion in tax fraud schemes, and McAfee predicts that number could grow this year, especially as more consumers file their taxes online. The company is warning taxpayers to beware of emails or phone calls from anyone claiming to be from the IRS, as the IRS only uses “snail mail” to contact taxpayers about problems.
Another security company, Cybereason, has been seeing a rise in other forms of malware this year with names like Netwire and Remcos, described in a recent blog post. The malware gives cybercriminals remote access to a victim’s computer, and the cybercriminals are leveraging tax season and topical subjects to lure victims. The malware can evade traditional antivirus software: the Netwire and Remcos payloads are stored inside image files hosted on public cloud services such as “imgur,” which makes them difficult to detect. “As a part of the infection process, a legitimate OpenVPN client is downloaded and executed then sideloads a malicious DLL that drops NetWire/Remcos,” warned Cybereason.
“Attackers use stories in the news to influence targets to click links in phishing attacks,” said Lamar Bailey, senior director of security research at the cybersecurity company Tripwire. “2020 was the year of COVID and attackers took full advantage by crafting phishing attacks based around the epidemic. They were able to play off the ever-changing story to promote cures, treatments, and case numbers to get targets to click malicious links. The trend continues into 2021 by using COVID vaccines as the top story to promote the malicious links. This time of year in the US, using phishing emails that appear to originate from the IRS is a very effective way to spread malware.”
The Treasury Inspector General of Tax Administration recently urged taxpayers and tax professionals to beware of the scams. TIGTA’s Office of Investigations warned that criminals are engaging in various scams and schemes in attempts to intercept Economic Impact Payments. Criminals may also try to steal sensitive taxpayer information as the pandemic enters its second year. “In these troubled times, crooks and scammers will try to defraud taxpayers in every way possible,” TIGTA Inspector General J. Russell George said in a statement during National Consumer Protection Week last month. “Taxpayers need to be especially vigilant when contacted by individuals claiming to be from the IRS.”
The National Cyber Security Alliance partnered with the IRS to create a tip sheet offering some best practices for data safety while filing taxes, such as preparing devices, safely sharing personally identifiable information, phishing red flags, safely working with tax preparers and more.
Another form of malware that’s been used by the cybercriminals in the IRS fake emails is called Zloader. “Once you get Zloader on your machine, it can then communicate in the background to download next-stage payloads and steal all kinds of information or put other malicious software onto your machine,” said DeGrippo. Her team at Proofpoint saw various kinds of subject lines for that phishing email.
One of them said, “Greetings. Have your accountants received any updates from the Internal Revenue Service? Their new corporate policies affect several of the agreements in our establishment. You must check the new taxation rules. They can be found in the attached file.” The attached file is a malicious Word document. “When you open it, it will communicate in the background and download that Zloader malware,” said DeGrippo.
In addition to malware, her team often sees domains registered to try to trick people into thinking that they are accounting firms, tax preparation firms or the IRS itself. “It will be YourFavoriteAccountant.com or something like that, and you’ll click on it and it will take you to either credential phish or malware,” said DeGrippo.
Phishing emails from sites purporting to be the IRS and with the IRS logo might say something like, “The IRS is going to put your money directly in your bank account. Put your bank details here.”
“I’ve got about 1,000 malicious domains that leverage the concept of tax, tax banking, tax refund and tax refund relief in the past two weeks,” said DeGrippo when interviewed in March.
She also finds phishing schemes purporting to come from HMRC, Her Majesty’s Revenue and Customs in the U.K. One phishing email exhorts recipients to claim their refund from HMRC by inputting their credit card details and profile. Another phishing email was aimed at Canadian taxpayers and claimed to come from Deloitte Canada. “It says tax billing and pretends to be from Deloitte Canada, and it has some signature information that pretends to be Deloitte, but this is 100 percent fake,” said DeGrippo. “This is a malicious XLS document so this is all leveraging Deloitte around tax time and is not legitimate at all. We see the IRS used all the time and tax schemes used all the time for all different kinds of malware.”
Proofpoint acts as an email gateway for its customers, so it is able to inspect their email as it passes through the company’s servers and examine potentially malicious messages before they reach customers. “Every domain, every attachment, every URL we inspect those ourselves to see if they’re good or bad, and if it’s bad, of course we don’t let that email go through,” said DeGrippo. “But we do collect all the bad information to look through and see what’s bad about it and what it’s doing. We create threat intelligence out of that. This year we are tracking about 15 separate campaigns that are using IRS logos.”
One email the company detected said, “Efile provider services. Transmit your 2020 file tax successfully according to the attached. Thank you, Charles, agency executive commissioner of the Internal Revenue Service,” perhaps claiming to come from IRS Commissioner Charles Rettig himself. It sends the Remcos malware as an attached executable file. “It’s a command and control server so it can control your computer after infecting it with that,” said DeGrippo.
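A gateway-style triage check over one constructed lure, added here as an example; it is not Proofpoint’s code or anything from the article. It flags the three signals the campaigns above share: IRS or tax-refund wording in the subject from a sender that is not the IRS, a link to an off-site domain, and an executable or Office attachment. The sample message, the irs.gov allow-list and the keyword list are assumptions made for the example.

```python
import re
from email import message_from_string

# Constructed sample lure modelled on the messages quoted in the article; not a real capture.
SAMPLE_EMAIL = """\
From: "Internal Revenue Service" <refunds@irs-tax-refund-relief.example>
Subject: Recalculation of your tax refund payment
Content-Type: multipart/mixed; boundary="b1"

--b1
Content-Type: text/plain

The IRS is going to put your money directly in your bank account.
Put your bank details here: http://yourfavoriteaccountant.example/refund
--b1
Content-Type: application/octet-stream
Content-Disposition: attachment; filename="efile_2020.exe"

--b1--
"""

# Lure wording drawn from the subject lines the article quotes (word-bounded so "first" != "irs").
LURE_RE = re.compile(r"\b(irs|tax refund|rescue plan|stimulus|economic impact payment)\b", re.I)
# Carrier types the article names (Word document, XLS, executable) plus their macro-enabled kin.
RISKY_EXT = (".exe", ".scr", ".doc", ".docm", ".xls", ".xlsm")
# Assumption for this example: only irs.gov may legitimately send IRS-branded mail.
LEGIT_DOMAINS = ("irs.gov",)

def _is_legit(host: str) -> bool:
    return any(host == d or host.endswith("." + d) for d in LEGIT_DOMAINS)

def triage(raw: str) -> dict:
    msg = message_from_string(raw)
    m = re.search(r"@([\w.-]+)", msg.get("From", ""))
    sender = m.group(1).lower() if m else ""
    findings = []
    # IRS/tax-refund wording in the subject while the sender is not the IRS.
    if LURE_RE.search(msg.get("Subject", "")) and not _is_legit(sender):
        findings.append(f"irs_lure_from_non_irs_domain:{sender}")
    for part in msg.walk():
        name = (part.get_filename() or "").lower()
        if name.endswith(RISKY_EXT):
            findings.append(f"risky_attachment:{name}")
        if part.get_content_type() == "text/plain":
            body = part.get_payload(decode=True).decode(errors="replace")
            for host in re.findall(r"https?://([^/\s]+)", body):
                if not _is_legit(host.lower()):
                    findings.append(f"offsite_link:{host.lower()}")
    return {"sender_domain": sender, "findings": findings,
            "verdict": "quarantine" if findings else "deliver"}
```

Each finding is a separate, explainable string so the same logic can feed a SIEM rule or a quarantine decision without re-parsing the message.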
Both consumers and professionals could find themselves the target of such emails. “We see a lot of targeting of corporate accountants, controllers, anybody in those financial positions at a corporate level,” said DeGrippo. “Obviously the consumer is there, but a lot of the specific targets are going to be around those executives that are in financial controls, accounting, governance, risk and compliance, anybody who actually has to do 10-K filings. Any of those kinds of people are targets. If you’re an SEC 10-K filer, you’re a big target.”