Tessian’s mission is to secure the human layer by empowering people to do their best work, without security getting in their way.

It’s that time of year again…Tax Day. But, making a payment to the IRS isn’t the only thing you need to be worried about. ‘Tis the season for tax day scams.

These phishing attacks can take many different forms. In the US, these attacks will use the deadline (May 17, 2021 – extended from April 15, 2021) to file your income tax returns as bait. In the UK, these attacks will use your potential tax refund as bait. 

But we’re here to help. 

Here’s what you need to look out for and what to do in case you’re targeted by Tax Day scams. 

 What do Tax Day scams look like?

As is the case with other phishing and spear phishing attacks, bad actors will be impersonating trusted brands and authorities and will be – in some way – motivating you to act.

Want to learn more about impersonation or get a better idea of what the average phishing attack looks like? Check out these articles:

• What is Phishing? Phishing 101
• What is Spear Phishing?
• The Difference Between Phishing and Spear Phishing 
• What is Email Impersonation?

Please note: In this article, we’re exploring Tax Day scams on email. You may also receive phone calls or text messages from bad actors, claiming that you’re being investigated for tax fraud or have an overdue bill. They may also simply request more information from you, like your name and address, or bank account details.

You shouldn’t give any of this information away over the phone. Government organizations will never call you or use recorded messages to demand payment.

Now, let’s take a closer look at how they do both through a series of examples.

Example 1: IRS Impersonation 

What’s wrong with this email?

• The IRS has said they never contact taxpayers by email, so any correspondence “from” them is illegitimate
• There is an extra “r” in “internal” in the sender’s email address
• Email addresses from government agencies will always contain the toplevel domain “.gov”
• There are spelling errors and inconsistencies in the text that you wouldn’t expect from a government agency

Example 2: Tax-Preparation Software Impersonation

What’s wrong with this email?

• While the sender’s email address does contain the company name (Fast Tax), the toplevel domain name (.as) is unusual
• The sender is motivating the target to follow the embedded link by claiming their tax return is incomplete
• Upon hovering over the link, you’ll see the URL is suspicious. Please note, though: A suspicious URL can still take you to a landing page that appears legitimate. These are called malicious websites. Want to learn how to spot a malicious website? Check out this article.

Example 3: HMRC Impersonation

What’s wrong with this email?

• While the Display Name, email template, logos, and language used in the email seem consistent with HMRC, the sender’s email address contains the toplevel domain “.net” instead of “.gov.uk”
• Upon hovering over the link, you’ll see the URL is suspicious

Example 4: Client Impersonation

What’s wrong with this email?

• Unfortunately, in this case, there are no obvious giveaways that this is a phishing scam. However, if Joe, the tax accountant in this scenario, knew he hadn’t met or interacted with a woman named Karen Belmont, that could be a warning sign
• Individuals and organizations should always be wary of attachments and should have anti-malware and/or virus protection in place
• This examples demonstrates the importance of having policies in place to verify clients beyond email. And remember, there’s nothing wrong with being extra cautious this time of year.

Example 5: CEO Impersonation

What’s wrong with this email?

• The the sender’s email address (@supplier-xyz.com) is inconsistent with the recipient’s email address (@supplierxyz.com)
• The attacker is impersonating the CEO, hoping that the target will be less likely to question the request; this is a common social engineering tactic 
• The attacker is using urgency both in the subject line and the email copy to motivate the target to act quickly
• Because this is a zero-payload attack (an attack that doesn’t rely on a link or attachment to carry malware), anti-malware or anti-virus software wouldn’t detect the scam

You can learn more about CEO impersonation (also called CEO fraud) in this article: What is CEO Fraud?

Who will be targeted by Tax Day scams? 

From the examples above, you can see that cybercriminals will target a range of people with their Tax Day scams. Taxpayers, tax professionals, and businesses are all susceptible and savvy hackers will use different tactics for each. 

Here’s what you should look out for.

Taxpayers

1. Attackers will be impersonating trusted government agencies like the IRS and HMRC and third-parties like tax professionals and tax software vendors
2. Attackers will use coercive language and the threat of missed deadlines or promises of refunds to motivate their targets to act
3. Many phishing emails contain a payload; this could be in the form of a malicious link or attachment

For more information on payloads, read this article: What is a Malicious Payload and How is it Delivered? 

Tax Professionals

1. Attackers will be impersonating either existing clients/customers or prospects. In either case, they’ll be pretending they need help with their tax return or tax refund
2. Attackers will use the lure of new business or the threat of losing a customer to motivate their targets to act
3. Many phishing emails contain a payload; this could be in the form of a malicious link or attachment. 

Businesses

1. Attackers will be impersonating CEOs, HR representatives, Finance Directors, or other individuals or agencies who need access to sensitive tax information
2. Attackers are strategic in their impersonations of people in positions of power; people are less likely to question their superiors. 

What do I do if I’m targeted by a Tax Day scam?

While it’s true that attackers use different tactics and capitalize on different moments in time to trick their targets, individuals and businesses should always follow the same guidelines if they think they’ve received a phishing email.

1. First and foremost, always, always, always check the sender. Confirm that the domain is legitimate and that the Display Name matches the email address. Be wary of any emails that aren’t from a “.gov” address.
2. If anything seems unusual, do not follow or click links or download attachments 
3. Check for spelling errors or formatting issues. Be scrupulous! If anything feels off, proceed cautiously. (See below.
4. If the email appears to come from an individual you know and trust, like a colleague, customer, or client, reach out to the individual directly by phone, text or a separate email thread
5. If you’re an employee who’s been targeted, contact your line manager and/or IT team. Management should, in turn, warn the larger organization
6. The best way to avoid falling victim to one of these scams is to simply not provide any personal information until you verify with 100% certainty that you’re communicating with a genuine agency, organization, or agent. Visit the organization’s website via Google or your preferred search engine, find a support number, and ask them to confirm the request for information is valid.

More resources

As a security start-up, we’re committed to helping you stay safe. If you’re looking for more information on Tax Day scams, consult the following government websites.

1. Advice from the IRS
2. Advice from HMRC

Looking for more advice about scams? Sign-up to our newsletter below to get articles just like this, straight to your inbox.