Everything You Need to Know About Tax Day Scams 2020

  • By Maddie Rosenthal
  • 07 April 2020

While the world’s workforce has been adjusting to remote working over the last several weeks and has, at the same time, become aware of opportunistic phishing attacks around COVID-19, attackers have been preparing their next lure: Tax Day scams.

These phishing attacks can take many different forms and target both US and UK residents. In the US, these attacks will use the deadline to file your income tax returns as bait. In the UK, these attacks will use your potential tax refund as bait. 

But we’re here to help. 

Here’s what you need to look out for and what to do in case you’re targeted by Tax Day scams. 

“Note: Tax Day in the US has been moved from April 15 to July 15 because of the COVID-19 pandemic. Especially in light of the delay and confusion around the deadline, we anticipate scams will continue. ”

What do Tax Day scams look like?

As is the case with other phishing and spear phishing attacks, hackers will be impersonating trusted brands and authorities and will be – in some way – motivating you to act. Let’s take a closer look at how they do both through a series of examples.

Example 1: IRS Impersonation 

What’s wrong with this email?

  • The IRS does not initiate contact with taxpayers by email to request personal or financial information, so any such request “from” the IRS is illegitimate.
  • There is an extra “r” in “internal” in the sender’s email address: a lookalike domain, not the real one.
  • Genuine email addresses from US government agencies end in the “.gov” top-level domain; this one does not.
  • There are spelling errors and inconsistencies in the text that you wouldn’t expect from a government agency.

Example 2: Tax-Preparation Software Impersonation

What’s wrong with this email?

  • While the sender’s email address does contain Fast Tax, the company name, the top-level domain (.as) is unusual and is not the vendor’s real domain.
  • The sender is motivating the target to follow the embedded link by claiming their tax return is incomplete.
  • Upon hovering over the link, you’ll see the URL is suspicious. Please note, though: a suspicious URL can still take you to a landing page that appears legitimate, so the URL, not the page it leads to, is what you should judge.

Example 3: HMRC Impersonation

What’s wrong with this email?

  • While the Display Name, email template, logos, and language used in the email seem consistent with HMRC, the sender’s email address ends in “.net” instead of “.gov.uk”.
  • Upon hovering over the link, you’ll see the URL points somewhere other than gov.uk.

Example 4: Client Impersonation

What’s wrong with this email?

  • Unfortunately, in this case, there are no obvious giveaways that this is a phishing scam. However, if Joe, the tax accountant in this scenario, knew he had never met or interacted with a woman named Karen Belmont, an unsolicited attachment from her would be a warning sign.
  • Individuals and organizations should always be wary of unexpected attachments, should open them only after confirming the sender is genuine, and should have anti-malware protection in place.

Example 5: CEO Impersonation

What’s wrong with this email?

  • The sender’s domain (supplier-xyz) is not the recipient’s organization’s domain. A genuine message from the CEO would come from the company’s own domain, not an external one.
  • The attacker is impersonating the CEO in the hope that the target will be less likely to question the request.
  • The attacker is using urgency both in the subject line and the email copy to motivate the target to act quickly.
  • Because this is a zero-payload attack (one that doesn’t rely on a link or attachment to carry malware), there is nothing for anti-malware or anti-virus software to scan, so it wouldn’t detect the scam.
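Most of the tells in Examples 1, 2, 3 and 5 can be checked mechanically before a person ever reads the message: a brand named in the display name but absent from the sender domain, a brand word misspelled by one character, a government brand without a government domain, a link whose visible text shows one host while the href points at another, an internal name arriving from an external domain, and urgency in the subject line. The script below is an added example, not the page’s or Tessian’s code. It assumes irs.gov and gov.uk as the genuine sending domains; fasttax.example, company.example and the four sample messages are constructed for illustration.

```python
"""Heuristic sender and link checks for the tax-season phishing patterns above.
Added example; sample messages and the vendor domain fasttax.example are constructed."""
import re
from email.utils import parseaddr
from urllib.parse import urlparse

# Domains the impersonated brands genuinely send from (assumed for the example;
# the IRS uses irs.gov and HMRC uses gov.uk; fasttax.example is hypothetical).
BRAND_DOMAINS = {
    "irs": ("irs.gov",),
    "internal revenue": ("irs.gov",),
    "hmrc": ("gov.uk",),
    "fast tax": ("fasttax.example",),
}
# Brand words that, misspelled by one character inside a domain label, mark a lookalike.
BRAND_WORDS = ("internal", "revenue", "irs", "hmrc", "fasttax")
URGENCY = ("urgent", "immediately", "today", "final notice", "deadline")


def edit_distance(a, b):
    """Levenshtein distance, kept inline so the check has no dependencies."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def under(domain, parent):
    """True if domain is parent or a subdomain of it."""
    return domain == parent or domain.endswith("." + parent)


def is_gov(domain):
    """US .gov or UK gov.uk (including subdomains such as hmrc.gov.uk)."""
    return re.search(r"(^|\.)gov(\.uk)?$", domain) is not None


def analyze(msg):
    """Return human-readable findings for a message dict with keys
    from, subject, links [(anchor_text, href)], recipient_domain, internal_names."""
    findings = []
    display, address = parseaddr(msg["from"])
    domain = address.rpartition("@")[2].lower()
    claim = (display + " " + address.split("@")[0]).lower()
    own = msg["recipient_domain"].lower()

    # 1. Brand named in the display name or local part, but the domain is not the brand's.
    for brand, expected in BRAND_DOMAINS.items():
        if re.search(rf"\b{re.escape(brand)}\b", claim) and not any(under(domain, e) for e in expected):
            findings.append(f"claims to be {brand!r} but sender domain is {domain!r}")
            if any(is_gov(e) for e in expected) and not is_gov(domain):
                findings.append(f"government brand without a government domain ({domain!r})")

    # 2. Lookalike: a brand word one edit away inside a domain label (the extra 'r' in 'internal').
    for token in re.split(r"[^a-z0-9]+", domain):
        for word in BRAND_WORDS:
            if token != word and edit_distance(token, word) == 1:
                findings.append(f"lookalike label {token!r} resembles {word!r}")

    # 3. An internal person's name arriving from outside the organisation (CEO fraud).
    if any(n.lower() in display.lower() for n in msg.get("internal_names", ())) and not under(domain, own):
        findings.append(f"internal display name {display!r} from external domain {domain!r}")

    # 4. Links: the host shown in the anchor text differs from the real host, or the host is unexpected.
    for text, href in msg.get("links", ()):
        host = (urlparse(href).hostname or "").lower()
        shown = re.match(r"(?:https?://)?([a-z0-9.-]+\.[a-z]{2,})", text.strip().lower())
        if shown and shown.group(1) != host:
            findings.append(f"link text shows {shown.group(1)!r} but points to {host!r}")
        known = [e for exp in BRAND_DOMAINS.values() for e in exp] + [own]
        if not any(under(host, k) for k in known):
            findings.append(f"link to unexpected host {host!r}")

    # 5. Pressure to act now in the subject line.
    if any(w in msg.get("subject", "").lower() for w in URGENCY):
        findings.append("urgent language in subject")
    return findings


# Constructed sample messages mirroring Examples 1, 3 and 5, plus a benign control.
IRS_LOOKALIKE = {
    "from": "Internal Revenue Service <notices@interrnal-revenue-service.com>",
    "subject": "Final notice: your 2019 return",
    "links": [("Click here to file", "http://interrnal-revenue-service.com/file")],
    "recipient_domain": "company.example",
}
HMRC_LOOKALIKE = {
    "from": "HMRC Refunds <refunds@hmrc-tax-refund.net>",
    "subject": "You are eligible for a tax refund",
    "links": [("https://www.gov.uk/claim-tax-refund", "http://hmrc-tax-refund.net/claim")],
    "recipient_domain": "company.example",
}
CEO_FRAUD = {
    "from": "Jane Doe <jane.doe@supplier-xyz.com>",
    "subject": "URGENT: I need the W-2s today",
    "links": [],
    "recipient_domain": "company.example",
    "internal_names": ("Jane Doe",),
}
BENIGN = {
    "from": "Payroll <payroll@company.example>",
    "subject": "W-2s are available",
    "links": [("https://company.example/payroll", "https://company.example/payroll")],
    "recipient_domain": "company.example",
    "internal_names": ("Jane Doe",),
}

if __name__ == "__main__":
    for name, msg in [("IRS", IRS_LOOKALIKE), ("HMRC", HMRC_LOOKALIKE), ("CEO", CEO_FRAUD), ("benign", BENIGN)]:
        print(name, analyze(msg))
```

Note what the control shows: the CEO-fraud message (Example 5) carries no link or attachment, so only the external-domain and urgency checks fire; that is exactly the case a payload scanner misses, and it is why sender-identity checks matter as much as malware scanning.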

Who will be targeted by Tax Day scams? 

From the examples above, you can see that cybercriminals will target a range of people with their Tax Day scams. Taxpayers, tax professionals, and businesses are all susceptible and savvy hackers will use different tactics for each. 

Here’s what you should look out for.

Taxpayers

  1. Attackers will be impersonating trusted government agencies like HMRC and the IRS, and third parties like tax professionals and tax software vendors.
  2. Attackers will use coercive language and the threat of missed deadlines or promises of refunds to motivate their targets to act.
  3. Many phishing emails contain a payload; this could be in the form of a malicious link or attachment. 

For more information on payloads, read this comprehensive guide to phishing scams.

Tax Professionals

  1. Attackers will be impersonating either existing clients/customers or prospects. In either case, they’ll be pretending to need help with their tax return or tax refund.
  2. Attackers will use the lure of new business or the threat of losing a customer to motivate their targets to act.
  3. Many phishing emails contain a payload; this could be in the form of a malicious link or attachment. 

Businesses

  1. Attackers will be impersonating CEOs, HR representatives, Finance Directors, or other individuals or agencies who need access to sensitive tax information.
  2. Attackers are strategic in their impersonations of people in positions of power; people are less likely to question their superiors. 

What do I do if I’m targeted by a phishing attack?

While it’s true that attackers use different tactics and capitalize on different moments in time to trick their targets, individuals and businesses should always follow the same guidelines if they think they’ve received a phishing email.

“The IRS does not initiate contact with taxpayers by email, text message, or other online channels to request personal or financial information.”
  1. If anything seems unusual, do not follow or click links or download attachments. 
  2. The best way to avoid falling victim to one of these scams is simply not to provide any personal information until you have verified that you’re communicating with a genuine agency, organization, or agent. Don’t use the contact details in the email: visit the organization’s website yourself (type the address or use your preferred search engine), find a support number there, and ask them to confirm the request for information is valid.
  3. If the email appears to come from an individual you know and trust, like a colleague, customer, or client, reach out to the individual directly by phone, text or a separate email thread.
  4. If you’re an employee who’s been targeted, contact your line manager and/or IT team. Management should, in turn, warn the larger organization.

More resources

As a security start-up, we’re committed to helping you stay safe. If you’re looking for more information on Tax Day scams, consult the following government websites.

  1. Advice from the IRS
  2. Advice from HMRC

How to protect your organization from phishing attacks year-round

As we’ve mentioned, Tax Day scams are just one of the ways bad actors will try to get hold of sensitive information or infect devices with malware. The best way to avoid falling for these scams year-round is to educate your employees and stay vigilant. 

If you’re an organization, it only takes one mistake, one time for your most sensitive data to fall into the wrong hands. If you’re an IT or Security professional looking for a solution that’s more effective than awareness training and SEGs at preventing advanced phishing threats, consider Tessian Defender

Book a demo now to find out how Tessian uses contextual machine learning to detect and prevent advanced spear phishing attacks without impeding employees’ productivity.
