Benjamin Franklin once said that the only certain things in life are death and taxes. While individuals, businesses, and tax preparers get ready for tax season at the beginning of each year, another certainty exists: Cybercriminals will attempt to victimize these entities with tax-related scams.
Tax season is a ripe time for phishing and spreading malware; without fail, tax-related online scams remain one of the most popular types of phishing scam every year. Through our threat intelligence network, we have identified four types of tax scams that individuals and businesses should be wary of as they’re preparing to file their taxes in 2016.
“Your account or tax return is locked or restricted”
The first type of phishing scam arrives in the form of an email claiming to be from the Internal Revenue Service (IRS). The email states that the recipient’s tax return is restricted. We have also observed phishing emails impersonating TurboTax, a popular tax preparation software, claiming that the recipient’s TurboTax account is locked. In both cases, the goal is to convince the recipient to click on a link and submit their personal information to unlock their tax return or TurboTax account.
Figure 1. Fake IRS and TurboTax emails claiming the recipient’s tax refund is restricted or their account has been locked
“Update your tax filing information”
The second type of phishing email claims that the recipient needs to update their “tax filing information” or their tax return.
Figure 2. Fake IRS-branded emails asking the recipient to update their tax filing information
Most phishing emails contain a link to a fake site, where personally identifiable information can be captured and submitted to the cybercriminals. In some cases, the link is replaced by an HTML attachment. We have seen this tactic used before to evade anti-phishing filters included in most modern browsers.
“Tax payment was deducted from your account”
Owing the IRS money is often a scary prospect, so it comes as no surprise that cybercriminals are also sending out emails claiming that a tax payment was deducted from the recipient’s bank account.
Figure 3. Fake email claims tax payment was deducted and includes a “receipt”
Attached to the email is a “receipt” that acts as a reference for the deduction. It contains a malicious file that Symantec and Norton products detect as W32.Golroted.
“You are eligible to receive a refund”
On the flip side of being told they owe money to the IRS, recipients find an even greater prospect in being told that the IRS owes them money and that they are eligible for a tax refund. While we do see these types of emails, we uncovered an interesting variation on this scam in 2016.
Figure 4. Fake email from the IRS seeking proof of identity documents
We see plenty of tax-related scams asking users to click on links or open up HTML attachments or malicious files on their computers; however, this particular scam asks the recipient to provide proof of identity. The requested proof of identity documents include a copy of a valid (signed) full passport as well as a scanned copy of a utility bill, bank statement, or credit card statement. Recipients are asked to send these documents to an @consultant.com email address.
Five tips to stay safe during tax season
When preparing to file your taxes this year and every year hereafter, here are some tips to keep in mind when receiving unsolicited communications.
- Be aware that the IRS does not initiate taxpayer communications through email—ever
- One of the biggest indications that an email is fake is when it addresses you as “sir”, “madam”, or “taxpayer”
- Do not click on any links or open any attachments claiming to be from the IRS, “Income Tax Department”, or your tax preparation company
- Report any emails claiming to be from the IRS by forwarding the emails to firstname.lastname@example.org
- Never respond to unsolicited emails requesting scanned copies of personal documents
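The warning signs in the tips above can also be checked mechanically when triaging reported mail. The following Python is an added example, not Symantec's detection logic; the indicator names, the regular expressions (including the assumption that greetings start with "Dear") and the sample message are constructed for illustration.

```python
import re
from email import message_from_string, policy
from email.message import EmailMessage

# Names the page reports being impersonated; matched in From and Subject.
BRANDS = re.compile(
    r"\b(irs|internal revenue service|income tax department|turbotax)\b", re.I)
# Generic salutations from the tips (assumes the greeting starts with "Dear").
GREETING = re.compile(r"^\s*dear\s+(sir|madam|taxpayer)\b", re.I | re.M)
# Identity documents requested in the refund scam described on the page.
ID_DOCS = re.compile(
    r"\b(passport|utility bill|bank statement|credit card statement)\b", re.I)
LINK = re.compile(r"https?://", re.I)

def tax_scam_indicators(raw: str) -> list:
    """Return the names of the page's warning signs found in one raw message."""
    msg = message_from_string(raw, policy=policy.default)
    hits, body = [], ""
    headers = str(msg.get("From", "")) + "\n" + str(msg.get("Subject", ""))
    if BRANDS.search(headers):
        hits.append("claims-irs-or-tax-preparer")
    for part in msg.walk():
        if part.is_multipart():
            continue
        name = (part.get_filename() or "").lower()
        if part.is_attachment():
            # HTML attachments stand in for a link to the fake site.
            is_html = (part.get_content_type() == "text/html"
                       or name.endswith((".htm", ".html")))
            hits.append("html-attachment" if is_html else "attachment")
        elif part.get_content_maintype() == "text":
            body += part.get_content()  # decodes transfer encoding and charset
    if GREETING.search(body):
        hits.append("generic-greeting")
    if LINK.search(body):
        hits.append("link-in-body")
    if ID_DOCS.search(body):
        hits.append("requests-identity-documents")
    return hits

def constructed_sample() -> str:
    """Constructed message combining traits of the scams described above."""
    m = EmailMessage()
    m["From"] = '"IRS Refund Department" <notice@mail.example>'
    m["Subject"] = "You are eligible to receive a refund"
    m.set_content("Dear Taxpayer,\nSend a scanned copy of your passport "
                  "and a utility bill.\n")
    m.add_attachment("<html><form></form></html>", subtype="html",
                     filename="refund.html")
    return m.as_string()

if __name__ == "__main__":
    print(tax_scam_indicators(constructed_sample()))
```

A message that trips the first indicator together with any other is worth reporting rather than answering; the checks are heuristics and will miss scams that avoid these exact phrasings.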
Try to stay safe online this tax season, and remember that the deadline to file is on Monday, April 18.
Symantec customers using our email security .cloud service are protected from all of the tax scam emails identified in this blog.
Symantec protects against this threat with the following signature: