Bad actors have already started sending out emails pretending to be tax resources and hacking legitimate, often small-business-owned websites in their efforts to get a hold of sensitive tax information, according to research published Wednesday by Sherrod DeGrippo, senior director of threat research at enterprise security company Proofpoint.
"If you have the word 'tax' in your domain name, you're a target this year," DeGrippo wrote. "And while the tax-themed email attacks hit businesses in all sectors, we also saw financial firms and construction industries targeted disproportionately. The construction industry targeting, in particular, is a reminder that no one sector is immune."
Bad actors will often use popular news trends in scam emails to get victims' attention so they give up information or download malware-containing files onto their devices. Sometimes scammers even track the online behavior of their targets to study their interests before they send an email or text in an attempt to increase the chance of gaining user trust.
Some of the scam emails discovered by Proofpoint are disguised as legitimate messages from tax resources trying to convince users to click on a bad link or download a file related to their taxes. These files, however, can contain malicious material, or macros, that can penetrate a victim's device and give bad actors the chance to access sensitive information on that device, according to DeGrippo.
This popular scamming practice, which bad actors use to target vulnerable users, is called "phishing."
One of the emails shown in DeGrippo's research reads, "Hello, Its Mr. Michaelson we had a conversation a couple days ago and in continue I'm sending you the document that you've asked for ! This is my last year tax return file, in which might be any mistakes, that led to a debt to the IRS."
The poor grammar is one indicator that the email is a scam targeted at some kind of small tax-related business. Another indicator is the sender's unfamiliar address. Additionally, the email contains a file titled "Tax_File_2042.zip." Once downloaded, that file installs a popular macro application that computers sometimes do not recognize as malware.
The file also contained "the logo of one of the largest tax preparation agencies in the United States (redacted)," DeGrippo said. "These attackers have good attention to detail. ... The document also matches what’s described in the email."
Other tax-related file names identified by Proofpoint included:
- calculation of corporate tax for december 2019_v2.xls
On top of the phishing emails, Proofpoint also discovered a number of legitimate tax-related websites that were compromised by bad actors due to security vulnerabilities and flawed webpage designs. Once attackers have control of a website, they install code that will attempt to download malware onto the devices of potential clients or customers who visit those sites, DeGrippo said.
Small businesses can avoid these scams by being extra wary of tax-themed emails from known senders or email addresses that look somewhat familiar but are not exact. Companies with websites and apps should make regular updates to avoid being hacked. Additionally, users should hover their cursors over links before clicking on them to see where each link leads.
Those who identify phishing attempts should report them to the IRS.