As tax filing season peaks, a new scam has arrived.
The scam imitates the popular online services Typeform and Microsoft OneDrive with the aim of stealing sensitive personal information.
Email tax scams traditionally spike during the peak of tax season, banking on the fact that many individuals filing taxes are stressed out and may not give proper scrutiny to documents that appear to be from trusted companies.
"Unfortunately, cybercriminals know how stressful tax season is and pull out all the stops by launching email scams that crank the stress volume up to 11," said Abhishek Iyer, who wrote about the scheme for Armorblox, an email security company.
The scam begins with an email that imitates an automated file-sharing communication from Microsoft OneDrive, a widely-used file hosting service.
The email cited by Armorblox is titled "RE: Home Loan" followed by a reference number and the date, "making it seem like the email was part of an ongoing conversation to lend it more legitimacy," according to Armorblox.
The email includes links to a file, with the file name "2020_TaxReturn&W2.pdf" highlighted in the email body.
Clicking the email link takes you to a page that appears to be hosted by Typeform, a popular online service specializing in surveys and forms. A W2 document is shown in the background and victims are asked to enter their email account information before being granted access to the file.
This email attack got past Google Workspace email security filters and fooled unsuspecting end users, Armorblox said.
"Less sophisticated victims are likely to fall for this scam, at the very least entering their credentials to check if their W2 got into the wrong hands," Armorblox’s Iyer told Fox News in an email.
"We have observed that 'time' and 'emotions' are more powerful variables that determine the success of these scams, rather than how sophisticated or security-aware users are," Iyer added.
According to Armorblox, one of the tactics used by the scammers is to send an email with a link that says "Learn about messages protected by Office 365" that leads to a real Microsoft-hosted page with security information.
"Attackers often include such signifiers in emails to lull victims into a false sense of security," Iyer wrote.
Another tactic is using an automated file-sharing message.
"We get tons of such emails everyday informing us that someone has shared files with us, someone has replied to our message, someone has commented on a document, and so on. When we see emails that seem similar to known email workflows, our brains tend to employ System 1 and take quick action," Iyer wrote, referring to unconscious, automatic thinking.
Another trick used by scammers is exploiting the Typeform brand name to host a phishing page. The use of popular free online services makes phishing attacks easier to pull off.
Armorblox has also observed attacks exploiting Google Firebase (a Google platform for creating mobile and web applications), Box (a file sharing service), and Google Forms in a similar manner.
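The common thread in the tactics above is a mismatch between the brand the email claims to come from (a OneDrive file share) and where its lure link actually goes (a free form or hosting service such as Typeform, Google Forms, Firebase or Box). The following Python check, added here as an illustration and not part of the Armorblox report or Fox News article, flags that mismatch on a message's subject and body. The hostnames it lists for the Microsoft and third-party services, the OneDrive marker phrases and the two sample messages are assumptions constructed for the example; the real Microsoft help link the scammers included as a decoy is deliberately not allowed to clear a message.

```python
"""Brand/link mismatch check for file-share notification emails.

Added example (not Armorblox's detection logic): a message that presents
itself as a Microsoft OneDrive share but whose links point at a third-party
form or hosting service is marked suspicious. Hostnames and marker phrases
below are assumptions for this example.
"""
import re
from urllib.parse import urlparse

# Assumed phrases a OneDrive share notification, or a lookalike, would carry.
ONEDRIVE_MARKERS = ("onedrive", "shared a file with you", "office 365")

# Assumed hostnames for the free services the article says were abused to
# host the lookalike page (Typeform, Google Forms, Google Firebase, Box).
THIRD_PARTY_HOSTS = ("typeform.com", "forms.gle", "docs.google.com",
                     "web.app", "firebaseapp.com", "box.com")

# Assumed hostnames a genuine OneDrive share or Microsoft help page would use.
MICROSOFT_HOSTS = ("1drv.ms", "onedrive.live.com", "sharepoint.com", "microsoft.com")

URL_RE = re.compile(r"https?://[^\s\"'<>]+")


def _host_matches(host, domains):
    """True if host equals one of domains or is a subdomain of one."""
    host = host.lower()
    return any(host == d or host.endswith("." + d) for d in domains)


def extract_link_hosts(body):
    """Return the hostname of every http(s) URL found in the message body."""
    hosts = []
    for url in URL_RE.findall(body):
        host = urlparse(url.rstrip(".,;)")).hostname
        if host:
            hosts.append(host.lower())
    return hosts


def assess(subject, body):
    """Flag a message that claims to be a OneDrive share but links to a
    third-party form host. A real Microsoft link elsewhere in the body (the
    "Learn about messages protected by Office 365" decoy) does not clear the
    message; the lure link decides the verdict."""
    text = f"{subject} {body}".lower()
    hosts = extract_link_hosts(body)
    claims_onedrive = any(m in text for m in ONEDRIVE_MARKERS)
    third_party = sorted({h for h in hosts if _host_matches(h, THIRD_PARTY_HOSTS)})
    microsoft = sorted({h for h in hosts if _host_matches(h, MICROSOFT_HOSTS)})
    tax_lure = bool(re.search(r"\bw-?2\b|tax ?return", text))
    verdict = "suspicious" if claims_onedrive and third_party else "no_mismatch"
    return {
        "verdict": verdict,
        "claims_onedrive": claims_onedrive,
        "third_party_hosts": third_party,
        "microsoft_hosts": microsoft,
        "tax_lure": tax_lure,
    }


# Constructed sample messages, not the actual emails from the Armorblox report.
PHISH_SUBJECT = "RE: Home Loan"
PHISH_BODY = (
    "Someone shared a file with you via OneDrive.\n"
    "2020_TaxReturn&W2.pdf\n"
    "Open: https://example.typeform.com/to/CONSTRUCTED\n"
    "Learn about messages protected by Office 365: "
    "https://www.microsoft.com/CONSTRUCTED-help-page\n"
)
LEGIT_SUBJECT = 'Alice shared "budget.xlsx" with you'
LEGIT_BODY = (
    "Alice shared a file with you via OneDrive.\n"
    "Open: https://1drv.ms/x/CONSTRUCTED\n"
)

if __name__ == "__main__":
    for name, subj, body in (("phish", PHISH_SUBJECT, PHISH_BODY),
                             ("legit", LEGIT_SUBJECT, LEGIT_BODY)):
        print(name, assess(subj, body))
```

The check is a heuristic, not a classifier: it reports which hosts triggered it and whether a W-2 or tax-return lure is present, so an analyst can see why a message was held. The `tax_lure` flag is reported separately rather than folded into the verdict, since the brand/link mismatch is the signal that survives once the tax-season theme is swapped for another lure.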