Beware of Tax Season Phishing Scams

Cybercriminals have stepped up their efforts to scam U.S. taxpayers into divulging their sensitive information and installing malware. Many elaborate tax season phishing scams have been detected in 2019.

Phishing scams are common during tax season. Tax-themed phishing emails are sent which contain a hyperlink that directs the recipient to a website where they are asked to enter information such as their name, address, DOB, and Social Security number. The aim is to obtain sensitive information that can be used to commit identity theft and submit fraudulent tax returns.

The email often spoof the IRS and claim to offer tax refunds or contain a threat of legal action if immediate action is not taken to resolve an issue. Many of these tax season phishing scams are simple, but they are effective.

A number of sophisticated and highly convincing scams have been detected this year which show threat actors have done their research and have committed a significant amount of time developing their campaigns.

In a recent blog post, Proofpoint has drawn attention to several sophisticated tax season phishing scams that the firm has intercepted in 2019. One phishing scam directs users to a website with a fake IRS login page. The login page has been copied from the official IRS website and even includes warning about an upcoming outage. Another directs taxpayers to a page where that mimics the page where users submit their 2018 tax return. The page requests a range of highly sensitive information.

One of the most elaborate scams, identified in January, was sent to several accounting firms. The emails claim to be from a professor who said he had made contact with the firm a month previously and had been requested to send several documents. The email contains an attachment detailing his tax deductions, proof of identification, and various forms that would typically be requested by tax professionals, including a W-2 form, Form 1099R, and Form 1098. The sender address was spoofed, and the message was well written and personalized. Such a well-crafted email would likely see at least one of the attachments opened. The documents appeared genuine, even when opened.

However, the Word documents attached to the email included macros which, if allowed to run, would download the Remcos RAT – a remote administration tool that would give the attacker access to the user’s computer and, potentially, the tax information of the accountant’s clients.

The distribution of RATs to tax professionals is common. Proofpoint notes there was an increase in the distribution of RATs such as Remcos, NetWire, and Orcus in 2018 and that trend has continued this year.

Proofpoint identified similar tax-related phishing scams targeting individuals and businesses in many countries, including the United Kingdom, Canada, Ireland, and France.

The take home message is all individuals should exercise extra caution during tax season and should bear in mind that some tax season phishing scams are very sophisticated and are virtually indistinguishable from genuine tax-related communications.

Author: Richard Anderson

Richard Anderson is the Editor-in-Chief of