Targeted Phishing Scams for Tax Dollars – Again

Targeted Phishing Scams for Tax Dollars – Again

As we enter the final weeks before the April 15th tax filing deadline, we are once again seeing an increase in phishing scams aimed at stealing tax refunds.

spear fishing sea

This year, cybercriminals are focusing a lot of effort on HR and financial teams. Sophisticated crime rings are sending targeted phishing emails to key employees who have access to tax related information, W-2 forms in particular, in an attempt to deceive them into disclosing this confidential information.

The IRS and FBI have warned that such attacks have dramatically increased this year. “These email schemes continue to evolve and can fool even the most cautious person. Email messages can look like they come from the IRS or others in the tax community,” said IRS Commissioner John Koskinen. “Taxpayers should avoid opening surprise emails or clicking on web links claiming to be from the IRS. Don’t be fooled by unexpected emails about big refunds, tax bills or requesting personal information. That’s not how the IRS communicates with taxpayers.”

Phishing Scams

The cybercriminals send Phishing emails that look like they come from the CEO or another company executive. These emails request a document containing the W-2 tax information for all employees.  In some cases, the emails request the readers to open a .PDF document, or click on a link to a malicious website. Unfortunately, doing either downloads malware to the victim’s device.

Because the phishing attacks appear to come from a senior officer within the company, a lot of, if not the majority of employees are instantly clicking on a malicious link or opening an infected document. In other cases, they simply reply to the email and send all W-2 data directly to the criminals.

Security awareness

Organizations need to constantly remind their employees about phishing attacks, and to think before clicking or responding.  Unfortunately, everyone needs to be on the lookout for phishing scams today, and ask themselves “Could this action be a scam?” When in doubt, double check the address, and if necessary, consult with your security department before acting.

In addition to user security training, organizations need to have an advanced malware detection system in place. History continually reminds us that despite training, some of these phishing attacks will be successful. Criminals may send targeted emails to dozens of people in the same company.  For large companies, a hundred or more employees may get phished.  If just one person falls for the scam the entire company and their employees could be significantly harmed.

Find out more about how PhishMe Triage and Lastline Analyst work together to improve detection and response visibility to combat phishing attacks.