New and sophisticated tax phishing scams are targeting taxpayers, warns Microsoft. These scams impersonate trusted sources and use urgency tactics to steal personal and financial data.
Taxpayers beware! Phishing scams are on the rise again as tax season heats up. Microsoft Threat Intelligence has issued warnings about new and innovative tactics cybercriminals are using to steal your personal information and financial data.
These scams don’t discriminate, but they do target specific groups more heavily. New taxpayers, recent immigrants with green cards, small business owners who file themselves, and older adults are all prime targets because they might be less familiar with tax procedures.
These threat actors are also becoming more sophisticated. They’re impersonating trusted sources like employers, tax agencies, and even payment processors. They might send emails with blurry or incomplete tax documents to create a sense of urgency and trick you into clicking on a malicious attachment.
According to Microsoft Threat Intelligence’s blog post, these attachments contain malware that steals your login credentials, or they might redirect you to a fake website that looks like a legitimate tax platform and is designed to capture your information.
One example scam identified in January involved emails that appeared to be from employers sending tax documents. Clicking on the attached HTML file led to a fake landing page designed to steal the user’s login credentials.
Tycoon and NakedPages – PhaaS
In addition to their blog post, Microsoft Threat Intelligence has also sent out a series of tweets addressing the increasing prevalence of phishing campaigns during the tax season in the United States.
These campaigns, including those associated with notorious phishing-as-a-service (PhaaS) platforms like Tycoon and NakedPages, are leveraging tax-related themes for social engineering, putting individuals and organizations at risk of financial fraud and data theft.
One notable campaign tied to the Tycoon PhaaS platform involved deceptive emails posing as official tax forms such as W-2 and W-9 notifications, alongside other payroll tax documents.
These emails featured HTML attachments that initiated a Cloudflare captcha check, ultimately leading victims to a phishing page designed to harvest sensitive information. When recipients opened these attachments, JavaScript was executed, facilitating the installation of info-stealing malware.
Additionally, Microsoft observed phishing efforts linked to the AiTM phishing kit NakedPages, where fraudulent emails disguised as DocuSign-shared documents about tax adjustments were circulated. Clicking on embedded images within these emails triggered redirections culminating in phishing pages, demonstrating the sophisticated nature of these attacks.
This malicious software is designed to harvest sensitive data, including cryptocurrency wallet information, login credentials for PuTTY and WinSCP, as well as credentials stored in web browsers and email clients. Such comprehensive data theft poses significant risks to individuals and organizations, potentially resulting in financial losses and compromised digital identities.
Both Tycoon and NakedPages are recognized for their automation capabilities in executing phishing activities, as well as their ability to bypass multi-factor authentication (MFA) through adversary-in-the-middle (AiTM) techniques, strengthening the threat posed by these campaigns.
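A mail-triage check for the lure pattern described above (a tax-form themed email carrying an HTML attachment that runs script or redirects when opened), as an added example that is not from Microsoft's report. The keyword list, function names and sample messages are assumptions constructed for illustration.

```python
import re
from email import message_from_string, policy
from email.message import EmailMessage

# Assumed lure terms, based on the tax forms the article names (W-2, W-9, payroll).
LURE = re.compile(r"(?<![a-z0-9])(w-?2|w-?9|payroll|tax)(?![a-z0-9])", re.I)
# Markup that lets an HTML attachment run script or redirect as soon as it is opened.
ACTIVE = re.compile(r"<script\b|http-equiv\s*=\s*[\"']?refresh", re.I)

def triage(raw_eml: str) -> list:
    """Return one finding per HTML attachment in the message."""
    msg = message_from_string(raw_eml, policy=policy.default)
    subject = str(msg.get("Subject", ""))
    findings = []
    for part in msg.iter_attachments():
        name = part.get_filename() or ""
        if part.get_content_type() != "text/html" and not name.lower().endswith((".htm", ".html")):
            continue
        body = part.get_content()
        if isinstance(body, bytes):  # HTML sent under a generic content type
            body = body.decode("utf-8", "replace")
        active = bool(ACTIVE.search(body))
        lure = bool(LURE.search(subject) or LURE.search(name))
        findings.append({"file": name, "active": active, "lure": lure,
                         "flag": active and lure})
    return findings

def build_sample(subject: str, filename: str, html: str) -> str:
    """Construct a test message; all addresses and content are made up."""
    m = EmailMessage()
    m["From"], m["To"], m["Subject"] = "hr@example.com", "user@example.com", subject
    m.set_content("Please review the attached form.")
    m.add_attachment(html, subtype="html", filename=filename)
    return m.as_string()

if __name__ == "__main__":
    lure_mail = build_sample("Your W-2 is ready", "W2_form.html",
                             "<html><script>/* constructed placeholder */</script></html>")
    benign = build_sample("Team lunch menu", "menu.html", "<html><p>Menu</p></html>")
    for raw in (lure_mail, benign):
        print(triage(raw))
```

A flagged message is a candidate for quarantine or analyst review, not a verdict: legitimate HTML attachments can contain script, so the lure terms should be tuned to the organization's own mail flow.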
Protect Yourself from Tax-related Phishing Scams
Microsoft recommends staying alert throughout tax season. Don’t click on suspicious links or attachments in emails, even if they seem to come from a familiar source. If you’re unsure about the legitimacy of an email, contact the sender directly through a verified phone number or website.
You can find more resources and tips for staying safe from tax season scams by searching for the “Microsoft Threat Intelligence tax season report.”