
Beware: 5 Tax-Related Email Scams You Need to Know About

The impending arrival of Tax Day always brings a surge in email attacks aimed at exploiting the stress and anxiety associated with April 15.
April 2, 2024

Tax Day 2024 is fast approaching, which means attackers attempting to take advantage of the urgency and importance of this deadline have been out in full force.

Below are five real-world examples of email attacks illustrating the various ways threat actors incorporate tax-related themes into their malicious messages. By understanding their tactics, organizations can help employees more easily identify and mitigate these kinds of cyber threats.

5 Tax Return Scam Emails

Example of tax-themed email attack in which threat actor impersonated the IRS

In this credential phishing attack, the threat actor chose to go all in and impersonate the IRS itself—even embedding the IRS logo into the body of the email.

The attacker claimed that the target’s tax refund could not be issued until they verified their information using the included link. The link led to an online form hosted on Formstack, a workplace productivity platform that allows users to build bespoke online forms, akin to Google Forms. To further increase the appearance of legitimacy, the attacker customized the URL to taxstatement[.]formstack[.]com/forms/irs.

Because the attacker sent the email from an iCloud address and used a legitimate software platform as the phishing mechanism, the message carried few of the signals that traditional security solutions use to detect malicious emails, such as known-bad domains.

Example of tax return scam email in which attacker posed as the IRS

As in the previous example, the threat actor who launched this phishing attack opted to pose as the IRS and send a message related to the target’s tax refund.

However, instead of claiming there was an issue with the recipient’s rebate, the perpetrator of this attack elected to go a more positive route and affirm the target’s eligibility for a refund. Nevertheless, they were sure to manufacture a sense of urgency by informing the target they could only claim this refund within three days of receiving the email.

In both of these attacks, the threat actors set the display name to something simple that incorporated “IRS”. Because many mobile email clients do not show full email headers, a target who viewed either message on a mobile device would see only the misleading sender display name.

Example of tax-related email scam featuring impersonation of internal system at targeted company

In this attack, the threat actor impersonated an internal system at the target’s company and emailed a file-sharing notification.

The body of the email is designed to look like a message from Microsoft regarding a folder named “Tax Documents” but, in reality, it is just an image that the attacker embedded into the message. Rather than hyperlink the image to a malicious website, the threat actor informed the target they must open the attachment to view the shared folder. Unfortunately, if the recipient does open the attachment, it automatically downloads malware onto their computer.

Similar to the first two examples, the attacker was deliberate about choosing the display name. But this attacker was especially clever and formatted the “From” name to appear to be both the display name and the sender name, further hiding the actual email address they used.

Example of tax-themed email attack designed to appear as a DocuSign notification

DocuSign is one of the most impersonated brands in credential phishing attacks. Because DocuSign is generally reserved for important and/or confidential documents, cybercriminals know that posing as the brand and claiming tax documents need attention will likely convince the target to click a link in an email they weren’t necessarily expecting, without thinking twice.

The decision of the attacker to send a bogus DocuSign notification does limit their opportunities to tailor the content to a specific theme. That being said, the perpetrator of this attack capitalized on every opportunity they did have.

They set the display name as “Irs by DocuSign” and referenced tax documents in both the subject line and the message content. The threat actor went so far as to include the name of an actual tax professional in the email body—all in an attempt to deceive the target into clicking on the Review Documents button and entering their information into a phishing page.
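
The display-name tactics in the IRS, file-sharing and DocuSign examples above can be checked mechanically against the actual sender address. The following Python sketch is an added example, not code from the original post or from the vendor; the brand-to-domain map, the consumer-mail list, the finding labels and the sample messages are assumptions constructed for illustration, and it treats the combined “From” name in the file-sharing example as a display name that embeds an address-like string.

```python
import re
from email import message_from_string
from email.utils import parseaddr

# Assumptions for this sketch: brand keywords and the domains each brand sends from.
BRAND_DOMAINS = {"irs": {"irs.gov"}, "docusign": {"docusign.com", "docusign.net"}}
FREEMAIL = {"icloud.com", "gmail.com", "outlook.com"}  # assumed consumer-mail list
ADDR_LIKE = re.compile(r"[\w.+-]+@[\w-]+(?:\.[\w-]+)+")

def from_header_findings(raw_message):
    """Return heuristic findings for the From header of one raw message."""
    msg = message_from_string(raw_message)
    display, addr = parseaddr(msg.get("From", ""))
    domain = addr.rpartition("@")[2].lower()
    words = set(re.findall(r"[a-z]+", display.lower()))
    findings = []
    # Display name mentions a brand, but the real sender domain is not the brand's.
    for brand, domains in BRAND_DOMAINS.items():
        legit = any(domain == d or domain.endswith("." + d) for d in domains)
        if brand in words and not legit:
            findings.append("brand-mismatch:" + brand)
    # Display name that itself contains an address hides the real sender.
    if ADDR_LIKE.search(display):
        findings.append("address-in-display-name")
    # A consumer mailbox is only notable alongside another finding.
    if findings and domain in FREEMAIL:
        findings.append("freemail-sender")
    return findings

# Constructed sample messages (not taken from the attacks described above).
SAMPLES = {
    "irs_freemail": "From: IRS Refunds <jdoe1990@icloud.com>\nSubject: Refund\n\nbody",
    "embedded_addr": 'From: "SharePoint <no-reply@corp.example>" '
                     "<sender@mailer.example>\nSubject: Tax Documents\n\nbody",
    "irs_docusign": "From: Irs by DocuSign <notify@mailer.example>\n"
                    "Subject: Tax documents\n\nbody",
    "legit_docusign": "From: DocuSign System <notifications@docusign.net>\n"
                      "Subject: Completed\n\nbody",
}

if __name__ == "__main__":
    for name, raw in SAMPLES.items():
        print(name, from_header_findings(raw))
```

Findings like these are triage signals for a mail gateway or a reported-phish queue, not verdicts; they complement SPF, DKIM and DMARC results, which say nothing about a misleading display name.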

Example of tax-related QR code phishing attack

The sudden and widespread adoption of QR codes in 2020 presented attackers with a novel way to exploit trusted communication tools and deceive end users.

One of the biggest advantages that QR code phishing attacks like this one offer threat actors is that they move the attack away from the target’s laptop, which is within the purview of the organization and its security controls, to the target’s mobile device, which lacks the same level of protection. Using a QR code instead of a hyperlink also obfuscates the destination URL, making it more difficult for legacy security solutions to determine if the link is safe or malicious.

In the same vein as the previous DocuSign impersonation, the perpetrator of this attack personalized the email as much as possible. They included a fake email header within the message that contained the target’s company name and also incorporated the company into the name of the fraudulent file that is purportedly awaiting review. The attacker even made sure to maximize the sense of urgency by adding a note that this email is the “final reminder.”

Protecting Your Employees from Tax-Themed Email Attacks

As Tax Day approaches, the threat of tax return scam emails looms large. The examples discussed in this blog post serve as a stark reminder of how cybercriminals will exploit the stress and urgency associated with tax-related matters. By impersonating trusted entities like the IRS and leveraging well-known brands like DocuSign, attackers aim to deceive unsuspecting victims and gain access to sensitive information.

Collaboration between IT teams and employees is crucial in combating email attacks. Encouraging employees to report suspicious emails promptly and regularly reinforcing email security best practices helps keep everyone informed and reduces risk to the organization. Still, the most effective way to prevent employees from engaging with malicious messages is to ensure they’re never delivered in the first place by implementing an AI-native email security solution that detects and proactively blocks threats like these.


For more insight into recent attack trends, including the rising threat of QR code phishing attacks, download the H1 Email Threat Report.
