chat
expand_more

Beware: 5 Tax-Related Email Scams You Need to Know About

The impending arrival of Tax Day always brings a surge in email attacks aimed at exploiting the stress and anxiety associated with April 15.
April 2, 2024

Tax Day 2024 is fast approaching, which means attackers attempting to take advantage of the urgency and importance of this deadline have been out in full force.

Below are five real-world examples of email attacks illustrating the various ways threat actors incorporate tax-related themes into their malicious messages. By understanding their tactics, organizations can help employees more easily identify and mitigate these kinds of cyber threats.

5 Tax Return Scam Emails

Tax Themed Email Scams IRS Logo

Example of tax-themed email attack in which threat actor impersonated the IRS

In this credential phishing attack, the threat actor chose to go all in and impersonate the IRS itself—even embedding the IRS logo into the body of the email.

The attacker claimed that the target’s tax refund cannot be issued until they verify their information using the included link. The link led to an online form hosted on Formstack, a workplace productivity platform that allows users to build bespoke online forms, akin to Google Forms. To further increase the appearance of legitimacy, the attacker customized the URL to taxstatement[.]formstack[.]com/forms/irs.

Because the attacker sent the email using an iCloud address and utilized a legitimate software platform as their phishing mechanism, it minimized the signals traditional security solutions use to detect malicious emails, such as known-bad domains.

Tax Themed Email Scams Claim Your Refund

Example of tax return scam email in which attacker posed as the IRS

As in the previous example, the threat actor who launched this phishing attack opted to pose as the IRS and send a message related to the target’s tax refund.

However, instead of claiming there was an issue with the recipient’s rebate, the perpetrator of this attack elected to go a more positive route and affirm the target’s eligibility for a refund. Nevertheless, they were sure to manufacture a sense of urgency by informing the target they could only claim this refund within three days of receiving the email.

In both of these attacks, the threat actors set the display name as something simple that incorporated “IRS”. Because many mobile email clients do not show full email headers, if either of the targets of these attacks viewed the message on their mobile device, they would only see the misleading sender display name.

Tax Themed Email Scams Sharepoint

Example of tax-related email scam featuring impersonation of internal system at targeted company

In this attack, the threat actor impersonated an internal system at the target’s company and emailed a file-sharing notification.

The body of the email is designed to look like a message from Microsoft regarding a folder named “Tax Documents” but, in reality, it is just an image that the attacker embedded into the message. Rather than hyperlink the image to a malicious website, the threat actor informed the target they must open the attachment to view the shared folder. Unfortunately, if the recipient does open the attachment, it automatically downloads malware onto their computer.

Similar to the first two examples, the attacker was deliberate about choosing the display name. But this attacker was especially clever and formatted the “From” name to appear to be both the display name and the sender name, further hiding the actual email address they used.

Tax Themed Email Scams Docu Sign

Example of tax-themed email attack designed to appear as a DocuSign notification

DocuSign is one of the most impersonated brands in credential phishing attacks. Since the use of DocuSign is generally reserved for important and/or confidential documents, cybercriminals know posing as that brand and claiming tax documents are in need of attention will likely convince the target to not think twice about clicking on a link in an email they weren’t necessarily expecting to receive.

The decision of the attacker to send a bogus DocuSign notification does limit their opportunities to tailor the content to a specific theme. That being said, the perpetrator of this attack capitalized on every opportunity they did have.

They set the display name as “Irs by DocuSign” and referenced tax documents in both the subject line and the message content. The threat actor went so far as to include the name of an actual tax professional in the email body—all in an attempt to deceive the target into clicking on the Review Documents button and entering their information into a phishing page.

Tax Themed Email Scams Docu Sign QR Code

Example of tax-related QR code phishing attack

The sudden and widespread adoption of QR codes in 2020 presented attackers with a novel way to exploit trusted communication tools and deceive end users.

One of the biggest advantages that QR code phishing attacks like this one offer threat actors is that it moves the attack away from the target’s laptop—which is within the purview of the organization and its security controls—to the target’s mobile device, which lacks the same level of protection. Using a QR code instead of a hyperlink also obfuscates the destination URL, making it more difficult for legacy security solutions to determine if the link is safe or malicious.

In the same vein as the previous DocuSign impersonation, the perpetrator of this attack personalized the email as much as possible. They included a fake email header within the message that contained the target’s company name and also incorporated the company into the name of the fraudulent file that is purportedly awaiting review. The attacker even made sure to maximize the sense of urgency by adding a note that this email is the “final reminder.”

Protecting Your Employees from Tax-Themed Email Attacks

As Tax Day approaches, the threat of tax return scam emails looms large. The examples discussed in this blog post serve as a stark reminder of how cybercriminals will exploit the stress and urgency associated with tax-related matters. By impersonating trusted entities like the IRS and leveraging well-known brands like DocuSign, attackers aim to deceive unsuspecting victims and gain access to sensitive information.

Collaboration between IT teams and employees is crucial in combating email attacks. Encouraging employees to report suspicious emails promptly and regularly reinforcing email security best practices helps keep everyone informed and reduces risk to the organization. Still, the most effective way to prevent employees from engaging with malicious messages is to ensure they’re never delivered in the first place by implementing an AI-native email security solution that detects and proactively blocks threats like these.


For more insight into recent attack trends, including the rising threat of QR code phishing attacks, download the H1 Email Threat Report.

Get the Report
Beware: 5 Tax-Related Email Scams You Need to Know About

See Abnormal in Action

Get a Demo

Get the Latest Email Security Insights

Subscribe to our newsletter to receive updates on the latest attacks and new trends in the email threat landscape.

Get AI Protection for Your Human Interactions

Protect your organization from socially-engineered email attacks that target human behavior.
Request a Demo
Request a Demo

Related Posts

B Proofpoint Customer Story Blog 8
A Fortune 500 transportation and logistics leader blocked more than 6,700 attacks missed by Proofpoint and reclaimed 350 SOC hours per month by adding Abnormal to its security stack.
Read More
B Gartner MQ 2024 Announcement Blog
Abnormal Security was named a Leader in the 2024 Gartner Magic Quadrant for Email Security Platforms and positioned furthest for Completeness of Vision.
Read More
B Gift Card Scams Tricker to Spot Blog
Learn why gift card scams are becoming more difficult to identify, how cybercriminals evolve their tactics, and strategies to protect your organization.
Read More
B Offensive AI 12 16 24
Learn how AI is used in cybersecurity, what defensive AI vs. offensive AI means, and how to use defensive AI to combat offensive AI.
Read More
B Proofpoint Customer Story Blog 7
See how Abnormal's AI helped a Fortune 500 insurance provider detect 27,847 threats missed by Proofpoint and save 6,600+ hours in employee productivity.
Read More
B Cyberattack Forecast Emerging Threats Blog
Uncover the latest email threats and strategies to strengthen your cybersecurity and prepare for 2025.
Read More