Beware: 5 Tax-Related Email Scams You Need to Know About

The impending arrival of Tax Day always brings a surge in email attacks aimed at exploiting the stress and anxiety associated with April 15.
April 2, 2024

Tax Day 2024 is fast approaching, which means attackers attempting to take advantage of the urgency and importance of this deadline have been out in full force.

Below are five real-world examples of email attacks illustrating the various ways threat actors incorporate tax-related themes into their malicious messages. By understanding their tactics, organizations can help employees more easily identify and mitigate these kinds of cyber threats.

5 Tax Return Scam Emails

In this credential phishing attack, the threat actor chose to go all in and impersonate the IRS itself—even embedding the IRS logo into the body of the email.

The attacker claimed that the target’s tax refund could not be issued until they verified their information using the included link. The link led to an online form hosted on Formstack, a workplace productivity platform that allows users to build bespoke online forms, akin to Google Forms. To further increase the appearance of legitimacy, the attacker customized the URL to taxstatement[.]formstack[.]com/forms/irs.

Because the attacker sent the email from an iCloud address and used a legitimate software platform as the phishing mechanism, the message gave off few of the signals traditional security solutions use to detect malicious emails, such as known-bad domains.

As in the previous example, the threat actor who launched this phishing attack opted to pose as the IRS and send a message related to the target’s tax refund.

However, instead of claiming there was an issue with the recipient’s rebate, the perpetrator of this attack elected to go a more positive route and affirm the target’s eligibility for a refund. Nevertheless, they were sure to manufacture a sense of urgency by informing the target they could only claim this refund within three days of receiving the email.

In both of these attacks, the threat actors set the display name as something simple that incorporated “IRS”. Because many mobile email clients do not show full email headers, if either of the targets of these attacks viewed the message on their mobile device, they would only see the misleading sender display name.

In this attack, the threat actor impersonated an internal system at the target’s company and emailed a file-sharing notification.

The body of the email is designed to look like a message from Microsoft regarding a folder named “Tax Documents” but, in reality, it is just an image that the attacker embedded into the message. Rather than hyperlink the image to a malicious website, the threat actor informed the target they must open the attachment to view the shared folder. Unfortunately, if the recipient does open the attachment, it automatically downloads malware onto their computer.

Similar to the first two examples, the attacker was deliberate about choosing the display name. But this attacker was especially clever and formatted the “From” name to appear to be both the display name and the sender name, further hiding the actual email address they used.
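
The display-name tricks described in the first three examples can be checked mechanically. The following is an added example, not code from the original post or from any vendor: it parses the From header, flags a brand name in the display name when the sending domain is not on an allow-list, and flags a display name that embeds its own address. The brand-to-domain map, the finding labels and the sample messages are assumptions constructed for illustration.

```python
import re
from email import message_from_string
from email.utils import parseaddr

# Assumed allow-list of brand -> legitimate sender domains; tune for your own mail flow.
BRAND_DOMAINS = {
    "irs": {"irs.gov"},
    "docusign": {"docusign.com", "docusign.net"},
    "sharepoint": {"sharepointonline.com", "microsoft.com"},
}
ADDR_IN_NAME = re.compile(r"[\w.+-]+@[\w-]+(?:\.[\w-]+)+")

def check_from(raw_message):
    """Return findings for the From header of a raw RFC 5322 message."""
    display, addr = parseaddr(message_from_string(raw_message).get("From", ""))
    domain = addr.rpartition("@")[2].lower()
    findings = []
    # Tokenise so "Irs by DocuSign" yields {"irs", "by", "docusign"}.
    tokens = set(re.findall(r"[a-z0-9]+", display.lower()))
    for brand, allowed in BRAND_DOMAINS.items():
        on_brand = any(domain == d or domain.endswith("." + d) for d in allowed)
        if brand in tokens and not on_brand:
            findings.append("brand:" + brand)
    # A display name carrying its own address hides the real sender in many clients.
    embedded = ADDR_IN_NAME.search(display)
    if embedded and embedded.group(0).lower() != addr.lower():
        findings.append("address-in-display-name")
    return findings

# Constructed sample messages (not taken from the attacks described above).
SAMPLES = {
    "irs_icloud": 'From: "IRS" <refund.notice@icloud.com>\nSubject: Refund\n\nbody',
    "irs_docusign": 'From: "Irs by DocuSign" <docs@mailer.example>\nSubject: Tax\n\nbody',
    "sharepoint": 'From: "SharePoint <no-reply@contoso.example>" <notify@mailer.example>\n\nbody',
    "legit": 'From: "DocuSign" <dse@docusign.net>\nSubject: Completed\n\nbody',
}

if __name__ == "__main__":
    for name, raw in SAMPLES.items():
        print(name, check_from(raw))
```

A brand match alone is a weak signal, so in practice findings like these are weighted alongside other signals such as SPF, DKIM and DMARC results rather than used to block on their own.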

DocuSign is one of the most impersonated brands in credential phishing attacks. Since the use of DocuSign is generally reserved for important and/or confidential documents, cybercriminals know posing as that brand and claiming tax documents are in need of attention will likely convince the target to not think twice about clicking on a link in an email they weren’t necessarily expecting to receive.

The decision of the attacker to send a bogus DocuSign notification does limit their opportunities to tailor the content to a specific theme. That being said, the perpetrator of this attack capitalized on every opportunity they did have.

They set the display name as “Irs by DocuSign” and referenced tax documents in both the subject line and the message content. The threat actor went so far as to include the name of an actual tax professional in the email body—all in an attempt to deceive the target into clicking on the Review Documents button and entering their information into a phishing page.

The sudden and widespread adoption of QR codes in 2020 presented attackers with a novel way to exploit trusted communication tools and deceive end users.

One of the biggest advantages that QR code phishing attacks like this one offer threat actors is that they move the attack away from the target’s laptop—which is within the purview of the organization and its security controls—to the target’s mobile device, which lacks the same level of protection. Using a QR code instead of a hyperlink also obfuscates the destination URL, making it more difficult for legacy security solutions to determine if the link is safe or malicious.

In the same vein as the previous DocuSign impersonation, the perpetrator of this attack personalized the email as much as possible. They included a fake email header within the message that contained the target’s company name and also incorporated the company into the name of the fraudulent file that is purportedly awaiting review. The attacker even made sure to maximize the sense of urgency by adding a note that this email is the “final reminder.”

Protecting Your Employees from Tax-Themed Email Attacks

As Tax Day approaches, the threat of tax return scam emails looms large. The examples discussed in this blog post serve as a stark reminder of how cybercriminals will exploit the stress and urgency associated with tax-related matters. By impersonating trusted entities like the IRS and leveraging well-known brands like DocuSign, attackers aim to deceive unsuspecting victims and gain access to sensitive information.

Collaboration between IT teams and employees is crucial in combating email attacks. Encouraging employees to report suspicious emails promptly and regularly reinforcing email security best practices helps keep everyone informed and reduces risk to the organization. Still, the most effective way to prevent employees from engaging with malicious messages is to ensure they’re never delivered in the first place by implementing an AI-native email security solution that detects and proactively blocks threats like these.

For more insight into recent attack trends, including the rising threat of QR code phishing attacks, download the H1 Email Threat Report.
