Tax-Related Email Attacks Set to Spike in May

April 28, 2021

Recent email attacks detected by Abnormal Security, combined with an analysis of historical attack data, indicate that email attacks related to federal taxes are likely to spike in the coming weeks in advance of the May 17th filing deadline.

Tax-related attacks in 2021 have followed a pattern similar to 2020, when attack volume steadily increased throughout the early weeks of March. Last year, the IRS announced on March 21 that the filing deadline would be extended until July 15th. This was followed by a significant slowdown of tax-related email attacks—a 59% reduction from the week of July 15th to the week of July 22nd. Volume remained low until July 5, 2020—10 days before the tax deadline—when tax-related email attacks surged. Attack volume increased 122% between the weeks of June 28th and July 5th.

In 2021, Abnormal’s data points to a similar trajectory, with attack volume increasing through the early weeks of March before a March 17th announcement that the filing deadline would be extended until May 17th. Tax-related attacks immediately cratered, falling by 60% between the weeks of March 14th and March 21st. As we approach the new May deadline, Abnormal Security expects to see a dramatic increase in tax-related email attacks, mirroring activity in 2020.

When comparing tax-related email attack data between 2020 and 2021, Abnormal Security researchers have found that, compared to this time last year, attack volume is up a whopping 400%, indicating that the upcoming spike will be significant.

While the volume of tax-related email attacks is much higher this year, the total attack volume is consistent with 2020 data. This is likely a result of opportunistic attackers leveraging the fear and confusion around the COVID-19 pandemic in the spring of 2020.

What to Look For: About the Tax Attacks

With increased attack activity likely in the lead-up to the May 17th filing deadline, employees and security teams can learn from an analysis of year-to-date email attack data. Major themes included the status of users’ tax refunds, additional tax credits, and issues with their tax filings. Attacks impersonating or spoofing tax collection agencies have been prevalent, with:

  • 14.6% of all tax-related email subjects referencing the IRS,
  • 11.8% referencing Her Majesty’s Revenue and Customs (HMRC), the UK’s tax agency, and
  • 52% of spoofing or impersonation tax-related attacks referencing the IRS in the “from” address

The top attack groups have used subject lines that include the following:

  • “[EXT] Claim your free tax credit today”
  • “[EXT] Are you a future crypto tax preparer”
  • “HMRC Fourth SEISS Tax Refund Notification”
  • “Recalculation of Your Tax Refund Payment”
  • “Fw: Accepted Tax Payment: INTUIT SERVICE NOTICE”
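
A triage heuristic for the indicators above, added here as an example and not Abnormal Security's detection logic. The `triage` function, its reason labels, and the choice of `irs.gov` and `hmrc.gov.uk` as the genuine sending domains are assumptions; the sample messages are constructed.

```python
import re
from email import message_from_string
from email.utils import parseaddr

# Assumption: domains treated as genuine for each agency; adjust for your mail flow.
AGENCIES = {
    "irs": (re.compile(r"\b(irs|internal revenue service)\b", re.I), ("irs.gov",)),
    "hmrc": (re.compile(r"\b(hmrc|revenue (and|&) customs)\b", re.I), ("hmrc.gov.uk",)),
}
# Themes named in the article: refunds, credits, payments, filing issues.
THEME = re.compile(r"\btax (refund|credit|payment|filing|return)", re.I)

def triage(raw):
    """Return the reasons (possibly none) a raw message deserves analyst review."""
    msg = message_from_string(raw)
    from_hdr = msg.get("From", "")
    domain = parseaddr(from_hdr)[1].rpartition("@")[2].lower()
    subject = msg.get("Subject", "")
    # Only trust Authentication-Results stamped by your own gateway.
    auth = msg.get("Authentication-Results", "").lower()
    reasons, trusted = [], False
    for name, (pattern, allowed) in AGENCIES.items():
        if any(domain == d or domain.endswith("." + d) for d in allowed):
            if "dmarc=pass" in auth:
                trusted = True
            else:  # exact-domain spoofing: agency domain, not authenticated
                reasons.append(f"{name}-domain-without-dmarc-pass")
        elif pattern.search(from_hdr):
            reasons.append(f"from-references-{name}")
        elif pattern.search(subject):
            reasons.append(f"subject-references-{name}")
    if not trusted and THEME.search(subject):
        reasons.append("tax-theme-subject")
    return reasons

# Constructed samples; subjects are taken from the list above, senders are made up.
SAMPLES = {
    "lookalike": 'From: "IRS Refund Desk" <notice@tax-status.example>\n'
                 "Subject: Recalculation of Your Tax Refund Payment\n\nbody",
    "spoofed": "From: IRS <no-reply@irs.gov>\n"
               "Authentication-Results: mx.corp.example; dmarc=fail header.from=irs.gov\n"
               "Subject: [EXT] Claim your free tax credit today\n\nbody",
    "benign": "From: Alice <alice@corp.example>\nSubject: First quarter plan\n\nbody",
}

if __name__ == "__main__":
    for label, raw in SAMPLES.items():
        print(label, triage(raw))
```

The reasons are triage signals for an analyst queue, not verdicts: legitimate mail from an accountant or payroll provider will also match the theme pattern.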

This year’s tax-related attack data points to malicious actors becoming increasingly sophisticated in their targeting of high-level, VIP recipients. This is supported by the fact that nearly 100% of attacks have targeted individuals rather than group mailboxes. In addition, 12% of attacks targeted VIP employees—a 90% increase over the percentage of attacks targeting VIPs across all attack types (6.7%) during this period.

Additionally, employees with Head, VP, and finance titles were recipients of tax-related attacks disproportionate to their base percentages, seeing 33%, 100%, and 300% higher attack percentages than typical.

Job Level | % of Recipients Receiving a Tax-Related Attack | % of Recipients Receiving Any Attack
HEAD      | 25% | 19%
VP        | 9%  | 4%
FINANCE   | 4%  | 1%
ASSISTANT | 3%  | 3%
C-SUITE   | 3%  | 2%
GROUPS    | ~0% | 0.2%
OTHER     | 56% | 66%

Abnormal Security researchers found that the majority of malicious tax-related attacks (63.9%) were attempts at credential phishing. Credential phishing can lead to compromised accounts, providing attackers with a foothold inside the organization and putting the organization at risk for data loss or further attacks launched from within. Credential phishing was followed by malware, reconnaissance, and scams as the top attack motives.

Protecting Yourself from Business Email Compromise Attacks

While tax agency impersonation and spoofing attacks have been the most common types of attacks, Abnormal researchers have found a number of examples where attackers impersonate internal resources and employees. In one attack on employees of a Fortune 500 printing and digital services company, the attacker impersonated a high-ranking employee and asked employees to click on a malicious link. Another impersonation attack, perpetrated against one of the world’s largest beverage companies, asked employees to click on a phony voicemail forwarded by an executive with the company.

Business email compromise attacks are a constant threat to enterprises and their employees. While malicious threat actors are gearing up to focus on the tax deadline to carry out upcoming attacks, their methods are constantly changing. After this spike, we expect cybercriminals to return to their most successful attacks, including brand impersonation and credential phishing attacks that tend to bypass traditional secure email gateways.

To protect your organization from novel attacks like these, request a demo to see how Abnormal Security can help you.
