Tax-Related Email Attacks Set to Spike in May

Recent email attacks detected by Abnormal Security, combined with an analysis of historical attack data, indicate that email attacks related to federal taxes are likely to spike in the coming weeks in advance of the May 17 filing deadline.

As seen in Figure 1 below, tax-related attacks in 2021 have followed a similar pattern as 2020, where attack volume steadily increased throughout the early weeks of March. Last year, the IRS announced on March 21 that the filing deadline would be extended until July 15. This was followed by a significant slowdown of tax-related email attacks – a 59% reduction from the week of July 15 to the week of July 22. Volume remained low until July 5, 2020 – 10 days before the tax deadline – when tax-related email attacks surged. Attack volume increased 122% between the weeks of June 28 and July 5.

In 2021, Abnormal’s data points to a similar trajectory, with attack volume increasing through the early weeks of March before a March 17 announcement that the filing deadline would be extended until May 17. Tax-related attacks immediately cratered, falling by 60% between the weeks of March 14 and March 21. As we approach the new May deadline, Abnormal Security expects to see a dramatic increase in tax-related email attacks, mirroring activity in 2020.

Figure 1: week-to-week attacks in 2020 overlaid on week-to-week attacks in 2021 to date. We use the metric of attacks per 1,000 mailboxes to normalize for different-sized organizations in the dataset.

When comparing tax-related email attack data between 2020 and 2021, Abnormal Security researchers have found that, compared to this time last year, attack volume for customers who were integrated in both 2020 and 2021 is up a whopping 400% (see Figure 2), indicating that the upcoming spike will be significant. 

Figure 2

While the volume of tax-related email attacks is much higher this year, total attack volume is consistent with 2020 data. This is likely a result of opportunistic attackers leveraging the fear and confusion around the COVID-19 pandemic in the Spring of 2020, as seen in Figure 3.

Figure 3: Tax-related attacks vs. COVID-related attacks in 2020.

What to Look For: About the Attacks

With the likelihood of increased attack activity leading up to the May 17 filing deadline, employees and security teams can learn from an analysis of year-to-date email attack data. Major themes included the status of users’ tax refunds, additional tax credits, and issues with their tax filings. Attacks impersonating or spoofing tax collection agencies have been prevalent:

  • 14.6% of all tax-related email subjects referenced the IRS;
  • 11.8% referenced Her Majesty’s Revenue and Customs (HMRC), the UK’s tax agency;
  • 52% of spoofing or impersonation tax-related attacks referenced the IRS in the “from” address.

The top attack groups have used subject lines that include: “[EXT] Claim your free tax credit today”, “[EXT] Are you a future crypto tax preparer”, “HMRC Fourth SEISS Tax Refund Notification”, “Recalculation of Your Tax Refund Payment”, “Fw: Accepted Tax Payment: INTUIT SERVICE NOTICE.”
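As an added illustration of the indicators described above (example code written for this page, not Abnormal Security’s detection logic), the following Python scores message headers for the combination the post reports: a tax-themed subject paired with an IRS or HMRC claim in the From display name or sending domain that does not belong to the agency. The agency domains and the sample headers are assumptions constructed for the example.

```python
import re
from email.utils import parseaddr

# Legitimate sender domains for the two agencies the post says are impersonated most.
# Assumption: only these are treated as genuine; extend the tuples for your own tenant.
AGENCY_DOMAINS = {"irs": ("irs.gov",), "hmrc": ("hmrc.gov.uk", "gov.uk")}
AGENCY_CLAIMS = {
    "irs": re.compile(r"\b(irs|internal revenue service)\b", re.I),
    "hmrc": re.compile(r"\b(hmrc|revenue\s*(&|and)\s*customs)\b", re.I),
}
# Subject themes the post reports: refund status, tax credits, filing issues, vendor notices.
TAX_THEME = re.compile(r"\b(tax(es)?|refund|seiss|intuit|filing)\b", re.I)

def claimed_agency(name, domain):
    """Return the agency named in the display name or sending domain, else None."""
    for agency, pat in AGENCY_CLAIMS.items():
        if pat.search(name) or pat.search(domain):
            return agency
    return None

def is_legit_domain(agency, domain):
    """True when the domain is, or is a subdomain of, an official agency domain."""
    return any(domain == d or domain.endswith("." + d) for d in AGENCY_DOMAINS[agency])

def score_message(msg):
    """Flag a message that pairs a tax theme with an agency claim from a non-agency domain."""
    name, addr = parseaddr(msg["from"])
    domain = addr.rsplit("@", 1)[-1].lower() if "@" in addr else ""
    reasons = []
    if TAX_THEME.search(msg["subject"]):
        reasons.append("tax-themed subject")
    agency = claimed_agency(name, domain)
    if agency and not is_legit_domain(agency, domain):
        reasons.append(f"{agency.upper()} claimed by sender at {domain or 'no address'}")
    verdict = "suspicious" if len(reasons) == 2 else "review" if reasons else "clean"
    return {"verdict": verdict, "reasons": reasons}

# Constructed sample headers (not real attack data) using subject lines quoted in the post.
SAMPLES = [
    {"from": "IRS Refund Center <notice@irs-refund-status.example>",
     "subject": "Recalculation of Your Tax Refund Payment"},
    {"from": "HMRC <do-not-reply@hmrc-gov.example>",
     "subject": "HMRC Fourth SEISS Tax Refund Notification"},
    {"from": "HR Team <hr@corp.example>", "subject": "Tax documents are in the HR portal"},
    {"from": "Internal Revenue Service <noreply@irs.gov>", "subject": "Account notice"},
]

if __name__ == "__main__":
    for m in SAMPLES:
        print(m["subject"], "->", score_message(m))
```

The two spoofed samples score "suspicious", the internal HR notice only "review", and mail from the agency’s own domain stays "clean".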

This year’s tax-related attack data points to malicious actors becoming increasingly sophisticated in their targeting of high-level, VIP recipients. This is supported by the fact that:

  • Nearly 100% of attacks have targeted individuals rather than group mailboxes;
  • Twelve percent of attacks targeted VIP employees, a 90% increase over the percentage of attacks targeting VIPs across all attack types (6.7%) during this period;

Additionally, employees with Head, VP, and finance titles received tax-related attacks at rates disproportionate to their base percentages, seeing 33%, 100%, and 300% higher attack percentages than typical (see Figure 4 below).

Figure 4: Attacks broken down by targets within the organization. (Table columns: Job Level; % of recipients at this level receiving a tax-related attack; % of recipients at this level receiving any attack.)

Abnormal Security researchers found that the majority of malicious tax-related attacks (63.9%) were attempts at credential phishing. Credential phishing can lead to compromised accounts, providing attackers with a foothold inside the organization and putting the organization at risk for data loss or further attacks launched from within. Credential phishing was followed by malware (13.2%), reconnaissance (6.8%), and scams (5.8%) as the top attack motives (see Figure 5 below).

Figure 5: Breakdowns of attack goals for tax-related attacks.

Attack Examples

Included below are examples of IRS and HMRC email attacks targeting employees.

Figure 6: Attackers impersonating the IRS

Figure 7: Attackers impersonating Her Majesty’s Revenue & Customs, the tax agency for the United Kingdom.

While tax agency impersonation and spoofing attacks have been the most common types of attacks, Abnormal researchers have found a number of examples where attackers are impersonating internal resources and employees. For example, Figure 8 shows an attack targeting employees of a Fortune 500 printing and digital services company in which a high-ranking employee was impersonated, asking employees to click on a malicious link. Additionally, Figure 9 shows an impersonation attack perpetrated against one of the world’s largest beverage companies, where employees were asked to click on a phony voicemail forwarded by an executive with the company.

Figure 8: An attack perpetrated against an F500 printing and digital services company.

Figure 9: An attack perpetrated against one of the world’s largest beverage companies.

Business email compromise attacks are a constant threat to enterprises and their employees. While malicious threat actors are gearing up to focus on the tax deadline to carry out upcoming attacks, their methods are constantly changing. Most organizations and their employees are not prepared for the level of sophistication inherent in modern email attacks. To protect your organization from novel attacks like these, which often get past traditional email security solutions, request a demo to see how Abnormal Security can help you.
