TrickBot Used in Tax Season Email Spoofing

As April 15, the US tax-filing deadline, swiftly approaches, cyber-criminals are taking advantage of the season, using campaigns to deceive three of the biggest accounting, tax services and payroll companies in the US, according to researchers at IBM X-Force.

In monitoring tax-related malicious activity, researchers found that threat actors have been using the financial malware TrickBot to impersonate companies, including ADP and Paychex

“These campaigns attempted to deceive recipients into believing they were emailed by large accounting, tax and payroll services firms and carried malicious Microsoft Excel attachments,” IBM’s John Zorabedian, Dr. Martin Steigemann and Ashkan Vila wrote in today’s blog post.  

“The size of the spoofed firms suggests the criminals are likely to have some success in snagging individual users and businesses that are customers of these well-known companies.” All three of the sample emails that were analyzed were written in English, indicating that the attackers were targeting victims in the United States.

A highly effective piece of malware, TrickBot is commonly used to infect devices and steal valuable data, including banking credentials, according to researchers. While the campaigns seem to be targeting businesses, these tax refund scams also pose risks to the 150 million people expected to file this year, and annually cost taxpayers at least $1.6bn, according to researchers.  

Credit: IBM X-Force
Credit: IBM X-Force

“To reinforce the illusion of legitimacy, the signatures of each of the emails mimic typical business signatures, including a name, job title and contact details, as well as mock email footers that the cybercriminals may have copied from legitimate business emails,” the authors wrote.

IBM’s X-Force researchers advise that end users open attachments with caution, particularly as recipients are more likely to expect emails from their tax service providers at this time of year. While electronically filing taxes may be more convenient, consumers should remember that the US Internal Revenue Service (IRS) does not initiate contact with taxpayers by email, phone, text messages or social media channels to request personal or financial information. To avoid tax scams, researchers warned not to respond to such requests.

What’s Hot on Infosecurity Magazine?