It’s not tax season in the United States, but the Internal Revenue Service (IRS) is warning on a new phishing scam built to take advantage of the Oct. 15 deadline for extension filers.
The perpetrators are impersonating tax software providers and attempting to steal usernames and passwords from tax preparation professionals. Once they have their credentials in hand, the bad actors can access the preparers’ accounts and steal client information.
“This sophisticated scam yet again displays cybercriminals’ tax savvy and underscores the need for tax professionals to take strong security measures to protect their clients and protect their business,” the IRS said, in an alert.
“Frankly, it’s not surprising,” said Mike Wyatt, threat researcher at digital threat management firm RiskIQ, via email. “Cybercriminals very often leverage holidays, events and other important dates in their threat campaigns—so it makes perfect sense that a group is capitalising on the extended tax deadlines coming up. Ultimately, getting people to click on their links requires social engineering, and leveraging themes and holidays is a reliable tactic for them. For example, we saw a huge increase in phishing and fake mobile apps during Black Friday and during the Pokemon Go craze.”
This latest scam variation hinges on emails with subject lines that read “Software Support Update” or “Important Software System Upgrade.” The emails thank recipients for continuing to trust the software provider to serve their tax preparation needs and mimic the software providers’ email templates. Then they cut to the chase.
The messages inform recipients that, due to a recent software upgrade, the preparer must revalidate their login credentials, and they provide a link to a fictitious website that mirrors the software provider’s actual login page.
“Savvy threat actors will use convincing branding, language and URLs to make phishing attempts more realistic and more difficult for users to quickly determine the email’s authenticity,” Wyatt said. “However, most brands have very little insight into how their branding is being used in threat campaigns across digital channels. This is a very bad thing, because even though the legitimate brands, like the tax software providers in this instance, have nothing to do with the threat campaigns, many customers will still blame them. In general, people tend to directly associate the legitimate brands with the bad things that happen to them via the fraudulent use of their branded terms, seriously eroding trust.”
Tax professionals and consumers alike can protect themselves by carefully vetting emails before clicking on links related to tax software or filing one’s taxes, he added. When in doubt, pick up the phone and verify the issue before continuing.
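The lure described above (a campaign subject line, a “revalidate your credentials” pretext, and a link to a lookalike login page) can be scored mechanically before a preparer ever clicks. The following is an added example, not code from the IRS or RiskIQ; the vendor name, domains and sample messages are constructed placeholders, and the registrable-domain check is a crude approximation that assumes no public-suffix list.

```python
import re
from urllib.parse import urlparse

# Subject lines the IRS alert attributes to this campaign.
LURE_SUBJECTS = {"software support update", "important software system upgrade"}
# Phrases typical of the "revalidate your login" pretext in the alert.
LURE_PHRASES = ("revalidate", "re-validate", "validate your login", "login credentials")


def registrable_domain(host: str) -> str:
    """Last two labels of a hostname (assumption: no public-suffix list; good enough for .com/.net)."""
    parts = host.lower().rstrip(".").split(".")
    return ".".join(parts[-2:]) if len(parts) >= 2 else host.lower()


def score_email(sender: str, subject: str, body: str) -> dict:
    """Collect campaign indicators; flag the message when a lure and a link/sender domain mismatch coincide.

    Heuristic only: a spoofed From: address can still pass the domain check, so it complements,
    not replaces, the out-of-band verification (pick up the phone) the article recommends.
    """
    sender_domain = registrable_domain(sender.split("@")[-1])
    findings = []
    if subject.strip().lower() in LURE_SUBJECTS:
        findings.append("subject matches campaign lure")
    if any(p in body.lower() for p in LURE_PHRASES):
        findings.append("credential revalidation pretext")
    for url in re.findall(r"https?://[^\s<>\"']+", body):
        host = urlparse(url).hostname or ""
        if registrable_domain(host) != sender_domain:
            findings.append(f"link host {host} does not match sender domain {sender_domain}")
    lure = any(f.startswith(("subject", "credential")) for f in findings)
    mismatch = any(f.startswith("link host") for f in findings)
    return {"suspicious": lure and mismatch, "findings": findings}


# Constructed samples: placeholder vendor "example-taxsoft", not a real provider or indicator.
SAMPLE_PHISH = (
    "support@example-taxsoft.com",
    "Software Support Update",
    "Thank you for trusting us. Due to a recent software upgrade you must "
    "revalidate your login credentials at https://example-taxsoft-login.net/secure",
)
SAMPLE_LEGIT = (
    "support@example-taxsoft.com",
    "October release notes",
    "Release notes for this month are posted at https://www.example-taxsoft.com/notes",
)

if __name__ == "__main__":
    for sample in (SAMPLE_PHISH, SAMPLE_LEGIT):
        print(sample[1], "->", score_email(*sample))
```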