Another year brings another tax deadline — and another opportunity for scammers to target email users with tax-themed phishing attacks. While tax season consistently marks a peak in email-based scams, this year has seen a notable shift in the tactics used by social engineers.
The Tax Scam
Phishing Email Content Analysis
Fortra analyzed multiple instances of this attack campaign and identified the following threat patterns. The attack begins with the victim receiving an email that requests their assistance with tax filing. The lure opens with a generic greeting, such as “Hello”, indicating that this is not a spear phishing campaign. The lack of personalization suggests that these emails are part of a broad phishing campaign in which attackers recycle the same message to reach as many potential victims as possible. The sender names and email domains vary with each attempt. Fortra has observed the scam operating under numerous fake identities such as “Brenda” or “Susan”, with every instance lacking a last name. Another common pattern is that the Reply-To address does not match the From address, a well-known sign of phishing. The mismatch lets the scammer present one address to the recipient (and to sender-reputation checks) while routing any reply to a different, attacker-controlled inbox. Attackers use this tactic in phishing emails to evade detection controls and to keep the conversation going even if the original sending account is flagged or taken down.
The screenshot above highlights a variation of the lure that showcases the latest shift in tax scam tactics. In this version, the scammer expands the backstory by claiming to need the recipient's help because their previous accountant was affected by the recent California wildfires. This is a notable evolution in tax scam tactics: the attacker weaves a recent real-world event into a generic phishing lure to make the email feel authentic. Tying an emotionally charged calamity to a generic scam can provoke an emotional response in the recipient, making it harder for them to notice the signs of a phishing attack.
Fortra’s analysis also revealed that most of these emails are well written with proper grammar, although a small subset contain minor spelling errors, such as “for” being misspelt as “f=r” in the first sentence of the screenshot above. The broadly improved writing quality of these scams could be attributed to attackers using generative AI to compose convincing email content. Attackers' increasing reliance on generative machine learning models concerns cyber defenders and users alike, because it removes well-known phishing indicators such as spelling mistakes and grammatical errors and so weakens the end user's ability to identify social engineering attempts.
The Malware Injection
When the recipient agrees to help the scammer with their taxes by replying to the email, they receive a link to download the “tax documents” from an external site rather than a file attached to the message. The attacker uses this technique to disguise the malicious file as the promised tax paperwork and trick the recipient into downloading malware. Hosting the file behind an external link also keeps it out of reach of email security controls and filters: attackers can generate an effectively unlimited number of unique phishing URLs, host the file on legitimate service providers’ sites whose domains have good reputations, or use link shorteners to obscure the destination, and the content behind the link can be swapped after the email has already passed filtering. By contrast, a file attached directly to an email is inspected in transit and is much easier to block, because its hash or content can be matched against known malware signatures. Using the variability of phishing links to send users to an external file host is therefore an effective tactic for bypassing email attachment security controls.
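The indicators described in the content analysis above (generic greeting, first-name-only sender, Reply-To on a different domain than From) and in this section (the “documents” arriving as a link to an external host or through a URL shortener) can be checked mechanically at the gateway or in a triage script. The following Python is an added example, not Fortra's tooling; the message it parses is constructed to mirror the described traits, and every address, host and URL in it is a placeholder. The shortener list and the document-extension list are assumptions a deployment would extend.

```python
"""Triage heuristics for the tax-assistance lure: header and link checks.

Added example, not code from the original post or from Fortra. The sample
message is constructed; all addresses, hosts and URLs are placeholders.
"""
import re
from email import policy
from email.parser import BytesParser
from urllib.parse import urlparse

# Constructed sample message reproducing the traits described in the post.
SAMPLE_EML = b"""From: Brenda <brenda@example-sender.test>
Reply-To: brenda.taxhelp@mail-reply.test
To: preparer@firm.test
Subject: Help needed with my taxes
Content-Type: text/plain; charset=utf-8

Hello,

My accountant was affected by the wildfires and I need help filing.
My documents are here: https://files-share.test/d/abc123/tax-docs.pdf
Also: https://bit.ly/3xyz
Thanks,
Brenda
"""

GENERIC_GREETINGS = ("hello", "hi", "hi there", "dear sir/madam", "greetings")
# Assumption: a short starter list of shortener hosts; extend for production.
SHORTENER_HOSTS = {"bit.ly", "tinyurl.com", "t.co", "goo.gl", "is.gd"}
DOC_EXTENSIONS = (".pdf", ".zip", ".exe", ".iso", ".docx", ".xlsx")
URL_RE = re.compile(r"https?://[^\s<>\"']+")


def _domain(addr_header):
    """Lower-cased domain of the first address in a header, or '' if absent."""
    if not addr_header or not addr_header.addresses:
        return ""
    return addr_header.addresses[0].domain.lower()


def triage(raw_eml):
    """Return a list of human-readable findings for one raw RFC 5322 message."""
    msg = BytesParser(policy=policy.default).parsebytes(raw_eml)
    findings = []

    # 1. Reply-To domain differs from From domain: replies go elsewhere.
    from_hdr, reply_hdr = msg["From"], msg["Reply-To"]
    from_dom, reply_dom = _domain(from_hdr), _domain(reply_hdr)
    if reply_dom and reply_dom != from_dom:
        findings.append(f"reply-to domain {reply_dom!r} differs from sender domain {from_dom!r}")

    # 2. Display name is a lone first name ("Brenda", "Susan").
    display = from_hdr.addresses[0].display_name.strip() if from_dom else ""
    if display and len(display.split()) == 1:
        findings.append(f"sender display name {display!r} has no surname")

    # 3. Generic greeting on the first non-blank body line.
    body = msg.get_body(preferencelist=("plain",)).get_content()
    first_line = next((ln.strip() for ln in body.splitlines() if ln.strip()), "")
    if first_line.rstrip(",:!").lower() in GENERIC_GREETINGS:
        findings.append(f"generic greeting {first_line!r}")

    # 4. Documents delivered as external links or through a shortener.
    for url in URL_RE.findall(body):
        parsed = urlparse(url)
        host = (parsed.hostname or "").lower()
        if host in SHORTENER_HOSTS:
            findings.append(f"shortened link {url}")
        elif parsed.path.lower().endswith(DOC_EXTENSIONS):
            findings.append(f"externally hosted document link {url}")
    return findings


if __name__ == "__main__":
    for finding in triage(SAMPLE_EML):
        print("-", finding)
```

None of these checks is conclusive on its own (plenty of legitimate mail uses a different Reply-To or a shared-drive link); the value is in the combination, which is why `triage` returns every finding rather than a single verdict, so a gateway rule or analyst can score the message.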
Once the recipient opens what is presented as a PDF of tax documents, the tax preparer’s device is infected with an executable that steals sensitive financial data and personally identifiable information (PII). Because this scam targets tax preparers, accountants, and other professionals in the financial industry, a single infection can expose a wide portfolio of PII and financial data belonging to many clients. The scammer can then use this information to redirect a client’s tax refund deposit into an attacker-controlled bank account, effectively committing fraud, theft, and identity compromise. Threat actors could also sell the data on the dark web or use the PII to launch highly targeted spear phishing campaigns against the victims' clients.
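The post does not detail how the “PDF” infects the device, so the check below makes the simplest assumption: the downloaded file is a Windows executable carrying a .pdf-looking name. It is an added example, not Fortra's analysis tooling, and it verifies the file's real type from its bytes rather than trusting the name: a genuine PE file starts with the DOS `MZ` stub and has an `e_lfanew` offset at byte 0x3C pointing at the `PE\0\0` signature, whereas a PDF starts with `%PDF-`. It also flags two common filename tricks, a double extension (`tax-docs.pdf.exe`) and a right-to-left override character that makes `exe` render as `pdf`. The PE and PDF byte strings are constructed for the example.

```python
"""Checks for a download that claims to be a PDF but is an executable.

Added example, not code from the original post. FAKE_PE and FAKE_PDF are
constructed byte strings, not real samples; the mechanism the actual campaign
uses is not specified on the page, so this covers the PE-renamed-to-.pdf case.
"""
import struct

RLO = "\u202e"  # Unicode RIGHT-TO-LEFT OVERRIDE
EXEC_EXTENSIONS = {"exe", "scr", "com", "js", "vbs", "bat", "cmd", "lnk", "msi"}


def looks_like_pe(data):
    """True if data has a DOS header whose e_lfanew points at 'PE\\0\\0'."""
    if len(data) < 0x40 or data[:2] != b"MZ":
        return False
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    return data[e_lfanew:e_lfanew + 4] == b"PE\x00\x00"


def looks_like_pdf(data):
    """True if data begins with the PDF header magic."""
    return data[:5] == b"%PDF-"


def suspicious_name(name):
    """Filename-only tells: RLO trick and double extensions."""
    reasons = []
    if RLO in name:
        reasons.append("right-to-left override in filename")
    parts = name.lower().split(".")
    if len(parts) > 2 and parts[-1] in EXEC_EXTENSIONS:
        reasons.append("double extension")
    return reasons


def assess_download(name, data):
    """Combine filename and content checks; returns a list of reasons (empty = clean)."""
    reasons = suspicious_name(name)
    claims_pdf = name.lower().endswith(".pdf")
    if claims_pdf and looks_like_pe(data):
        reasons.append("file named .pdf but content is a Windows executable")
    elif claims_pdf and not looks_like_pdf(data):
        reasons.append("file named .pdf lacks %PDF header")
    return reasons


def _build_fake_pe():
    """Constructed minimal PE-shaped blob: MZ stub, e_lfanew=0x40, PE signature."""
    dos_header = bytearray(b"MZ" + b"\x00" * 0x3E)
    struct.pack_into("<I", dos_header, 0x3C, 0x40)
    return bytes(dos_header) + b"PE\x00\x00" + b"\x00" * 20


FAKE_PE = _build_fake_pe()
FAKE_PDF = b"%PDF-1.7\n%\xe2\xe3\xcf\xd3\n1 0 obj\n<< /Type /Catalog >>\nendobj\n"


if __name__ == "__main__":
    for fname, blob in (("tax-docs.pdf", FAKE_PE),
                        ("tax-docs.pdf", FAKE_PDF),
                        ("tax-docs.pdf.exe", FAKE_PE),
                        (f"tax-docs{RLO}fdp.exe", FAKE_PE)):
        print(repr(fname), "->", assess_download(fname, blob) or "ok")
```

Checking `e_lfanew` rather than just the first two bytes matters because many innocuous formats can begin with arbitrary bytes; requiring the `PE\0\0` signature at the offset the header declares makes a false positive on a real PDF effectively impossible.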
Why Tax Fraud Threats Persist After April 15
Although many users assume tax-related scams stop circulating after the filing deadline, Fortra’s analysis shows otherwise. Our threat research indicates this phishing campaign is likely to continue beyond tax season due to its proven effectiveness in reaching a broad audience of email users.
Rather than disappearing, the scam is expected to evolve to maintain relevance and elicit responses. Attackers may replace references to specific events — such as the California wildfires — with future real-world incidents that can trigger emotional engagement. They may also adjust the narrative, shifting from tax filing assistance to scenarios involving tax extensions, overdue filings, or prior-year returns.
These variations help preserve the scam’s relevance beyond tax season while increasing its credibility, making it more likely to deceive recipients into engaging with malicious requests for “tax assistance.”
Phishing attacks will continue to evolve as threat actors refine their tactics and expand their toolsets. These social engineering threats are widespread and can target inboxes at any stage of the cyberattack chain, from reconnaissance, where attackers verify active email addresses, to payload delivery, including malware campaigns like those discussed in this blog.
Fortra's comprehensive suite of cybersecurity solutions helps organizations stay vigilant and defend against these constantly evolving threats.
Fortra’s advanced portfolio of cybersecurity solutions can help you break the attack chain.