
Another year, another tax deadline, and yet another opportunity for scammers to lure email users through tax themed phishing attacks. Although tax season is always peak time for email scams, this year brought on an interesting shift in the threat tactics used by social engineers. This blog will break down a prevalent social engineering attack campaign identified by Fortra, the latest change in phishing tactics, and how this campaign is predicted to evolve and persist even after the tax deadline has passed.
The Tax Scam
Phishing Email Content Analysis
Fortra has analyzed multiple instances of this attack campaign and identified the following threat patterns. The nature of this attack begins with the victim receiving an email that requests their assistance with tax filing. The lure begins with a generic greeting, such as “Hello”, indicating that this isn’t a spear phishing campaign. The lack of personalization and targeted greetings suggests that these emails are part of a broader phishing campaign where attackers recycle the emails with the aim of reaching as many potential victims as possible. The sender names and email domains tend to vary with each attack attempt. Fortra has observed the scam operating under numerous fake identities such as “Brenda” or “Susan”, with all instances lacking a last name. Another common pattern observed in these emails is that the reply-to email does not match the sender’s email, which is a common sign of a phishing attack. This mismatch in emails can allow the scammer to redirect email responses to another inbox, such as an attacker-controlled email account. Attackers tend to use this common tactic in phishing emails to evade detection controls.
The screenshot above highlights a variation identified in these lures which showcases the latest shift in tax scam tactics. In this version of the lure, the scammer expands on their backstory by claiming that they are requesting the recipient's help because their older accountant was impacted by the recent California wildfires. This is a notable evolution in tax scam tactics: the attacker weaves a recent world event into a generic phishing lure to make the email content appear more authentic. Tying an emotionally charged calamity to a generic scam can provoke an emotional response from the recipient, which makes it harder for them to spot the signs of a phishing attack.
Fortra’s analysis also revealed that most of these emails tend to be well written with proper grammar, although a small subset may contain minor spelling errors, such as “for” being misspelt as “f=r” in the first sentence of the screenshot above. The broadly improved writing quality of these scams could be attributed to attackers leveraging generative AI to produce well-composed, deceptive email content. Attackers’ increasing reliance on generative machine learning models is concerning to cyber defenders and users alike, as it removes well-known phishing indicators such as spelling mistakes and grammatical errors and so undermines the end user’s ability to identify social engineering attempts.
The Malware Injection
When the recipient agrees to assist the scammer with their taxes by responding to the email, they receive an attachment shared through an external download link. The attacker uses this technique to conceal the malicious file under the guise of sharing their tax documents, in an attempt to trick the end user into downloading malware. Hosting the attachment behind an external link also keeps the malicious file out of reach of email security controls and filters, because attackers can generate an almost unlimited number of unique phishing links, host malicious files on legitimate service providers’ sites, or use link shorteners to obscure a phishing link. Attaching a malicious file directly to an email, on the other hand, is much easier to thwart, because the file can be identified as soon as its hash matches a known malware signature. Leveraging the variability of phishing links to send users to an external file hosting site is therefore an effective tactic for bypassing email attachment security controls.
Once the tax preparer downloads this deceptive PDF document, their device is infected with an executable that can steal sensitive financial data and personally identifiable information (PII). Given that this scam targets tax preparers, accountants, and other professionals in the financial industry, this malware infection allows the threat actor to compromise a wide portfolio of PII and financial data belonging to many clients. The scammer can then exploit this sensitive information to redirect the deposit of a client’s tax refund into an attacker-controlled bank account, effectively committing fraud, theft, and identity compromise. Threat actors could also sell this information on the dark web or use the PII to launch highly targeted spear phishing campaigns against the victims.
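The indicators described in the two passages above (a Reply-To address that does not match the sender, a generic greeting, a first-name-only sender, and a document delivered through an external download link) can be checked mechanically at the mail gateway or in a triage script. The following Python example is added here and is not Fortra's code; the email it scores is a constructed sample modelled on the lure described in this post, and all domains and the link in it are placeholders.

```python
import re
from email import message_from_string
from email.utils import parseaddr

# Constructed sample modelled on the lure in this post; domains and link are placeholders.
SAMPLE_EMAIL = """\
From: Brenda <brenda@sender-placeholder.test>
Reply-To: help.desk@other-placeholder.test
Subject: Help with my tax filing
Content-Type: text/plain

Hello,
I am looking f=r someone to help with my taxes this year.
My documents are here: https://files.host-placeholder.test/d/abc123
Thank you,
Brenda
"""

GENERIC_GREETINGS = ("hello", "hi", "dear sir", "dear madam", "greetings")
URL_RE = re.compile(r'https?://[^\s<>"]+')

def reply_to_mismatch(msg):
    """True when a Reply-To header is present and its domain differs from the From domain."""
    _, sender = parseaddr(msg.get("From", ""))
    _, reply_to = parseaddr(msg.get("Reply-To", ""))
    if not reply_to:
        return False
    return sender.rsplit("@", 1)[-1].lower() != reply_to.rsplit("@", 1)[-1].lower()

def generic_greeting(body):
    """True when the first non-blank line is an impersonal greeting such as 'Hello,'."""
    lines = body.strip().splitlines()
    first = lines[0].strip().rstrip(",:!.").lower() if lines else ""
    return first in GENERIC_GREETINGS

def single_name_sender(msg):
    """True when the From display name is a single token (no last name)."""
    name, _ = parseaddr(msg.get("From", ""))
    return len(name.split()) == 1

def external_links(body):
    """Return every http(s) URL in the body; the lure delivers its file via such a link."""
    return URL_RE.findall(body)

def score_message(raw):
    """Parse a raw single-part text message and tally the indicators above."""
    msg = message_from_string(raw)
    body = msg.get_payload()  # single-part text/plain assumed for this sample
    indicators = {
        "reply_to_mismatch": reply_to_mismatch(msg),
        "generic_greeting": generic_greeting(body),
        "single_name_sender": single_name_sender(msg),
        "external_download_link": bool(external_links(body)),
    }
    return {"indicators": indicators, "score": sum(indicators.values())}
```

A score of 3 or 4 on an unsolicited request for tax help is a strong cue to quarantine the message for review rather than let the recipient follow the link.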
How Could This Threat Persist After the Tax Deadline?
Although most users assume that these scams will no longer threaten their inboxes once the tax deadline has passed, Fortra’s analysis has revealed otherwise. Fortra’s threat research predicts that this phishing campaign is likely to continue after the tax deadline, as it proved effective in reaching a widespread audience of email users. The scam content will likely evolve to remain relevant enough to provoke a response from the victim. For example, recipients can expect to see new versions of the email content that replace the attacker’s mention of the California wildfires with future world events, especially those that can provoke emotionally charged responses from the user. The scammer may also change the email’s backstory from requesting help with tax filing to asking for the recipient’s help with a tax extension, filing overdue taxes, or even filing taxes from a previous year. These predicted variations will preserve the relevance of the scam beyond the latest tax season and add a layer of realism that further convinces the user of the authenticity of this nefarious tax assistance request.
In conclusion, phishing attacks will always continue to evolve as attackers regularly enhance their arsenal of malicious techniques and tactics. These email social engineering threats are widespread and can target your inbox across any phase of the cyber attack chain. An adversary can send test phishing emails to verify active email addresses while conducting reconnaissance, or scammers can use emails to deliver malware as analyzed in this blog post. Fortra offers a comprehensive suite of cybersecurity solutions that can help you remain vigilant in the face of these ever-evolving threats.
Fortra’s advanced portfolio of cybersecurity solutions can help you break the attack chain.