How to avoid phishing scams as we approach this year's tax deadline
U.S. taxpayers beware! Tax scams and malware attacks are running rampant as we approach this year's tax deadline -- mostly driven by phishing scams.
With the looming April 18 US tax deadline, cybercriminals have sprung into action. For one, a devious Emotet malware phishing campaign has been launched, masquerading as official W-9 tax form emails sent from the Internal Revenue Service (IRS) and companies that may be connected to your work life. A malicious group known as Tactical#Octopus is also on the prowl and looking to spread malware through fake file downloads claiming to be related to taxes.
Furthermore, we predict that enterprises will have to look for more business controls when employees use Line and WhatsApp in the cloud workplace. They will also need to scrutinize SMS risks, as phishers continue to leverage it to scam people out of their money. And it’s only a matter of time until another major breach takes place, originating from these non-sanctioned communication channels… Let’s dive deeper into the facts and predict how cybercriminals will wreak havoc during this year’s tax filing processes.
The Dangers of Emotet Malware
Emotet is a modular Trojan that can steal sensitive data from infected systems, deploy additional malware, and evade detection by security software. One of the latest tactics used by cybercriminals to distribute Emotet is the fake W-9 IRS tax form scam. This scam involves sending an email with a fake W-9 form as an attachment that prompts the user to enable macros to view the contents of the form. Once the user enables macros, the malware is downloaded onto their system.
In addition to these phishing emails and tax scams, Emotet can also spread through exploit kits that take advantage of vulnerabilities in unpatched software. Exploit kits can be delivered through malicious websites, malvertising (malicious advertising), or compromised web servers. Once a user visits a website that hosts an exploit kit, the exploit kit automatically scans their system for vulnerabilities and deploys the malware if a vulnerability is found.
The malware is highly advanced and can adapt to new environments quickly. It can also communicate with its command and control servers to receive new instructions and updates. The modular nature of Emotet malware means that cybercriminals can add new capabilities and features to the malware to suit their needs.
Tactical#Octopus on the Prowl
Cybersecurity experts are also warning about a dangerous group of hackers known as Tactical#Octopus who have devised an insidious ploy to gain access to unsuspecting victims' devices: deploying luring emails disguised with seemingly legitimate tax documents including W-2s and I-9 forms as well real estate purchase contracts in order to infect user machines with malicious malware.
According to the researchers, "Code execution begins when the user double clicks the shortcut file." Typically, the attack starts with emails that contain fraudulent .zip files that are password-protected. To sell the deception, the files have tax-related names like "JRCLIENTCOPY3122.zip" or "TitleContractDocs.zip." The .zip file also contains a .png file and a .lnk file.
The attackers then access victims' computers by having them download a seemingly innocuous PDF. Once opened with the default viewer, these malicious files grant hackers full control of the machine's system. The researchers observed that the hackers are using tools such as clipboard data tracking and keylogging to conduct their activities undetected.
"The TACTICAL#OCTOPUS campaign is overall relatively complex from an initial compromise standpoint," the researchers add.
Messaging Applications & Social Media Channels in the Crosshairs
Beyond these threats hanging over taxpayers’ heads, the upcoming tax deadline has also exacerbated other cybersecurity challenges. For one, enterprises will look for more business controls when employees use communication tools like WhatsApp and Line in the cloud workplace to share tax-related financial data.
Although WhatsApp is one of the most popular messaging apps in the world, it is often not sanctioned as a communication tool for highly regulated industries like pharma and financial services. It has no visibility, no scalable analysis for multi-language environments, and no archiving capability. The same is true for Line app, despite being recognized as a great alternative to WhatsApp and Facebook Messenger and having 178 million monthly active users.
These messaging applications and social media channels are being targeted as primary attack vectors. Around 45 percent of business communication happens in these digital channels beyond email. As a result, many are looking to put in place more robust controls for employees using these types of communications. These measures range from limiting access to certain applications or channels, even while ensuring that legitimate business needs can still be met.
Scammers Continue to Leverage SMS and Smishing Attacks
Cybercriminals are increasingly turning to SMS and other text messaging applications for malicious purposes. These short message service (SMS) attacks can result in serious online damage, including the theft of private data and spreading malware to unknowing users. Enterprises will be scrutinizing SMS risk in a bigger way in the coming months, we predict.
Smishing attacks, as they are often called, rely on SMS messages to dupe unsuspecting victims. Scammers will utilize manipulative phrases such as "Unusual Activity Report", or "Your account has now been put on hold," and suggest fake solutions with attachments or links in order to scam people out of sensitive personal data or even money. According to IRS Commissioner Danny Werfel:
Email and text scams are relentless, and scammers frequently use tax season as a way of tricking people. With people anxious to receive the latest information about a refund or other tax issue, scammers will regularly pose as the IRS, a state tax agency or others in the tax industry in emails and texts. People should be incredibly wary about unexpected messages like this that can be a trap, especially during filing season.
The IRS further reminds everyone that they follow carefully planned communication protocols to help protect taxpayers from fraud. All official contact with individuals is made via regular mail and not through email, text or social media; this applies both for tax bill notifications as well as refunds.
Non-Sanctioned Channels Will Eventually Cause a Major Breach
Finally, we predict that a major breach will originate in non-sanctioned communication channels.
This will eventually be brought about by stricter security and compliance processes that might slow down or hinder employees in some shape or form. When employees feel restricted by their security and compliance solutions, they may go to extreme lengths in order to bypass the regulations -- jeopardizing a company's safety measures. As we predicted at the beginning of 2023, this trend will escalate well into the year.
This will lead to a growing tension between employees and employers, as the latter seek to ensure greater security while still allowing the former to carry out their work efficiently.
However, it’s important to remind employees that social engineering attacks from employee-owned communication channels are highlighted in the news on a weekly basis. Cybercriminals continue to target high value employees on LinkedIn, Telegram, Line, and WhatsApp to infiltrate enterprises. Both sides of the organization -- the employer and the employees -- must find a compromise between productivity and security.
Organizations must therefore balance effective security controls with user experience, or risk losing access to vital communication platforms that could be instrumental in driving business success. Employers may struggle to enforce mandates and policies, but at the end of the day, they will have to weigh the risk versus rewards.
How to Protect Against Tax Scams
The following are best practices for individuals and organizations to adopt to protect themselves from tax scams:
- Be vigilant when receiving unsolicited emails or attachments and verify the sender's identity before opening or downloading any files. Don't click on links or open attachments in emails from unknown sources, and always double-check the sender's email address and content for any signs of phishing attempts.
- Enable macro-blocking in Microsoft Office to prevent macro-based attacks and keep software up to date to prevent exploits from taking advantage of known vulnerabilities. Many campaigns use malicious macros to deliver malware, so it's crucial to block macros by default and only allow them in trusted documents.
- Use reputable cybersecurity solutions that can detect and block Emotet and regularly backup important data to prevent data loss from ransomware attacks. Cybersecurity platforms like SafeGuard Cyber can detect and remove malware and other malicious software. Backing up your data ensures that you don't lose important files in case of a ransomware attack.
- Educate your employees on how to identify and report phishing attempts and other suspicious activity to your IT department or local authorities to help prevent future attacks. Regular security awareness training can go a long way in helping employees identify and avoid phishing attacks, suspicious emails, and social engineering tactics.
As the tax deadline looms and security threats like Emotet malware and Tactical#Octopus are active, enterprises must be mindful of potential cybersecurity threats that can arise from workplaces with cloud-based communication tools like Telegram, Line, or WhatsApp. SMS is particularly vulnerable to phishing scams for illicit monetary gain -- making it only a matter of time before the next big breach becomes reality.
By adopting these best practices, individuals and organizations can stay protected from these tax scams. Remember that prevention is always better than cure, and investing in cybersecurity measures and training can go a long way in mitigating the risks associated with these threats.
Steven Spadaccini, VP Threat Intelligence, SafeGuard Cyber. Steven is a seasoned senior cyber executive with more than 20 years of experience working for some of the highest-profile cybersecurity and technology companies in the world. Prior to joining SafeGuard Cyber, Steven held senior VP leadership positions at Absolute, Trend Micro, Imperva, FireEye (Trellix), and DTEX Systems as well as several other cyber security startups.