April 18 marks the end of the 2022 US tax season and those individuals who are yet to file their taxes should get a move on.
But they should not throw caution to the wind, as scammers, fraudsters, phishers and malware peddlers are working hard to exploit the rush to make the deadline.
The latest tax-themed scams and malicious tactics
Scammers and malware peddlers employ some methods repeatedly over the years, because they still work.
“Many of us receive text messages from scammers impersonating a variety of companies including the IRS. While this may seem legit, the IRS does not use text messages for personal tax issues nor do they send taxpayers messages on social media especially in regards to bills or refunds,” Lookout researchers caution.
Phone scams impersonating the IRS and leaving pre-recorded, threatening or urgent messages are also abundant, and so are emails that appear to be from the IRS or affiliated organizations and ask taxpayers to share sensitive information.
“Threat actors often put in the least amount of work possible for a maximum return, sending out phishing emails to thousands of targets. Even if less than one percent of victims respond, the return on investment is still significant due to the gain of personally identifiable information (PII) and/or establishing a foothold within an organization using stolen credentials, malware, or other means,” Fortinet researchers Shunichi Imano and Val Saengphaibul noted, and warned about recent campaings involving IRS-themed email delivering Emotet and a W-8 themed tax scam.
Trend Micro warns about the usual tax refund scams, stimulus payments scams, and phone scams during which the scammers pretend to be from the IRS Taxpayer Advocate Service and ask for the target’s SSN, Individual Taxpayer Identification Number (ITIN), or Identity Protection PIN.
Avanan researchers have documented yet another innovative approach: hackers are spoofing popular fintech apps like (personal finance app) Stash and (investment app) Public to trick users into sharing their login credentials and personal information.
The fake emails take the form of a notification that the target’s tax document is ready.
“It’s a clever strategy, as fintech apps represent a huge amount of users to scam. According to one study, 88% of Americans use some form of fintech, up from 58% in 2020,” Avanan researchers noted.
“Further, these sorts of scams may catch users off guard. They may not be expecting tax documents from these apps, inducing them to click. Since most of these services are mobile-first, users may receive this on their phone and may forget about typical cyber hygiene.”
Andrew Whaley, Senior Technical Director at Promon, also recently warned about fake mobile tax apps pushing malware.
How to keep safe
The IRS has implemented some additional protections last year to help taxpayers avoid identity theft and is contantly issuing alerts about specific approaches scammers and fraudsters are using to target individuals and organizations, as well as offering advice on minimizing exposure to fraud and identity theft.
In general, beware of unsolicited emails and attachments – they might be carrying malware – and watch out for spoofed websites.
“Don’t provide any information that isn’t required or satisfy unnecessary requests. The IRS will never ask for your login credentials. Its agents won’t demand immediate payments through a specific method, such as a wire transfer or prepaid debit card,” advises Matthew McGuirk, Solution Architect at Source Defense.