By Eric Howes, KnowBe4 Principal Lab Researcher. Once again we are starting tax season, and malicious actors are spinning up phishing campaigns to exploit the myriad opportunities afforded by this annual ritual to trick unsuspecting users into coughing up their money, identities, and the credentials to online accounts.
Curiously, these campaigns are proceeding even though the U.S. government is partially shut down, causing widespread confusion over whether the IRS will be sufficiently operational to process tax returns and issue refunds. The bad guys, of course, appear to be facing no operational difficulties and are more than happy to step in to take your refunds, your bank accounts, and your identity.

Although we have not as yet seen the now infamous W-2 phishing campaigns that have plagued previous tax seasons, they are almost certainly on the near horizon. Until then, users and IT admins should be on the lookout for the several tax-themed phishing campaigns that are landing in inboxes right now.
First, amidst a more general increase in voicemail-themed phishing campaigns, malicious actors are now flooding users' inboxes with ominous warnings about alleged voice mails from the IRS.
The malicious links in these emails point to a spoofed Microsoft login page, which ought to be a tip-off that something is amiss.
Users who fall for this ruse and enter their login credentials will, of course, be compromising their online accounts, providing the bad guys a beachhead inside their organization's network.
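The two tells described above (an IRS-themed voicemail lure whose link lands on a Microsoft-style login page that is not Microsoft's) can be checked mechanically at the mail gateway or in a SOC triage script. The following is an added example written for this post, not KnowBe4's tooling; the sample messages are constructed, and the allow-list of legitimate Microsoft sign-in hosts is an assumption you would extend with your own tenant's verified domains.

```python
import re
from urllib.parse import urlparse

# Constructed sample messages (not real campaign data): one IRS voicemail lure,
# one ordinary client email, one genuine-looking IRS notice.
SAMPLE_EMAILS = [
    {
        "from": "IRS Voicemail Service <noreply@irs-voice-notice.example>",
        "subject": "You have 1 new voice message from IRS",
        "body": "A voicemail regarding your tax account is waiting. "
                "Listen now: https://login-microsoft-online.example/owa/auth",
    },
    {
        "from": "Alice <alice@client-firm.example>",
        "subject": "Q4 numbers",
        "body": "Draft attached, see https://docs.client-firm.example/q4",
    },
    {
        "from": "IRS <no_reply@irs.gov>",
        "subject": "Your refund status",
        "body": "Check status at https://www.irs.gov/refunds",
    },
]

# Lure vocabulary seen in tax-season campaigns: voicemail notices and IRS/tax/refund themes.
THEME_RE = re.compile(r"\b(voice ?mails?|voice messages?|irs|tax(?:es)?|refunds?)\b", re.I)
URL_RE = re.compile(r"""https?://[^\s<>"']+""", re.I)
# Path fragments typical of credential-harvesting pages imitating Microsoft sign-in.
LOGIN_PATH_RE = re.compile(r"(login|signin|auth|owa|office365|outlook)", re.I)

# Assumption: hosts that legitimately serve Microsoft sign-in pages. Extend for your tenant.
MICROSOFT_LOGIN_HOSTS = {"login.microsoftonline.com", "login.live.com", "login.microsoft.com"}
IRS_DOMAIN = "irs.gov"


def sender_domain(from_header):
    """Return the domain of the address in a From: header, lower-cased."""
    m = re.search(r"@([\w.-]+)", from_header)
    return m.group(1).lower() if m else ""


def extract_urls(text):
    return URL_RE.findall(text)


def same_org(host, domain):
    """True if host is the domain itself or a subdomain of it."""
    return bool(domain) and (host == domain or host.endswith("." + domain))


def analyze(email):
    """Return a triage record: lure theme present, concrete findings, and a verdict."""
    findings = []
    themed = bool(THEME_RE.search(email["subject"] + " " + email["body"]))
    sdom = sender_domain(email["from"])

    # Display name claims to be the IRS but the mail does not come from irs.gov.
    if re.search(r"\birs\b", email["from"], re.I) and not same_org(sdom, IRS_DOMAIN):
        findings.append(f"sender claims IRS but mail is from {sdom}")

    for url in extract_urls(email["body"]):
        parsed = urlparse(url)
        host = (parsed.hostname or "").lower()
        if not same_org(host, sdom):
            findings.append(f"link host {host} does not match sender domain {sdom}")
        # Microsoft-looking host or login-style path that is neither an allow-listed
        # Microsoft host nor the sender's own infrastructure: likely a spoofed login page.
        looks_like_login = ("microsoft" in host or "office" in host
                            or LOGIN_PATH_RE.search(parsed.path) is not None)
        if looks_like_login and host not in MICROSOFT_LOGIN_HOSTS and not same_org(host, sdom):
            findings.append(f"possible spoofed login page at {host}{parsed.path}")

    verdict = "review" if themed and findings else "ok"
    return {"themed": themed, "findings": findings, "verdict": verdict}


if __name__ == "__main__":
    for e in SAMPLE_EMAILS:
        r = analyze(e)
        print(f'{r["verdict"]:6} {e["subject"]!r}')
        for f in r["findings"]:
            print("   -", f)
```

The check is deliberately conservative: a themed message is only escalated when at least one concrete mismatch exists, so the genuine irs.gov notice and the ordinary client email pass, while the voicemail lure is escalated on three separate grounds. In practice you would feed it parsed MIME headers rather than dictionaries and route "review" results to a quarantine or analyst queue.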
Second, as in previous years, malicious actors are once again targeting accounting firms and legal practices that specialize in tax matters, pretending to be new clients looking for help with tax preparation and related issues. The goal of these phishing emails is often to draw targeted employees into a back-and-forth that gives the attackers a pretext for sending malicious Office documents, which frequently install sophisticated backdoor trojans. In some cases, though, the bad guys do not wait, offering up malicious links and attachments in the initial email.
Tax professionals who click these links or open those attachments are putting their own clients' data at risk. Law firms and accounting practices are highly lucrative targets for malicious actors, as these organizations are treasure troves of sensitive client data that can be exploited for identity theft and other forms of financial fraud. And tax season is a prime opportunity for malicious online actors to deploy social engineering schemes that leverage victims' own inevitable focus on tax issues to gain access to this incredibly valuable data.
It's not just the data of individual tax filers that are at risk, though. Companies and organizations should be equally concerned that these tax-themed phishing campaigns could be used to compromise their networks and, as a result of such a breach, the security of data belonging to their own employees, customers, and clients. And as the data of your clients, customers, and employees goes, so, too, does your organization's reputation, financial integrity, legal exposure, and customer/client base.
While standard anti-virus applications have seen some improvements in detecting and blocking these kinds of social engineering schemes, they cannot replace routine New-school Security Awareness Training, which is properly designed to harden the real targets of these phishing schemes: your all-too-human users.
If you've ever wondered just how vulnerable your users are to these kinds of sophisticated phishing campaigns -- malicious email campaigns they will almost certainly be encountering over the next few months -- tax season is the perfect excuse to find out.