Fraud Management & Cybercrime , Fraud Risk Management , ID Fraud

IRS Warns of Fresh Fraud Tactics as Tax Season Starts

Site Spoofing, Phishing Campaigns Proliferate
IRS Warns of Fresh Fraud Tactics as Tax Season Starts

As tax season begins, the Internal Revenue Service is warning that it's seeing signs of fraudsters spoofing the agency's domains and incorporating its logos and language into phishing campaigns.

See Also: OnDemand | Digital Doppelgängers: The Dual Faces of Deepfake Technology

Meanwhile, security experts warn of other fraud campaigns spoofing government departments, with some using themes capitalizing on COVID-19 economic relief programs.

Earlier this month, the IRS published a notification to tax professionals describing a phishing campaign that spoofs the agency's likeness, with fraudsters attempting to steal Electronic Filing Identification Numbers. The IRS issues these numbers to individuals or firms that have been approved as authorized IRS e-file providers.

In this phishing email scam, the fraudsters are trying to entice tax preparers to email documents that would disclose their identities and Electronic Filing Identification Numbers. The cybercriminals can then use this information to file fraudulent returns by impersonating the tax professional, the IRS notes.

"Like all phishing email scams, it attempts to bait the receiver to take action (opening a link or attachment) with a consequence for failing to do so (disabling the account)," according to the IRS alert. "The links or attachments may be set up to steal information or to download malware onto the tax professional's computer."

The IRS warning notes that fraudsters are also impersonating potential clients for tax preparers. This approach has become more effective because more transactions are being remotely conducted due to the COVID-19 pandemic. These phishing emails likely contained a malicious attachment that, when opened, would download malware, such as information stealers designed to record keystrokes or harvest credentials.

Text of recently spotted phishing email that incorporates language from the IRS (Source: IRS)

Besides Electronic Filing Identification Numbers, the fraudsters might attempt to steal tax pros' Preparer Tax Identification Numbers or e-services usernames and passwords, according to the IRS.

Government Domain Spoofing

Cybercriminals are getting better at spoofing government domains for their phishing campaigns and incorporating logos and language to give the messages a legitimate appearance, security experts say.

"Threat actors often spoof government sites and logos to socially engineer their targets into providing information," says Sherrod DeGrippo, senior director of threat research and detection at security firm Proofpoint.

"These types of attacks usually go beyond stealing simple authentication credentials, such as usernames and passwords, and attempt to steal personal information, including Social Security numbers and bank account information," DeGrippo notes. "We also see a variety of malicious domains registered to trick victims into clicking and entering information. For example, 'taxrefund,' 'taxrefund-claimhere' and 'claimrefundtax-online' are just some of the domains registered with various TLD extensions that distribute malicious payloads or act as phishing landing pages."

COVID-19 Themes

Besides the IRS, other federal agencies have uncovered fraudsters spoofing their sites, especially as part of fraud campaigns designed to take advantage of federal COVID-19 economic relief programs.

In August 2020, for example, security firm Malwarebytes uncovered a phishing campaign spoofing a U.S. Small Business Administration loan offer in an attempt to steal banking credentials and other personal data (see: Phishing Campaign Spoofs SBA Loan Offer).

The Financial Industry Regulatory Authority - or FINRA - which helps self-regulate brokerage firms and exchange markets in the U.S., has also warned about fraudsters creating spoofed websites and domains using members' real names and images in an attempt to steal personal information and credentials.

Tonia Dudley, a strategic adviser at security firm Cofense, says these types of spoofing or phishing campaigns often are launched when new websites are created to support new government benefits programs.

The goal of these campaigns is to steal credentials "to gain access to victims' financial accounts or money - trying to lure funds away from the target recipient," Dudley says.

Once new government benefits programs are established, Dudley says, "it doesn't take long for threat actors to mimic these sites to have success in their campaigns. Often, the threat actor will design their phishing kits … with official logos and website footers to add a level of authenticity."

'Tis the Season

Scams tied to the IRS usually start with the launch of each tax season.

A May 2020 report from Proofpoint tracked about 300 phishing campaigns that spoofed government domains or incorporated language and logos in phishing emails, many of which began around the time tax season started last year and the COVID-19 pandemic escalated.

Example of an IRS-themed phishing email seen in 2020 (Source: Proofpoint)

DeGrippo notes that fraudsters have recently spoofed tax and other government agencies in the U.K. and Europe as well.

Hank Schless, a senior manager at the security firm Lookout, says that his firm's research shows that one in 15 U.S. government workers - federal, state and local - have encountered a phishing email or threat in 2020. He also notes that mobile phishing emails increased 37% in 2020, in part, because fraudsters can buy phishing kits on underground markets.

"Phishing will continue to be one of the most complicated issues that government entities face," Schless says. "Mobile phishing kits are easy to build or cheap to buy and can be highly customizable for the threat actors using them. Campaigns can take advantage of both device and app vulnerabilities by simply getting the user to tap a link."

Other Threats

Phishing campaigns often evolve to capitalize on current events.

For example, Tom Pendergast, chief learning officer at MediaPRO, a Seattle-based provider of security training, predicts phishing campaigns soon will use themes tied to the SolarWinds supply chain attack.

"The SolarWinds hack, combined with President Biden's heightened focus on cybersecurity, is going to mean that vigilance is high within government agencies. This is a good thing," Pendergast says. "However, experience tells me that cybercriminals will be relentless in their attacks, potentially even using SolarWinds mitigation as a ruse to establish a beachhead. ... New wrinkles in COVID-19 - whether it relates to expanded vaccinations or the 'return to normal' - will be exploited by cybercriminals, who are ever alert to hot button issues and use them to craft phishing lures."

About the Author

Scott Ferguson

Scott Ferguson

Former Managing Editor, GovInfoSecurity, ISMG

Ferguson was the managing editor for the media website at Information Security Media Group. Before joining ISMG, he was editor-in-chief at eWEEK and director of audience development for InformationWeek. He's also written and edited for Light Reading, Security Now, Enterprise Cloud News, TU-Automotive, Dice Insights and

Around the Network

Our website uses cookies. Cookies enable us to provide the best experience possible and help us understand how visitors use our website. By browsing, you agree to our use of cookies.