Tax Season Attacks – Part 2, Phishing

Tax Season Attacks – Part 2, Phishing

Tax season is officially upon us, and with it brings out a host of scams against taxpayers. In this blog series we explore three specific attacks: phishing, shoulder surfing and dumpster diving. Read part one for a high level synopsis of each type of attack.


In this post we examine phishing scams featuring attackers trying to impersonate the Internal Revenue Service (IRS).


The Attack


The tax season brings phishing emails crafted specifically to attract all those who file their taxes online. Phishing scammers send emails claiming to be from either the IRS or well-known tax preparation companies, offering links as click bait. These links lead to attacker-controlled websites that ask for personal information, filing status, ordering transcripts and verifying PIN information. The IRS has renewed their consumer alert for e-mail related schemes after seeing a 400 percent surge in malware and phishing attacks this tax season.


The IRS does not initiate conversations by email due to disclosure requirements. This is true in all situations – in tax returns as well as for audits. Attackers gamble that targets do not know this about the IRS, and create legitimate-looking emails and web pages, using IRS marks and terminology, in order to entice them to enter personally identifying information as well as financial information.




User awareness is paramount for preventing tax phishing attacks. User education is a process – and seminars or informational documents for security awareness that are released near tax season should provide information specifically targeted toward tax-related scams.  Tax-themed phishing scams are common. You should be aware that the IRS does not initiate communications via email, and that they do not link to websites that directly request payment information via email. General phishing prevention best practices also apply here, including not clicking on links or downloading any attachments from unknown or suspicious emails. If you are aware of what to look out for, you will be less likely to fall for something specific that you know to be a scam. In addition, employers should also educate users on internal procedures for reporting phishing scams, in case attackers target employees at their business addresses.


In addition to user awareness, technical protections against phishing and malware can also help thwart tax-related scams. You should always use security software with firewall and anti-virus protections enabled and updated when filing your taxes. You should only prepare taxes on machines on which the operating system and all end-user software have been fully patched. In case a phishing attacker attaches a malicious document or includes an exploit on a destination website, these measures can mitigate the damage.


From a corporate perspective, content filtering can help prevent employees from being attacked by tax scammers at work. Consider a policy of default-deny for all unknown web domains. That way, since many phishing domains are new and untested from a perspective of content filtering solutions, access to those phishing domains can be blocked before users have a chance to surrender their personal information to attackers.

Continue to part three: shoulder surfing.

Nicolle Neulist
Intelligence Analyst
Nicolle Neulist is an intelligence analyst within Optiv’s Global Threat Intelligence Center (gTIC). The Global Threat Intelligence Center is comprised of cyber threat intelligence specialists within Optiv’s managed security services that specialize in providing our clients with proactive intelligence support around current and emerging threats.