Security Awareness: 4 Tax Scams Making the Rounds Now

With the arrival of the month of April, the United States is heavily into tax season now. And with only days remaining until the April 15 deadline to file, tax-related scams are also pervasive this time of year.

Email security firm Proofpoint notes in a blog post on tax-themed scams that its researchers always observe a seasonal uptick in tax-related malware and phishing campaigns leading up to the annual tax-filing deadlines. This year is no different.

AWS Builder Community Hub

“With tax season again upon us, we have seen a similar bump in tax-related campaigns both in the US and internationally. Malware payloads generally reflected the mix in the broader landscape, with a focus on RATs, downloaders and banking Trojans, while common phishing emails remained pervasive,” researchers said in the post.

Educate your users about what to look out for in the coming weeks. These are some of the common tax scam tactics and hooks currently being used as lures.

‘Your Tax Return Needs Attention’

In an example provided by Proofpoint, a tax-themed lure uses legitimate privacy language to convince victims to open a spreadsheet with malicious macros that install The Trick—a banking trojan—when they are enabled.

The message says, “It has come to our attention that your 2018 tax return has not been properly filed and needs attention. Attached is a copy of the return. Kindly download and review immediately.”

Another angle on this ploy is to attempt to scare recipients by claiming the IRS is reaching out to attempt to collect an outstanding tax debt.

End users should be reminded that the IRS will never initiate contact over email to address issues with tax returns or outstanding taxes owed. Any email that claims to be from the IRS seeking money or personal information is a scam.

‘Please See the Attached Documents for Tax Preparation’

If your business is accounting or business services, this is a particularly nasty ruse to be on watch for in the next few weeks. Proofpoint found some businesses that offer tax prep and accounting services are being targeted by social-engineering messages that appear to be from a potential client seeking services. The messages have malicious attachments, including retouched fake W2s and other supporting fake documents. When opened, and the content enabled, macros in the attached Microsoft Word documents download and install malware.

‘File Your Taxes Online!’

Thousands of people file their taxes online annually, and online scammers know this. They have set up fake sites designed to look like popular accounting tools such as QuickBooks. An article on Wired dug into the recent research of cybersecurity firm Lookout, which uncovered more than 100 websites registered in recent months that seek to fool people who want to file their taxes online.

“Lookout discovered that tax scammers start early: Dozens of these websites were created in December, right around the time people begin receiving their W-2 forms,” noted the article. “Many of the domains appear designed to steal login credentials or personal information like passport numbers. Other varieties coax people to download malicious software.”

The sites use domain names that look very similar to the legitimate sites, such as “” Once on, users are prompted to enter username and password information, unaware they are on a fake site. Their login information and is stolen by the scammers to access the real sites, which contain plenty of valuable, sensitive information on taxpayers.

‘This is the Taxpayer Advocate Service’

A new phone scam making headlines this month involves criminals impersonating employees who work in an independent organization within the IRS called the Taxpayer Advocate Service (TAS).

Scammers make the calls and claim to be from TAS. Spoofed telephone numbers allow them to appear to be calling from IRS offices in Texas and New York. The victim is asked to provide personal information, including Social Security numbers or individual taxpayer identification numbers (ITIN).

Beware of Bogus IRS Agents

The IRS provides plenty of education and information about common tax scams on its own site.  The agency will never call to demand immediate payment using a specific payment method such as a prepaid debit card, gift card or wire transfer. Most IRS correspondence is done through regular mail. Warn employees about these common tricks and help them keep their sensitive information, and your corporate network and information, safe from compromise.

Joan Goodchild

Avatar photo

Joan Goodchild

Joan is a veteran journalist, editor and writer who has been covering security for more than a decade. She has written for several publications and previously served as editor-in-chief for CSO Online.

joan-goodchild has 37 posts and counting.See all posts by joan-goodchild