Schellman & Co Threat & Vulnerability Assessment Manager Josh Tomkiel discusses the lengths phishers will go to when trying to lure people to fraudulent websites during tax season. Read the full article below or in its entirety on the Communications of the ACM website.
Written by David Geer
Every year, January through April, the taxman cometh; not far behind is the tax fraud phishing scammer, seeking to lure people into taking the hook buried deep in their well-mimicked emails.
"We're the I.R.S.," or so the email states, and "you must pay now" or do something drastic right this instant, which the real Internal Revenue Service would never ask. When people comply with the scammer's requests, the fraudsters can steal their identity, money, or both.
Yet taxpaying citizens and business people alike who know the signs of email-borne tax fraud can steer clear of it and its ill effects.
There was a seasonal increase in tax-themed phishing emails in 2019, according to Sunnyvale, CA-based cybersecurity firm Proofpoint. None of our sources expect the problem to be any less challenging this year.
Many tax-time phishing emails try to scam taxpayers by leveraging the faith people have in web domain names associated with paying their taxes. Examples of tax-related domains include IRS.gov and e-file.com. Attackers can spoof email from domains where the Domain-based Message Authentication, Reporting & Conformance (DMARC) setting, which is part of the domain name's DNS record, is misconfigured, according to Josh Tomkiel, Threat & Vulnerability Assessment Manager of Tampa, FL-based compliance services firm Schellman & Company, LLC.
While the IRS.gov Web domain is not vulnerable to spoofing through a misconfigured DMARC setting, domains such as e-file.com are currently exposed. There are many tax-related domains that attackers could spoof, according to Tomkiel.
Fraudsters can purchase domains that are similar to IRS.gov, and set up websites that are doppelgangers for the real deal, complete with an IRS logo. When victims load the convincing website from the email link, they may even arrive to a green padlock in the URL that connotes an HTTP over TLS certificate, which is supposed to confirm a secure connection. "But services such as LetsEncrypt offer free TLS (HTTPS) certificates, which malicious actors can use to make their phishing site look trustworthy," explains Tomkiel.
Phishers want taxpayers' refund money. "The emails may say that you must immediately file your taxes via e-File, using a link to a website that looks like the real IRS website," says Kayne McGladrey, a member of IEEE and director of security and IT at Seattle-based product design and engineering firm Pensar Development; "Then the fraudsters file taxes on your behalf, but with a different mailing address for the refund check."
"Not every tax-time phishing scam fits the stereotype"
Not every tax-time phishing scam fits the stereotype of the lone taxpayer clicking bogus IRS emails loaded with beguiling links; some attacks are spear-phishing, which target people or departments in large companies. Cybercriminals use Business Email Compromise (BEC) attacks to target and trick office staff into forwarding W-2 forms out of the enterprise, then use the information on the forms to file fraudulent tax returns and route any refunds to themselves.
Criminal hackers use BEC attacks to impersonate executives who have the authority to make such requests. The fraudulent emails can contain social references to the relationship between the superior who supposedly sent the email and the subordinate who received it. Attackers could easily infer social references from social media posts and exchanges.
"For example, the bogus email might say something like this: 'Hey, Cindy, I saw your pictures on Facebook this weekend. Looks like you had so much fun. Hey, would you mind sending me all the employees W2's in a PDF file?'" according to Stefanie Wood Ellis, an antifraud product manager at OpSec Security in Meridien, ID. These references establish a plausible proof of identity, leading the recipient to let their guard down. BEC attacks stress urgency in the hope the employee won't question the request any further.
BEC attacks spoof the executive's email address and mimic their writing style, which attackers can learn by reading emails they sent. So, when "Cindy" in payroll receives the request for the W-2s from someone who appears to be her CFO, all the right forces are in play to elicit the compromise of those tax forms.
"Be wary of any email that asks you to take immediate action on anything"
Taxpayers can recognize and avoid email phishing scams. Cybercriminals who use social engineering ploys such as phishing emails commonly instill urgency to get people to act before they have time to think about it. "Be wary of any email that asks you to take immediate action on anything," says Tomkiel.
According to the IRS, that agency does not initiate contact with taxpayers via email, text messaging, or social media sites and channels to request personal or financial data; the IRS does not ask for PINs, passwords, or similar access information for credit cards, banks, or other financial accounts.
Employees and staff at corporations should question suspicious email requests. Forward emails to the supposed sender's correct email address rather than hit reply; ask them whether they sent the email, according to Ellis.
Potential victims of tax-time phishing can report attacks by forwarding suspect emails to firstname.lastname@example.org.
About the AuthorMore Content by Josh Tomkiel