IRS and COVID vaccine email scams proliferating this tax season

Ferrone & Associates CPAs Blog

Security experts are seeing a rise this tax season in phishing schemes and malware tied to hot-button subjects like tax refunds, stimulus payments and COVID-19 vaccines.

The Internal Revenue Service recently warned about an ongoing IRS-impersonation scam that mainly targets educational institutions, including students and staff who have “.edu” email addresses. The emails show the IRS logo and use subject lines such as “Tax Refund Payment” or “Recalculation of your tax refund payment.” They ask recipients to click a link and submit a form to claim their refund, and the form asks for personal information such as their Social Security number. The Treasury Department’s Financial Crimes Enforcement Network has also warned this tax season about phishing emails tied to Economic Impact Payments and COVID-19.

Tax season scams have become routine over the years, but the cybercriminals have become more sophisticated and often try to make their emails seem to come from the IRS itself, or in some cases from legitimate accounting and tax preparation firms. While many of them originate in the U.S., there are also scams coming from organized crime groups abroad using malware that can take over a victim’s computer.

“We see a lot of lures with IRS branding,” said Sherrod DeGrippo, senior director of threat research and detection for Proofpoint, an email security company. “We’re seeing the branding of the IRS used, as well as general mentions of the IRS.”

The cybersecurity company McAfee is also warning about the perennial tax season scams. This year, it’s seeing scams related to Economic Impact Payments, as well as other common tactics such as email phishing.

“Tax season is one of the most important times to practice digital wellness,” said McAfee executive vice president Terry Hicks. “As we embrace the convenience of living our lives online, it makes sense to take a few steps to protect ourselves. It’s better to prevent a problem than to be in the position of fixing one. Just like eating well and exercising can help keep us out of the doctor’s office, digital wellness practices can keep hackers at bay.”

Last year, the IRS identified $2.3 billion in tax fraud schemes, and McAfee predicts that number could grow this year, especially as more consumers file their taxes online. The company is warning taxpayers to beware of emails or phone calls from anyone claiming to be from the IRS, as the IRS only uses “snail mail” to contact taxpayers about problems.

Another security company, Cybereason, described in a recent blog post a rise this year in other forms of malware, with names like Netwire and Remcos. The malware gives cybercriminals remote access to a victim’s computer, and the cybercriminals are leveraging tax season and topical subjects to lure victims. The malicious messages can evade traditional antivirus software: the Netwire and Remcos malware is hidden inside image files hosted on public cloud services such as “imgur,” which makes it difficult to detect. “As a part of the infection process, a legitimate OpenVPN client is downloaded and executed then sideloads a malicious DLL that drops NetWire/Remcos,” warned Cybereason.

“Attackers use stories in the news to influence targets to click links in phishing attacks,” said Lamar Bailey, senior director of security research at the cybersecurity company Tripwire. “2020 was the year of COVID and attackers took full advantage by crafting phishing attacks based around the epidemic. They were able to play off the ever-changing story to promote cures, treatments and case numbers to get targets to click malicious links. The trend continues into 2021 by using COVID vaccines as the top story to promote the malicious links. This time of year in the US using phishing emails that appear to originate from the IRS is a very effective way to spread malware.”

The Treasury Inspector General of Tax Administration recently urged taxpayers and tax professionals to beware of the scams. TIGTA’s Office of Investigations warned that criminals are engaging in various scams and schemes in attempts to intercept Economic Impact Payments. Criminals may also try to steal sensitive taxpayer information as the pandemic enters its second year. “In these troubled times, crooks and scammers will try to defraud taxpayers in every way possible,” TIGTA Inspector General J. Russell George said in a statement during National Consumer Protection Week last month. “Taxpayers need to be especially vigilant when contacted by individuals claiming to be from the IRS.”

The National Cyber Security Alliance partnered with the IRS to create a tip sheet offering some best practices for data safety while filing taxes, such as preparing devices, safely sharing personally identifiable information, phishing red flags, safely working with tax preparers and more.

Another form of malware that cybercriminals have used in the fake IRS emails is called Zloader. “Once you get Zloader on your machine, it can then communicate in the background to download next-stage payloads and steal all kinds of information or put other malicious software onto your machine,” said DeGrippo.

Her team at Proofpoint saw various kinds of subject lines for that phishing email. One of them said, “Greetings. Have your accountants received any updates from the Internal Revenue Service? Their new corporate policies affect several of the agreements in our establishment. You must check the new taxation rules. They can be found in the attached file.”

The attached file was a malicious Word document. “When you open it, it will communicate in the background and download that Zloader malware,” said DeGrippo.

In addition to malware, her team often sees domains registered to try to trick people into thinking that they are accounting firms, tax preparation firms or the IRS itself. “It will be or something like that, and you’ll click on it and it will take you to either credential phish or malware,” said DeGrippo.

Phishing emails from sites purporting to be the IRS and with the IRS logo might say something like, “The IRS is going to put your money directly in your bank account. Put your bank details here.”

“I’ve gotten about 1,000 malicious domains that leverage the concept of tax, tax banking, tax refund and tax refund relief in the past two weeks,” said DeGrippo when interviewed in March.

Proofpoint acts as an email gateway for its customers, so it can check their email as it passes through its servers and examine potentially malicious messages before they reach customers. “Every domain, every attachment, every URL we inspect those ourselves to see if they’re good or bad, and if it’s bad, of course we don’t let that email go through,” said DeGrippo. “But we do collect all the bad information to look through and see what’s bad about it and what it’s doing. We create threat intelligence out of that. This year we are tracking about 15 separate campaigns that are using IRS logos.”
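A mail-triage heuristic for the lures described above (the refund subject lines from the IRS warning, IRS display names on non-IRS senders, and tax-themed lookalike domains in links), as an added example that is not from the article or from any vendor quoted in it. The keyword list, the function names and both sample messages are assumptions constructed for illustration, and the keyword match is deliberately broad because it is meant for triage, not as a verdict.

```python
import re
from email import message_from_string, policy
from email.utils import parseaddr
from urllib.parse import urlparse

LURE_SUBJECTS = ("tax refund payment", "recalculation of your tax refund payment")  # from the IRS warning
DOMAIN_KEYWORDS = ("irs", "tax", "refund")  # assumed keyword list for tax-themed lookalike hosts
OFFICIAL = "irs.gov"

def under(host, parent):  # True if host is parent or a subdomain of it
    host = host.lower().rstrip(".")
    return host == parent or host.endswith("." + parent)

def triage(raw):
    """Return the reasons a raw RFC 5322 message looks like an IRS-impersonation lure."""
    msg = message_from_string(raw, policy=policy.default)
    reasons = []
    name, addr = parseaddr(str(msg.get("From", "")))
    if re.search(r"\b(irs|internal revenue service)\b", name, re.I) and not under(addr.rpartition("@")[2], OFFICIAL):
        reasons.append(f"display name claims IRS but sender is {addr}")
    if any(s in str(msg.get("Subject", "")).lower() for s in LURE_SUBJECTS):
        reasons.append("subject matches a reported refund lure")
    body = msg.get_body(preferencelist=("plain", "html"))
    text = body.get_content() if body else ""
    for url in re.findall(r"https?://[^\s\"'<>]+", text):
        host = (urlparse(url).hostname or "").lower()
        if any(k in host for k in DOMAIN_KEYWORDS) and not under(host, OFFICIAL):
            reasons.append(f"link to tax-themed host outside {OFFICIAL}: {host}")
    if reasons and parseaddr(str(msg.get("To", "")))[1].lower().endswith(".edu"):
        reasons.append("recipient is a .edu address")
    return reasons

# Constructed sample messages (not real traffic); .example hosts are placeholders.
LURE = """\
From: "IRS Refunds" <notice@irs-refund-claims.example>
To: student@example.edu
Subject: Recalculation of your tax refund payment

Click http://irs-refund-claims.example/form to claim your refund.
"""
BENIGN = """\
From: Registrar <registrar@example.edu>
To: student@example.edu
Subject: Spring enrollment

Form 1098-T information is at https://www.irs.gov/forms-pubs
"""

if __name__ == "__main__":
    print(triage(LURE), triage(BENIGN))
```

The benign message links to a genuine `irs.gov` host and produces no findings, which is the case a plain keyword filter would get wrong.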

Both consumers and professionals could find themselves the target of such emails. “We see a lot of targeting of corporate accountants, controllers, anybody in those financial positions at a corporate level,” said DeGrippo. “Obviously the consumer is there, but a lot of the specific targets are going to be around those executives that are in financial controls, accounting, governance, risk and compliance, anybody who actually has to do 10-K filings. Any of those kinds of people are targets. If you’re an SEC 10-K filer, you’re a big target.” 
