Microsoft Security

Tax-themed phishing and malware attacks proliferate during the tax filing season

  • Microsoft Defender Security Research Team

Modern social engineering attacks use non-portable executable (PE) files like malicious scripts and macro-laced documents. Every month, Windows Defender AV detects non-PE threats on over 10 million machines.

Learn how machine learning drives next-gen protection capabilities and cloud-based, real-time blocking of new and unknown threats:

Machine learning vs. social engineering

Tax-themed scams and social engineering attacks are as certain as (death or) tax itself. Every year we see these attacks, and 2017 is no different.

These attacks circulate year-round as cybercriminals take advantage of the different country and region tax schedules, but they peak in the months leading to U.S. Tax Day in mid-April. The U.S. Internal Revenue Service last week warned of last-minute email scams.

Cybercriminals are using a variety of social engineering tactics related to different scenarios associated with tax filing, in order to get you to click links or open malicious attachments.

Here are some recent examples we’ve seen. The best defense is awareness: no matter what stage you are in your tax filing and wherever you are in the world, don’t fall for these social engineering attacks.

Tax refund: “You are eligible!”

An enticing bait attackers use says that you’re eligible for a refund. We’re seeing several phishing campaigns targeting taxpayers in the United Kingdom, where tax filing season ended in January. These attacks are targeting people who might be waiting for information about their tax refund.

These kinds of phishing emails pretend to come from HM Revenue and Customs, the tax collection body in the UK. These mails vary in how legitimate they appear, but in all cases the attackers want you to click a link in the mail. The link points to a phishing page that will ask for sensitive information.




If your default browser is Microsoft Edge, Microsoft SmartScreen will automatically block access to these phishing sites. Internet Explorer also includes Microsoft SmartScreen.


Tax filed: “Payment has been debited from your account”

Another cybercriminal tactic is to pretend to deliver a receipt for taxes filed. A recent example is a malicious email with the subject “Rs. 73,250 TDS Payment Has Been Debited from your Account”. TDS refers to Tax Deducted at Source, which is the method of collecting tax in India.

The message body says, “Kindly download and view your receipt below attached to this email.” The attachment plays the part and bears the name Income Tax


Inside the .zip is the file Income Tax Receipt.scr, which is really a banking Trojan detected by Windows Defender Antivirus as TrojanSpy:Win32/Bancos.XN.

The payload Trojan is part of a family of keyloggers. When it runs, it logs all keystrokes and sends these to an attacker. From the keystrokes, an attacker can then collect sensitive info like user names and passwords for online banking, email, social media, and other online accounts.

SHA1: 89c5248a989c79fdff943c7c896aeaee4175730d
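A mail-gateway style check for the delivery method described above, shown as an added example (not code from Microsoft or Windows Defender): it opens each .zip attachment and reports members whose final extension is directly executable on Windows, such as .scr. The extension list, the archive name receipt.zip and the placeholder file contents are assumptions constructed for the example.

```python
import io
import zipfile
from email import message_from_bytes, policy
from email.message import EmailMessage

# Assumed, non-exhaustive list; .scr (screensaver) is an ordinary PE executable.
RISKY_EXT = {".scr", ".exe", ".com", ".pif", ".bat", ".cmd", ".js", ".jse",
             ".vbs", ".vbe", ".wsf", ".hta", ".lnk"}

def risky_members(zip_bytes):
    """Return names of archive members whose final extension is executable."""
    hits = []
    try:
        with zipfile.ZipFile(io.BytesIO(zip_bytes)) as zf:
            for info in zf.infolist():
                name = info.filename.rstrip(". ")  # Windows ignores trailing dots/spaces
                dot = name.rfind(".")
                if dot != -1 and name[dot:].lower() in RISKY_EXT:
                    hits.append(info.filename)
    except zipfile.BadZipFile:
        hits.append("<unreadable archive>")  # treat corrupt archives as suspicious
    return hits

def scan_message(raw):
    """Map each .zip attachment name to the risky members found inside it."""
    msg = message_from_bytes(raw, policy=policy.default)
    findings = {}
    for part in msg.iter_attachments():
        fname = part.get_filename() or ""
        if fname.lower().endswith(".zip"):
            hits = risky_members(part.get_payload(decode=True))
            if hits:
                findings[fname] = hits
    return findings

def build_sample():
    """Constructed test message: harmless placeholder bytes, file name from the page."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("Income Tax Receipt.scr", b"placeholder, not a real binary")
        zf.writestr("readme.txt", b"benign")
    msg = EmailMessage()
    msg["Subject"] = "Rs. 73,250 TDS Payment Has Been Debited from your Account"
    msg.set_content("Kindly download and view your receipt below attached to this email.")
    msg.add_attachment(buf.getvalue(), maintype="application", subtype="zip",
                       filename="receipt.zip")  # archive name is an assumption
    return msg.as_bytes()

if __name__ == "__main__":
    print(scan_message(build_sample()))
```

Because the check looks only at the final extension, a double-extension name such as a document name followed by .scr is flagged as well.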

Tax overdue: “Info on your debt and overdue payments”

Some tactics are more threatening. One example accuses the recipient of having overdue tax.

This threat can cause the recipient to panic and click a link in the email without thinking things through. We monitored an attack that targets taxpayers in the US, accusing recipients of having overdue tax and claiming that action needed to be taken immediately. The link in the email is, of course, a phishing page.


Again, Microsoft SmartScreen blocks access to this phishing page.

Tax evasion: “Subpoena from IRS”

Some attacks use fear as bait. One such bait tells recipients that there’s pending law enforcement action against them. We saw an example of this sent to U.S. taxpayers. It pretends to contain information about a subpoena, asking “What should we do regarding the subpoena from IRS?”


The attachment is a document file that Microsoft Word opens in Protected View. The attackers expected this, so the document contains an instruction to Enable Editing.


If Enable Editing is clicked, malicious macros in the document download malware detected as TrojanDownloader:Win32/Zdowbot.C.

Zdowbot is a family of Trojan downloaders. They connect to a remote host and wait for commands. In addition to downloading and installing other malware, they can send information about your PC to a remote attacker.


Tax preparation: “I need a CPA”

Some attacks are relevant during the early part of the tax filing process. We saw an attack this year that targets accountants in the U.S., given the timing and the information in the email referencing the IRS.

The attack pretends to be coming from somebody seeking the services of a CPA. It includes an attachment named tax-infor.doc.


The attachment is a document with malicious macro code. Macros should be disabled by default (as is the best practice). When the attachment opens, Microsoft Word issues a warning. To encourage you to enable macros, the document displays a fake message box that says “Please enable Editing and Content to see this document”. The fake message box is designed to look like it’s part of Microsoft Word, but it’s really part of the document itself.


If you fall for the ruse and enable macros, then the malicious macro downloads the malware TrojanSpy:MSIL/Omaneat from hxxp://193[.]150[.]13[.]140/1.exe.

Omaneat is a family of info-stealing malware. These threats can log keystrokes, monitor the applications you open, and track your web browsing history.

SHA1: ffc06b87eed545df632b61b2a32ef36216eb697d

How to stay safe from social engineering attacks

Tax-themed malware and phishing attacks highlight an important truth: most cybercrime is after your hard-earned money.

But these attacks rely on social engineering tactics: you can detect them if you know what to look for. Be aware, be savvy, and be cautious in opening suspicious emails. Even if the emails came from someone you know, be wary about opening the attachment or clicking on links. Some malicious emails may be spoofing the sender.

The built-in security technologies in Windows 10 can help protect you from these attacks. Keep your computers up-to-date.

Enable Windows Defender Antivirus to detect malware that arrives via email messages using tax filing as bait. Windows Defender Antivirus uses cloud-based protection, helping to protect you from the latest threats.

Practice safe browsing habits. We recommend Microsoft Edge. It blocks known phishing and other malicious sites using Microsoft SmartScreen.

As the examples show, phishing and malware attacks target both professional and individual taxpayers. On March 17, a government contractor fell victim to a W-2 phishing scam, resulting in the exposure of current and former employees’ sensitive information.

Additional protection is available for businesses running Windows 10 and Office products.

Use Office 365 Advanced Threat Protection, which has machine learning capability that blocks dangerous email threats, such as social engineering emails that carry malware or phishing links.

Use Device Guard to lock down devices and provide kernel-level virtualization-based security, allowing only trusted applications to run.

IT administrators can use Group Policy in Office 2016 to block known malicious macros, such as the documents used in these social engineering attacks, from running.

Windows Defender Advanced Threat Protection (Windows Defender ATP) enables enterprises to detect breach activity early and respond fast. To test how Windows Defender ATP can help your organization detect, investigate, and respond to advanced attacks, sign up for a free trial.

For more information, download and read this Microsoft e-book on preventing social engineering attacks, especially in enterprise environments.


Jeong Mun and Francis Tan Seng




