Trace Id is missing

Tax season cybersecurity: What cybercriminals want and who they target most. Is it you?

Graphic illustration showing a laptop with tax documents on screen, paper documents flying into a folder marked 'tax'

In today’s threat landscape, phishing attacks, like death and taxes, are inevitable. For financially motivated threat actors, the deadline pressure and frantic exchange of forms and documents that occurs during tax season creates an appealing opportunity to deploy phishing campaigns targeting high-risk data from millions of stressed and distracted individuals and businesses.

Although everyone can be a target of tax-season phishing, certain groups of people are more vulnerable than others. Prime targets include individuals who may be less informed about IRS methods of engagement—Green Card holders, small business owners, new taxpayers under the age of 25, and older taxpayers over 60.

This special tax season threat intelligence report surveys the tactics, techniques, and procedures (TTPs) threat actors use most in the following sections:

  • Microsoft Threat Intelligence uncovers a 2024 tax season phishing campaign, where details of a new tax-season phishing technique using lures masquerading as tax-related documents provided by employers are described.
  • Threat actors impersonate tax payment processors in phishing emails, which describes how Microsoft Threat Intelligence has observed threat actors using third-party federal tax payment processor logos.
  • What cybercriminals want at tax time, where we identify the different types of high-risk data commonly targeted at tax time.
  • How cybercriminals get your data, where we describe the tax season–themed social engineering techniques threat actors use most.
  • Tax season cybersecurity best practices, where we provide best practices and actionable advice for staying vigilant against social engineering attacks.

Microsoft Threat Intelligence has already observed tax season phishing activity, including a campaign from the end of January 2024 using lures masquerading as tax-related documents provided by employers.

The following figures show (1) the phishing email lure, (2) the malicious website, and (3) and the two malicious executables—the malware—from this campaign:

A tax season phishing email observed by Microsoft Threat Intelligence in January 2024.
Figure 1: A phishing email contains an HTML attachment that directs the user to a fake landing page
Screen shot of a malicious website
Figure 2: Users have been directed to a webpage, which the threat actors have made intentionally blurry, a social engineering technique intended to increase the likelihood of a click. Once targets click the “Download Documents” prompt, malware installs on their computer.
Screenshot of a windows file explorer showing two files in the "programs" folder: "deepvau", an application
Figure 3: A malicious executable file with information-stealer capabilities has been dropped on the target’s machine. Once in the environment, it will attempt to collect information including login credentials.

Threat actors impersonate official entities

In other campaigns, Microsoft observed threat actors using images taken from legitimate third-party federal tax payment processor websites in their phishing emails in an effort to appear convincing.

Although these emails look legitimate, taxpayers should be aware that official entities like the IRS do not initiate contact regarding tax returns or tax payments by email, text, or phone calls.

In rare cases, a cybercriminal may use stolen information to conduct tax refund fraud. In this particular scheme, criminals file a tax return in the target’s name and claim a refund.1 This approach, however, has a low probability of success given IRS safeguards. In a more likely outcome, a cybercriminal who accesses your information at tax time will most likely do what a cybercriminal will do at any time of the year—seek out ways to monetize that information. That can include opening a credit card in your name, selling the data or access to another cybercriminal, directly accessing your bank account to initiate a funds transfer, or shopping online.

Below, figures for the (1) phishing email lure and (2) the authentic third-party processor site are presented:

A phishing email with an Authorized IRS header image taken from an authentic third-party payment processor website.
Figure 4: A phishing email uses a header image (Authorized IRS) taken from ACI Payments, Inc., a payment processor listed on the IRS website.
A screen shot of a web page using an Authorized IRS header image taken from an actual website for ACI Payments, Inc
Figure 5: Example of how the authentic “Authorized IRS” image is highlighted on the actual website for ACI Payments, Inc. .

What cybercriminals want at tax time

During tax season, huge amounts of sensitive financial and identity data flows back and forth between individuals and organizations like the IRS and different kinds of tax services providers, like tax filing software or tax preparation brands or local accounting and tax firms to sole proprietors.

Some of the most high-risk data2 includes:

  • Identity: Social security numbers, driver license or state ID, passport details, Employer Identification Numbers (EIN), Centralized Authorization File (CAF) numbers
  • Financial accounts: Financial account numbers, credit and debit card numbers (with or without any required security code)
  • Passwords and access: Email passwords, personal identification numbers (PINs), and access codes

Regarding the general risk from the troves of personal information that can be found in the average person’s personal email inboxes, Microsoft Threat Intelligence cybercrime expert Wes Drone explains, “People can be digital hoarders in their email inboxes, and the information they keep is immensely valuable to criminals.”

This risk isn’t just limited to tax time. Drone points out that the average person’s email account has correspondence and documents from nearly every aspect of their personal life, and tax season is just one of many occasions to try to steal them.

“You name it, it comes to your email address,” Drone explains, “and if a threat actor gets access to your email address, they can reset the passwords for all of your other accounts.”

The risk to individuals can become a risk to businesses as well. According to Drone, if a threat actor gains access to an employee email box, they could install malware within the employer’s environment.

“Now we’re talking about all kinds of possible problems,” Drone says. “A big thing is business email compromise, where they will just start engaging with your suppliers or people that you do business with. They will change numbers on invoices, send fake invoices, and redirect money, and that can be a very expensive endeavor.”

How cybercriminals get your data

While the phishing techniques used by cybercriminals aren’t new, they remain tremendously effective. Regardless of the variations, phishing attacks against individuals during tax season will primarily lead to one of two outcomes: the downloading of infostealers (a type of Trojan malware) or users inputting their credentials into spoofed landing pages. Less commonly, the phishers may be seeking access in order to download ransomware.

Tax-season phishing campaigns try to trick users into believing they represent legitimate sources, like employers and HR personnel, the Internal Revenue Service (IRS), state-level taxation-related organizations, or providers of tax-related services like accountants and tax-preparation services (frequently using large, trusted brands and logos).

Common tactics that cybercriminals use to trick their targets include spoofing the landing pages of genuine services or websites, using URLs that visually appear correct although they are not (homoglyph domains), and customizing phishing links for each user.

Drone explains, “The reason why these tax season phishing campaigns continue to work—and they have been working for years—is that nobody wants to get something from the IRS.” Drone observes that getting tax-related messages can cause anxiety as soon as it hits an inbox.

“Certainly people don’t want to miss out on getting their refund or have the refund stolen from them,” he continues. “Criminals leverage these fears and emotions in their social engineering to spark anxiety, creating a willingness to urgently go click and do what they need to do.”

Although threat actors use a variety of lures featuring different organizations, phishing emails share certain common features.

  • Item A – Branding: A feature designed to lower your defenses. Criminals use branding you recognize and expect to see around this time of year, like that of the IRS or tax preparation companies and services.
  • Item B – Emotional content: The most effective phishing lures are the ones whose messaging heightens emotions. During tax season, criminals prey on hope (You have a large, unexpected refund!) as well as fear (Your refund is on hold, or You have a huge penalty).
  • Item C – Urgency: To a cybercriminal, urgency is what often gets people to act in ways that they otherwise wouldn’t. With urgency, the opposite of what you want to have happen or not happen will occur unless you act before the deadline.
  • Item D – The click: Whether it’s a link, button, or QR code, criminals ultimately want you to click away from your inbox and onto their malicious website.
A laptop displays an example of a phishing email with icons indicating aspects of the image that will be explained in the article.
Figure 6: The lettered call-outs highlight some of the hallmark features of a phishing email lure.

The best defense against cybercriminals, both at tax season and throughout the year, is education and good cyber hygiene. Education means phishing awareness—knowing what phishing attempts look like and what to do when they’re encountered. Good cyber hygiene means implementing basic security measures like multifactor authentication for financial and email accounts.

As Tax Day approaches in the United States on April 15, here are some additional recommendations to help users and defenders stay vigilant against tax-centric threats.

7 ways to protect yourself from phishing

Falling for a phishing attack can lead to leaked confidential information, infected networks, financial demands, corrupted data, or worse, so here’s how to prevent that from happening.3
  • Inspect the sender’s email address. Is everything in order? A misplaced character or unusual spelling could signal a fake.
  • Be wary of emails with generic greetings (“Dear customer,” for example) that ask you to act urgently.
  • Look for verifiable sender contact information. If in doubt, do not reply. Start a new email to respond instead.
  • Never send sensitive information by email. If you must convey private information, use the phone.
  • Think twice about clicking unexpected links, especially if they direct you to sign into your account. To be safe, log in from the official website instead.
  • Avoid opening email attachments from unknown senders or friends who do not usually send you attachments.
  • Install a phishing filter for your email apps and enable the spam filter on your email accounts.

Enable multifactor authentication (MFA)

Want to reduce the likelihood of successful attacks on your accounts? Turn on MFA. Multifactor authentication, as its name suggests, requires two or more factors of verification.

By enabling MFA, even if an attacker gets your username and password, they still won’t be able to gain access to your accounts and personal information. Compromising more than one authentication factor presents a significant challenge for attackers because knowing (or cracking) a password won’t be enough to gain access to a system. With MFA enabled, you can prevent 99.9% of attacks on your accounts.4

Related articles

Basic cyber hygiene prevents 99% of attacks

Basic cyber hygiene remains the best way to defend an organization’s identities, devices, data, apps, infrastructure, and networks against 98% of all cyber threats. Discover practical tips in a comprehensive guide.

Breaking down business email compromise

Digital crimes expert Matt Lundy provides business email compromise examples, breaking down one of the most common and costly forms of cyberattack.

Feeding from the trust economy: social engineering fraud

Explore an evolving digital landscape where trust is both a currency and a vulnerability. Discover the social engineering fraud tactics cyber attackers use most, and review strategies that can help you identify and outmaneuver social engineering threats designed to manipulate human nature.

Follow Microsoft