Tax Scams Ramping Up as the April 15 Deadline Approaches
2024-3-25 20:49:52 Author: securityboulevard.com

With the IRS deadline only weeks away, businesses and individuals are racing to get their taxes filed, and bad actors are doing what they can to keep pace with them.

Both Microsoft and Malwarebytes in recent days have outlined various scams being used to steal sensitive information, drop malicious payloads, or get victims to make payments to fake services. Other cybersecurity firms, as well as government agencies and financial services organizations, also are sending out warnings.

Techniques range from phishing or other fraudulent messaging schemes – including sending messages made to look like they were coming from the IRS – to malicious advertising.

“Although everyone is susceptible to tax-season phishing, we have noted that certain groups of people are more vulnerable than others,” Sherrod DeGrippo, director of threat intelligence strategy at Microsoft, wrote in a blog post. “Prime targets include individuals who may be less informed about government tax procedures and methods – green card holders, small business owners, new taxpayers under the age of 25, and older taxpayers over 60.”

Fake Tax-Related Documents

DeGrippo wrote that Microsoft threat intelligence analysts saw a threat actor’s campaign that used fraudulent tax-related documents, supposedly provided by employers, as lures in phishing emails.

The message included an HTML attachment directing the target to a fake landing page, which hosted malicious code. If the victim clicked on the “download documents” prompt, malware was installed on their computer.

“The malicious executable file dropped on the target’s machine had information stealer capabilities,” he wrote. “Once in the environment, it attempted to collect information including login credentials.”

Impersonating the IRS

Malwarebytes researchers recently detected a scam that likely lures targets via email with a message to go to what appears to be an IRS website, where they can apply for an Employer Identification Number (EIN), a federal tax ID number used by a range of employers, sole proprietors, corporations, and other business organizations.

“Given the flow of the scam, it’s very likely that the targets are self-employed and/or small business (SMB) owners,” Pieter Arntz, an intelligence researcher with Malwarebytes, wrote in a report. “It’s possible that the phisher has obtained or bought a collection of email addresses from a data broker that fit a certain profile (for example, self-employed US residents).”

It’s an easy scam to spin up, with the bad actor needing little information. Email addresses can be bought on the dark web or through legal data brokers, according to Shahak Shalev, senior director of technology and engineering and consumer privacy at Malwarebytes.

“I don’t think one would have to go to the dark web to get information like this as there are regular companies selling this information,” Shalev said. “They would probably qualify it as ‘lead generation.’ According to our sources, pricing for one million self-employed US citizens usually goes for $1USD per contact, but for such a large amount it would probably be $0.1 per contact.”

The aim of the attack is to steal personal information, such as Social Security numbers, which could lead to further identity theft and fraud.

Arntz also noted that the scammers charge the victim $289 to $399 for the tax ID number, even though it’s a free service from the IRS.

Scammers are Looking for Information

Trend Micro researchers earlier this month outlined a number of scams threat actors run while impersonating the IRS, sending messages telling targets they need to confirm personal details to receive a tax refund, can reduce taxes through the agency’s Offer in Compromise program, are eligible for the agency’s tax assistance program, or owe taxes and must complete the payment to avoid penalties.

“Impersonating the IRS and under various pretenses, scammers try their best to trick you into revealing your personal information, such as your home address, date of birth, and Individual Tax ID Number (ITIN), with which they can file a bogus tax return on your behalf and deposit the refund into THEIR account,” they wrote.

Tax season, like other big events that happen throughout the year, draws a lot of attention from cybercriminals. Proofpoint in January noted the return of the threat group TA576, which consistently uses tax-themed lures in its social engineering campaigns against organizations in North America to deliver remote access trojans (RATs) that can steal information, deliver malicious payloads, or enable lateral movement through a company’s network.

The IRS said that through May 2023, 2.4 million returns were flagged for potential identity theft, with fraudulent refunds adding up to $13.8 billion, and has a list of almost a dozen tax scams aimed at business and individual taxpayers.

Tax Pros Also are Targets

At the same time, the agency in January also warned tax professionals about tax filing-related schemes where bad actors pose as potential clients seeking help with their taxes in hopes of grabbing sensitive information or gaining access to the data of the tax pros’ clients.

The cybersecurity firms offer a laundry list of ways that businesses and individuals can protect themselves against scams, from inspecting the address of an email and looking for verifiable contact information from the sender to creating hard-to-crack passwords and not clicking on links or attachments.

“Remember: The IRS doesn’t ask taxpayers for personal or financial information over email, text messages, or social media channels,” Malwarebytes’ Arntz wrote. “This includes requests for PINs, passwords or similar access information for credit cards, banks, or other financial accounts.”

Source: https://securityboulevard.com/2024/03/tax-scams-ramping-up-as-the-april-15-deadline-approaches/