Chet Wisniewski, Principal Research Scientist at Sophos

Tax season can be a stressful time,without adding cyberattacks to the mix – and unfortunately, cybercriminals know this.

At SophosLabs, we’ve seen a significant rise in cybercriminals taking advantage of tax seasons around the world. Disguised as a government tax official, these crooks use online scams in a relatively simple way to dupe unsuspecting businesses and consumers alike into emptying their wallets.

Many of these scams have been built upon the recent ‘CEO scams’. With these attacks, cybercriminals impersonate a ‘CEO in crisis’ and send emails to payroll departments or other employees asking for sensitive information that must be acted upon quickly to reduce the chance of verification. Snapchat recently fell victim to this when its payroll department were duped by a fake email purportedly from CEO Evan Spiegel. Unfortunately, payroll information of some employees, both past and present, was compromised. Snapchat was able to respond quickly however, and reported the incident to the FBI, alongside notifying those affected and offering victims two years of free identity theft insurance and monitoring.

Snapchat isn’t alone. Companies and consumers across Canada, France, the UK and Australia have been on the receiving end of similar CEO scams, and now cybercriminals are capitalising on the same kind of trick in the context of one of life’s unpleasant certainties – taxes.  Payroll staff, HR specialists, and even regular taxpayers have been receiving emails pretending to be from a government tax department, stating that either there is an issue with a tax refund, or that urgent information is required to process their tax return.

Not only has this tactic spread across the corporate world into a multitude of sectors, but fraudsters are also using advanced social-engineering tactics to target SMEs, self-employed workers, and consumers, using the tax hook to scam people out of their valuable banking information, and thousands of pounds. This is especially troubling for smaller businesses, as they may not have a dedicated finance or cybersecurity team who would be on the lookout for such threats. The crooks know this and are preying on our vulnerabilities.

Tax-related attacks have recently been witnessed in the UK with cyber crooks claiming to be from the DVLA (Driver and Vehicle Licensing Agency) offering unclaimed car tax refunds of a few hundred pounds. The email comes along with an official logo, and most worryingly, a ‘not spam’ marker urging recipients to mark the email as from a trusted source.

Thee mails fool users into clicking a link that will take them to a phishing webpage which asks for valuable personal information– including bank or credit card details, addresses and names.

Cybercriminals are stealthy and smart – they keep tabs on tax deadlines around the world. The start of the UK tax year has come and gone, but the next tailored attack is likely just around the corner. Emails are tempting to open as they look legitimate, often appearing to come from official government email addresses. These scary, yet clever, tactics are used to steal money from you, your employer, or your business, or to gather sensitive company and/or personal information to sell on the dark web.

Phishing Season

Today’s cybercriminals use sophisticated social engineering (or as my Mum would call it, lying)and phishing tactics to gain access to sensitive data. The smartest cybercriminals know how to make an email look like the real deal, with official logos, specially crafted and tailor-made email addresses, and intricate details of the business or recipient that can trick almost anyone into truly believing the scam is genuine.

Criminals are specialising in each step of the scam, leading to greater expertise and success. Making emails ‘look’ the real deal is only the first step. The second step is tapping into human emotion. Crooks are increasingly playing on this and recipient curiosity to get the data they want – and nothing can send worry or fear through a person quicker than an email surrounding their taxes.The thieves may have high-level technical skills, but in this situation their main weapon is manipulation–they use sheer trickery rather than skilful coding to con individuals into granting them access to data.

‘Spear-phishing’ is one of the most common tactics of manipulation, using carefully curated emails – like the CEO scam – that an employee would expect to receive from a superior or colleague in the organisation. The communications are bogus, tempting you by tapping into your relationship of trust with your boss or colleague, and conning you into handing over personal or professional data, money, or tricking you into opening an infected document.

Email tax scams, while less specific, are based on the same principle. They pretend to come from respected government tax departments such as HMRC or ATO (Australian Tax Office) – and will look something like this:


These official looking emails are easily mistaken as the real thing by even a trained eye.It has long been assumed that these type of attacks are really only a danger for large enterprises, where sensitive and confidential information can reap huge monetary gains. However, the bad guys are willing to spend substantial amounts of time carefully curating these types of attacks, to sneak even a small amount of cash or sensitive information out of any unsuspecting victims, including you and I. It is simply a game of numbers and we all have something worth stealing.

One Threat in Many Ways

SophosLabs has seen tax scams in many different countries, including Canada, the UK and France. The scams are almost identical in style and execution, however they are cleverly tailored to national norms. Regardless of country, the emails have a similar focus – overdue taxes or refund money owed. While they have you on the hook, why not ask for as much personal information as possible to better enable future crime and profit?

The level of customisatio nwe are witnessing between countries is incredibly clever. SophosLabs has seen such specific differences between countries, it seems as though they are hiring professional translators to ensure the scams are as believable as possible. Tell-tale signs of misspellings and incorrect logos are a thing of the past –criminals are even tailoring the banking details, with correct information for Interac debit cards for Canadian victims and MasterCard details for American targets.

With increasing frequency, in 2017 we’ve also seen malicious document attachments that will deliver ransomware. Ransomware is a type of malware that is commonly introduced onto a device via a malicious attachment, which once opened, will lock and encrypt your files until a ‘ransom’ is paid to the cyber crooks for the decryption key. A warning message is displayed that will give the user exact instructions how to pay the ransom to retrieve their files – but even once paid there really is never a guarantee that your precious documents will be returned. Many emails claim to come from government officials with an attachment in tow requesting urgent tax information, which once opened, will execute the ransomware. Once executed, it is difficult to remediate unless you have a backup in tow.

Attacks aren’t just reserved for Macs and PCs – they can happen on your mobile too. Thanks to payment apps and mobile banking, our phones double as both our wallet and our bank. The separation between work and play has blurred thanks to mobile email access. If a worker in an HR department, a small business or self-employed worker, or even a consumer, receives a tax scam email, they can use their banking apps or ApplePay to quickly remediate the so-called ‘problem’.

The level of sophistication of attacks has risen dramatically over the past few years – and we shouldn’t expect to see a drop in the complexity or frequency of tax scams anytime soon.

Top Tips to Tax Smarter

Tax scams aren’t just reserved for tax season – it is important to stay vigilant against scams all year round. To protect yourself against tax scams, remember that:

  • Your government’s tax bureau will never ask for your bank account details or other personal information related to tax via email.
  • If you work in the Human Resources or Finance department of your company, you should be on the lookout for any new varieties of scam targeting employees. Always verify requests for personal information or changes to financial accounts.
  • Beware of documents containing macros. Sophos has seen an increase in topical issues, like filing taxes, being used to infect victims with ransomware through booby-trapped Word and PDF documents.
  • If you do receive an email from your country’s tax bureau, don’t respond. Instead, contact them directly to check whether the email is genuine.

Leave A Reply

Your email address will not be published.