
Tax Season = Phishing Season


Most professionals are aware of the April 15 tax deadline. We know that fraudsters certainly are! As Tax Day approaches in the U.S., we encourage everyone to be mindful of several phishing campaigns that Microsoft has observed using tax-related themes for social engineering to steal credentials and deploy malware. Notably, these campaigns use redirection methods, such as URL shorteners and QR codes contained in malicious attachments, and abuse legitimate file-hosting services (Dropbox, OneDrive, etc.) and business profile pages to avoid detection.

Every tax season, threat actors use various social engineering techniques to steal personal and financial information, which can result in identity theft and monetary loss. These threat actors craft campaigns that mislead taxpayers into revealing sensitive information, making payments to fake services, or installing malicious payloads.

Remember, the IRS does not initiate contact with taxpayers by email, text messages, or social media to request personal or financial information.

What’s Happening?

Starting in early February 2025, Microsoft began detecting tax and IRS-themed phishing campaigns. Some campaigns deployed information-stealing malware, while other campaigns attempted to collect user credentials and screenshots from compromised devices.

Notably, on February 6, Microsoft observed a phishing campaign that involved several thousand emails targeting the United States. The campaign used tax-themed emails that attempted to deliver malware.

The campaign used the following email subjects:

  1. Notice: IRS Has Flagged Issues with Your Tax Filing
  2. Unusual Activity Detected in Your IRS Filing
  3. Important Action Required: IRS Audit

The campaign used the following PDF attachments:

  1. lrs_Verification_Form_1773.pdf
  2. lrs_Verification_Form_2182.pdf
  3. lrs_Verification_Form_222.pdf

The emails contained a PDF attachment with an embedded double-click URL that redirected users to a URL-shortening link. That link then redirected the browser to a landing site that displayed a fake DocuSign page hosted on a domain masquerading as DocuSign.
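A mail-triage check built from the subjects and attachment names listed above, as an added example that is not part of the original post or Microsoft's own tooling. The function names, sample addresses and sample messages are constructed for illustration, and treating the numeric suffix as variable (and also accepting an "irs" spelling) is an assumption that goes beyond the three listed filenames.

```python
import re
from email.message import EmailMessage

# Subjects exactly as listed in the post, lowercased for comparison.
SUBJECTS = {
    "notice: irs has flagged issues with your tax filing",
    "unusual activity detected in your irs filing",
    "important action required: irs audit",
}
# The listed filenames begin with "lrs" (l-r-s), so a plain search for "irs"
# misses them. Assumption: the number varies, and either first letter is used.
ATTACHMENT_RE = re.compile(r"^[il]rs_verification_form_\d+\.pdf$", re.I)

def normalize_subject(raw):
    """Strip Re:/Fw:/Fwd: prefixes and collapse whitespace before comparing."""
    s = re.sub(r"^\s*((re|fwd?)\s*:\s*)+", "", str(raw or ""), flags=re.I)
    return " ".join(s.split()).lower()

def triage(msg):
    """Return the reasons a parsed message matches the campaign indicators."""
    reasons = []
    if normalize_subject(msg["Subject"]) in SUBJECTS:
        reasons.append("subject")
    for part in msg.iter_attachments():
        name = part.get_filename() or ""
        if ATTACHMENT_RE.match(name):
            reasons.append("attachment:" + name)
    return reasons

def build_sample(subject, filename=None):
    """Constructed sample message; addresses and content are placeholders."""
    m = EmailMessage()
    m["From"] = "sender@example.test"
    m["To"] = "user@example.test"
    m["Subject"] = subject
    m.set_content("placeholder body")
    if filename:
        m.add_attachment(b"%PDF-1.4 placeholder", maintype="application",
                         subtype="pdf", filename=filename)
    return m

if __name__ == "__main__":
    samples = [
        build_sample("Fwd: Important Action Required: IRS Audit",
                     "lrs_Verification_Form_222.pdf"),
        build_sample("Your tax documents", "lrs_Verification_Form_1773.pdf"),
        build_sample("Team lunch on Friday", "menu.pdf"),
    ]
    for m in samples:
        print(m["Subject"], "->", triage(m) or "no match")
```

A match on either indicator is a reason to quarantine and review the message, not proof of compromise; the redirect chain described above still has to be confirmed from the attachment itself.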

Everyone should remain vigilant. Awareness and caution are crucial in protecting against these threats. Be cautious of any unexpected emails, especially those requesting sensitive information or urging immediate action. It is a busy time of year, especially for tax professionals, but take the extra steps to steer clear of cybercrime.