Tax Season Email Campaign Scammers on the Rise Again

By Bill Toulas / April 4, 2019

With the “April rush” in the United States approaching (April 15), tax email scam campaigns are at it again, targeting unsuspecting citizens who are tricked into believing that the IRS (Internal Revenue Service) is contacting them. As reported by Proofpoint researchers who have taken a closer look at how these phishing campaigns operate, their sophistication increases with every year that passes. Scammers learn what works and what doesn’t, employ more penetrating social engineering methods, and use banking Trojans and ransomware to acquire everything they need from their victims.

Although the US is one of the markets these scammers target, their operation is international. From September 2018 to today, Proofpoint has detected multiple campaigns using the “NetWire” malware, the “Trick” Trojan, and the Ave Maria document macro RAT in Australia, Canada, the US, New Zealand, France, and Singapore. That said, tax scamming email campaigns have a global reach, and you should beware of the dangers wherever you may be. Besides the required localization that is apparent in the following screenshots, these campaigns follow common methods and characteristics that make them effective, and at the same time distinguishable.



First, the emails that reach taxpayers are all characterized by a sense of urgency. Typical examples include requests to update incorrectly filled-out forms that will soon incur a fine, emergency tax incentive billings, notices of outstanding income tax demand, and more. Most of these messages come with malicious attachments in the form of document files that contain malware-installing macros.



The actors usually spoof the email addresses of the legitimate revenue departments and send many thousands of these messages. Inside the documents, the recipients find the real branding of the tax services, convincing graphs, and other make-believe elements. In several cases, the actors preferred to put the malware-downloading links in the body of the email instead of using document macros, since the macro method requires macros to be enabled in the victim’s office suite, which is not always the case.

As for the phishing part, the scammers direct taxpayers to URLs of spoofed websites that are made to look exactly like the real tax authority website. Victims are tricked into believing they are about to access their tax profile and enter their login credentials on the spoofed form, thus sending their sensitive information to the scammers.
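The traits described above (urgent wording, a sender address that does not match the envelope, links pointing away from the claimed sender, and macro-carrying document attachments) can be checked mechanically on a received message. The following is an added example, not code from the article or from Proofpoint; the keyword list, the `triage` and `has_vba` helpers, and the sample message with its `.example` addresses are all constructed for illustration.

```python
import io, re, zipfile
from email import message_from_bytes, policy
from email.message import EmailMessage
from email.utils import parseaddr
from urllib.parse import urlparse

# Assumed keyword list, modelled on the urgency themes the article mentions.
URGENCY = re.compile(r"\b(urgent|immediately|fine|penalty|outstanding|overdue)\b", re.I)

def has_vba(data: bytes) -> bool:
    """True if data is an OOXML (zip) document that carries a VBA macro project."""
    try:
        with zipfile.ZipFile(io.BytesIO(data)) as z:
            return any(n.lower().endswith("vbaproject.bin") for n in z.namelist())
    except zipfile.BadZipFile:
        return False  # legacy OLE .doc/.xls files need a dedicated parser

def triage(raw: bytes) -> dict:
    msg = message_from_bytes(raw, policy=policy.default)
    from_dom = parseaddr(msg.get("From", ""))[1].rpartition("@")[2].lower()
    rp_dom = parseaddr(msg.get("Return-Path", ""))[1].rpartition("@")[2].lower()
    body = msg.get_body(preferencelist=("plain", "html"))
    text = body.get_content() if body else ""
    hosts = {urlparse(u).hostname or "" for u in re.findall(r"https?://[^\s\"'<>]+", text)}
    return {
        "urgency": bool(URGENCY.search(f"{msg.get('Subject', '')} {text}")),
        # Weak signal on its own: legitimate bulk senders also differ here.
        "sender_mismatch": bool(rp_dom) and rp_dom != from_dom,
        "offsite_links": sorted(h for h in hosts
                                if h != from_dom and not h.endswith("." + from_dom)),
        "macro_attachments": [p.get_filename() for p in msg.iter_attachments()
                              if has_vba(p.get_payload(decode=True) or b"")],
    }

def sample() -> bytes:
    """Constructed message; every address and host is a made-up .example name."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as z:
        z.writestr("word/document.xml", "<w:document/>")
        z.writestr("word/vbaProject.bin", b"\x00")  # placeholder, not real VBA
    m = EmailMessage()
    m["From"] = "Tax Office <notice@revenue.example>"
    m["Return-Path"] = "<bounce@mailer.example>"
    m["Subject"] = "Outstanding income tax demand"
    m.set_content("Update your form immediately: http://revenue-login.example/form")
    m.add_attachment(buf.getvalue(), maintype="application",
                     subtype="vnd.ms-word.document.macroEnabled.12", filename="tax_form.docm")
    return m.as_bytes()

if __name__ == "__main__":
    print(triage(sample()))
```

Each field is a triage hint rather than a verdict; in practice these would be combined with SPF/DKIM/DMARC results recorded by the receiving mail server.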



From simple login webpages to fully-fledged personal information forms, everything is included in these campaigns, and many thousands take the bait each year. Pay attention to the URLs you are landing on, don’t open documents that are sent to you unsolicited, don’t enable macros in your office suite, and above all, stay calm. Also, don't forget to check our interview with Asaf Cidon, who talks about the dangers of tax season.
