Tax scam emails are alive and well as US tax season starts


Many countries have taxation forms with names that have entered the general vocabulary, notably the abbreviations of documents that employers are obliged to provide to their staff to show how much money they were paid – and, most importantly, how much tax was already withheld and paid in on the employee’s behalf.

In the UK, for example, the form name P45 is often used as a synonym for getting fired, given that it’s a final tax summary that you get when you leave a job, willingly or otherwise.

In South Africa, you get an IRP5 at the end of the tax year – an archaic term that we are guessing is short for Inland Revenue/Personal, Form #5, even though the South African tax office hasn’t been called the Inland Revenue for nearly 25 years.

In the USA, the earnings form is a W-2, short for Wages and Tax Statement, Version 2. (It seems that there used to be a form W-1, but it was superseded back in the 1950s.)

Here at Naked Security, we know the names of these forms, amongst numerous others, because they often show up in tax scam emails, presumably to give those messages an air of realism.

Anyway, given that it’s the last week in January, and thus that US tax filing season is about to get underway, we weren’t surprised to receive a tax-related scam email today, and to see the W-2 form mentioned explicitly.

We were, however, intrigued by the “less is more” nature of today’s phishing message: there was no traditional call to action, just a simple request for further information.

Phishing without links

Usually, when we write about tax scams, we’re warning about traditional phishing campaigns where the idea is to trick you into “logging in” to a bogus site where your tax office account details and password get captured by cybercriminals.

Sometimes, the crooks use the high-pressure tactic of warning you that you could get into trouble if you don’t act right away (and who would willingly undertake a tax office audit?); often, however, the scam relies on the lure of a refund, like this one we received via text message a year ago:

But, as regular readers will know, quite a few cybercrime groups are moving away from pure-play “technohacks” these days, such as email scams that rely entirely on you clicking a fake link.

Instead, many cybercriminals are adopting the “human led” approach that has served criminals such as advance fee fraudsters and romance scammers so well over the years.

Ransomware scammers, for example, used to rely heavily on automatically catching out hundreds or thousands of independent victims at a time by spamming out links or attachments that directly unleashed the ransomware and then demanded somewhere between $300 and $1000 from anyone who got hit.

These days, the human-led approach means that although ransomware criminals still rely on scrambling hundreds or thousands of computers in a single attack, there’s rarely any obvious or widespread spam campaign that gives away the attack in advance.

These days, ransomware criminals typically break into (or buy their way into) your network very quietly, and then carefully plan for an attack that’s co-ordinated and kicked off manually, at a time to suit the crooks and to disadvantage you.

Similarly, tech support scammers are increasingly relying on persuading you to call them, rather than bombarding the world with spammy links or phishy attachments and then trying to filter out the people or computers that seem to respond.

Many victims are willing to call the scammers back – they often provide a convenient toll-free number, so it doesn’t even cost you anything – because it feels like a low-risk approach.

After all, hackers can’t directly push malware onto your computer or inject an exploit into your browser if you’re just talking to them.

Of course, the crooks use that to their own advantage, often giving you a level of personal attention and hand-holding that you wish you could get from other IT vendors…

…at which point, the criminals don’t need an exploit to run code on your computer, because they’ll helpfully and patiently talk you through doing that job all by yourself: they sneakily trick you into creating a cybersecurity problem for yourself under the guise of fixing one.

A little politeness goes a long way

Today’s tax scammers have done a “let’s ask nicely” job, carefully avoiding links and attachments, and presumably hoping that someone on their mailing list will be willing to reply in the hope of investigating what feels like a new business opportunity:

I actually intend to change cpa for my 2021 tax return, Would like to know if your firm is open to accept new clients for the next tax year, All my documents are completed, all I am yet to have is just my W2.

Kindly advise on how to proceed and if I can send forth all the available documents and whats are your fees for individual returns

Managing Director

(CPA is short for Certified Public Accountant, the US equivalent of what people in many Commonwealth countries refer to as a CA, or Chartered Accountant.)

On one hand, the fact that many scammers are avoiding links and attachments these days suggests that we are, as a digital society, learning to be more cautious before blindly believing in unsolicited websites or files.

On the other hand, we need to remember that engaging with a scammer in any way at all is the first step that any cybercrook wants you to take.

What to do?

Not least because it’s Data Privacy Week this week, and Data Privacy Day on Friday 28 January 2022, always keep in mind our simplest advice when deciding whether to engage with people you don’t already know online:

  • Be aware before you share. Every little bit you give away about yourself makes it easier for a scammer to charm you, threaten you, or entice you into an online relationship you didn’t ask for in the first place.
  • If in doubt, don’t give it out. If it feels like a scam, back yourself and assume that it is.
  • No reply is often a good reply. Never feel compelled to reply out of politeness or completeness. It’s easier to stay out of a wheedler’s clutches if you don’t open the door for a reply-to-your-reply.
  • Listen to friends and family. Especially when money is involved – whether it’s you sending it to a romance scammer who falsely claims to love you, or receiving it from newfound “business associates” who have fraudulently pitched you a “job” in their organisation.

Stay safe online, everyone!