Beware of Fraudsters as Tax Day Nears

As millions of Americans rush to file their tax returns by the April 18 deadline, opportunistic hackers are rushing to attack.

tax fraud

Tax filing-related fraud schemes are on the rise this year, with attackers making use of all manner of download, email and phone scams in an attempt to defraud taxpayers.

The Internal Revenue Service has been warning taxpayers since February of a 400 percent rise in phishing and malware incidents this tax season. It's a trend that multiple security vendors have also observed, with attackers ramping up their efforts as tax day, which is April 18 this year, nears.

Deepen Desai, head of security research at Zscaler, said his firm has observed a significant upward trend in tax-related schemes over the past three months.

"In that time, we've seen roughly a 300 percent increase in tax-related events," Desai told eWEEK. "The sharpest jump in activity actually occurred this week, with a 400 percent increase compared to the previous week."

Among the different types of tax scams that Zscaler has seen are ones that involve some form of fake download page for tax software, including for the popular TurboTax application. In some cases, the fake TurboTax was merely a scheme to get users to click on more links and download other software, though there is some malicious potential.

While running antivirus software can help detect bogus tax applications, that's not always enough. Desai noted that "bundleware" or adware organizations (where unintended software is part of a download) are quite adept at staying ahead of antivirus protections for the most part. Typically, by the time an antivirus block is in place, the adware operation has already changed things just enough to not be affected.

"Besides being able to quickly pivot their network infrastructure and delivery techniques, and being able to generate randomized payloads to avoid signature-based blocks, they also use tactics like code-signing certificates to give their installers an extra air of legitimacy," Desai said. "We were able to identify them with the Zscaler Behavioral Analysis Engine, which allowed us to evaluate the threats on the basis of what they will actually do on a user's machine versus how they're coded."

While Zscaler is seeing an overall rise is tax scams in 2016, the tactics that attackers are using for the most part are similar to past years. The basic technique being used—persuading a user to launch a file via an email or a Website—hasn't changed, according to Desai.

"The general trend is that as [attackers] cycle their infrastructure faster to decrease the effectiveness of IP and domain reputation lists, they are similarly able to avoid basic signature detection or file-hash matching of payloads by utilizing polymorphic packing engines," Desai said. "The use of search engine poisoning, as in the adware case, allows the operators to provide a payload for whatever a user might be searching for and stay ahead of trends."

Desai added that none of these techniques is new, but they are being used more commonly and more effectively as times goes on.

Tax attackers are also making increasing use of phone calls to defraud tax payers. Phone fraud detection vendor Pindrop operates a network of honeypots where it captures and analyzes various phone fraud scams, and has raised $122 million to help advance its phone fraud detection technology. A researcher at Pindrop said that from Jan. 1 to April 1, Pindrop captured and analyzed 4,325 tax fraud calls in its honeypot.

"Victims are generally threatened with arrest, fines and assets freeze," the researcher told eWEEK. "From calling back a fraudster, we know the fraudsters typically try to get the victim to send them cash, and then ask to confirm personal information, such as their Social Security number."

While phone fraud has occurred during past tax times, the big difference with the 2016 tax fraud season is that the IRS now says it can call you, which it did not before, according to the researcher.

"Therefore, it becomes really difficult for consumers to know who is really calling them," the researcher said.

Sean Michael Kerner is a senior editor at eWEEK and Follow him on Twitter @TechJournalist.

Sean Michael Kerner

Sean Michael Kerner

Sean Michael Kerner is an Internet consultant, strategist, and contributor to several leading IT business web sites.