Phishing scams are always prevalent, but tax season tends to step things up a few gears. Threat actors are carrying out a new attack campaign, using phishing emails and a TypeForm exploit to try to steal victims’ login credentials. TypeForm is a website that allows users to conduct surveys and create quizzes; it has a legitimate use. Hackers are using exploits within TypeForms framework to create fraudulent login pages as a part of the phishing scam.
A new report by Armorblox details the attack, in which the phishing scam takes advantage of the 2021 tax season by pretending to be a W-2 tax document shared via Microsoft OneDrive.
The phishing scam starts with victims receiving an email purporting to be from OneDrive, where a file named ‘2020_TaxReturn&W2.pdf’ is shared with the user.
Previously, companies sent tax-related correspondence via mail, but in recent times many have switched to email for various documents, such as 1099 and W-2.
It is important to note that the above email does not stand up to any kind of examination by someone trained or educated to keep an eye out for phishing emails. Regardless, this phishing scam has been successful.
If the victim clicks on the link, they are brought to a TypeForm form that includes a blurred out 2020 W-2 tax document pretending to be secured by the Adobe Secure Document service.
The form will request that the visitor enter their email address and password to log in and retrieve the W-2 document.
When entering details, the document will consistently state the details are incorrect, before eventually displaying a message which reads, “Unable to verify your identity”.
ArmorBlox noted this is the heart of the scam; the hackers are using trying to make the user enter all of their password and username combinations they can think of, while harvesting them unbeknownst to the victim.
“It’s likely that the error messages could be a smokescreen for the attackers to gather as many account ID and password combinations as unsuspecting victims are willing to enter in an attempt to brute-force their way to gain access to the W2. In reality, there is no W2 pot of gold at the end of this malicious rainbow,” ArmorBlox explains in their report.
In their own research of this scam, BleepingComputer noted, “TypeForm is not the only legitimate form creation service to be abused by threat actors. Other phishing campaigns have used Google Forms and Canva to steal login credentials. Microsoft Forms is also heavily abused, which has led Microsoft to proactively warn IT admins when they detect phishing campaigns abusing Microsoft Forms in their Active Directory tenants.”
Rise in Phishing Scams During the 2021 Tax Season
More than any other, the 2021 tax season has been rife with cybercrime and scams. The delayed start and COVID pandemic have led to fertile soils for hackers trying to make a quick buck from phishing campaigns on unware users.
“It’s like the perfect storm we’re dealing with right now,” said Howard Silverstone, a forensic accountant and a member of the American Institute of Certified Public Accountants’ fraud task force.
Much of the fraud typically involves identity theft, according to tax experts. In such cases, a criminal might steal personal information to file a fake tax return and collect your refund.
Taxpayers may also unwittingly supply personal data to criminals who falsely claim they can help collect stimulus checks, according to the IRS. Congress is aiming to pass a $1.9 trillion Covid relief bill that includes $1,400 stimulus checks by mid-March.
“Thousands of people have lost millions of dollars and their personal information to tax scams,” according to the IRS.
More than 89,000 Americans filed a complaint with the Federal Trade Commission last year reporting tax fraud linked to identity theft, according to the consumer agency. Identity theft was the most reported type of fraud in 2020, the FTC said.
Criminals often reach out via telephone and e-mail to try ripping off unsuspecting victims.
In IRS imposter scams, for example, a con artist may pose as an IRS agent and try to intimidate callers into divulging sensitive information. Phishing scams aim to get data like account information and passwords through bogus websites, texts and emails.
However, the IRS won’t initiate contact taxpayers by email, text message or social media channels to request personal or financial information. The agency also won’t call to demand immediate payment — officials will generally first mail a bill to any taxpayer who owes taxes.
Protection against Phishing Attacks
The key in defending against phishing is always education. Business leaders should ensure employees receive regular cybersecurity training to be able to spot fraudulent emails. There are always occasions when phishing scams are so high-fidelity that they can rarely be spotted by the naked eye, and in this case a number of cybersecurity tools should be available to discern the legitimacy of possible scams. One of these tools is SaferNet.
SaferNet is the perfect solution to the cybersecurity issues that individuals, families, and businesses face today. It not only connects every device using a secure, 24/7 always on, military grade VPN, but it also stops outside cyberthreats, malware and viruses as well. On SaferNet, all users are protected anywhere in the world, all the time, on any cellular or Wi-Fi network. In addition to SaferNet’s VPN and cyber protection, it also offers a range of employee or parental/family internet controls including internet filtering, monitoring, scheduling, and blocking access to websites or even entire website categories
Typically, a business or family would need 3 separate services for a VPN, Malware Protection, and Internet Controls; SaferNet offers all 3 features in one service. SaferNet truly is an endpoint security presence that can be implemented in minutes around the world, on phones, laptops, tablets, and computers at an economical price point that caters to all sizes of businesses and families. SaferNet guarantees a smooth setup and installation process that takes only minutes, and an easily accessible control hub for you to monitor all your employee’s or family members devices; including activity, time spent online, and threats blocked.