Skip links

It’s tax season, and scammers are a step ahead of filers, Microsoft says

As the digital wolves dress in sheep’s tax forms, Microsoft has thrown a spotlight on a crafty 2024 phishing expedition, unraveled in January, that preys on the unsuspecting herd of early tax filers.

The malicious email campaign, purporting to be employees’ tax returns, contained an attachment that, when clicked, directs the user to a phony website that looks like a blurred spreadsheet, with a download documents button marked “confidentials to users[dot]name[at] contoso[dot]com.”

The blurred document is intentional, according to Redmond, noting this type of social engineering technique increases the likelihood that people will take the bait. Of course, once they do, malware is installed and it’s game over. In this particular scam, Microsoft says the miscreants dropped an info-stealer on the victim’s machine that then attempted to scoop up account credentials.

“Falling for a phishing attack can lead to leaked confidential information, infected networks, financial demands, corrupted data, or worse,” the Windows giant warns.

Of course, tax scams are nothing new. But with scammers starting early (unlike your humble vulture), and using tools like AI to write more convincing emails and generate deepfake images intended to trick vulnerable tax payers (think: new filers and older folks), the crooks have a better chance at stealing high-value data from “millions of stressed and distracted individuals and businesses,” Microsoft says.

Plus: Redmond offers some tips on how to avoid falling for these phishes.

“Although everyone can be a target of tax-season phishing, certain groups of people are more vulnerable than others,” according to the tax season report. “Prime targets include individuals who may be less informed about IRS methods of engagement — Green Card holders, small business owners, new taxpayers under the age of 25, and older taxpayers over 60.”

To that end, crooks frequently use images lifted directly from legitimate third-party processor websites and/or containing the US Internal Revenue Service (IRS) logo. 

These phishing emails purport to be from real processors, listed on the IRS website, and frequently promise a hefty tax return — once the user clicks on a malicious link and enters their personal information.

And because taxpayers are used to sending sensitive data — such as Social Security numbers, financial information and account passwords and access — to the IRS, accountants, law firms, and other online services that provide tax filing assistance during this time of year, they are more likely to fall victim to these scams, and inadvertently hand over their high-risk data to thieves.

We should note, as the IRS does on its tax scams page, “The IRS doesn’t initiate contact with taxpayers by email, text messages or social media channels to request personal or financial information.”

Tell your parents or your first-time filers to inspect the sender’s email address, verify the sender’s contact info, be wary of generic greetings, don’t send sensitive details via email and for crying out loud, don’t click unexpected links.

Microsoft suggests turning on multi-factor authentication (MFA). Or perhaps it’s just speaking from experience on this one. ®