Scammers impersonating the Internal Revenue Service are emailing individuals malware to steal information, marking an escalation compared with recent schemes that used the agency in less sophisticated attacks.
The latest scam emails include links that appear similar to the IRS.gov web address but lead to compromised websites that could download software to record a victim’s keystrokes, potentially sharing passwords and other sensitive data with attackers, the IRS warned last week.
Hackers have frequently posed as the IRS to target taxpayers. Last year, scammers called individuals to demand the return of tax refunds they said had been transferred by accident.
IRS phishing scams are particularly attractive to hackers because taxpayers are unlikely to ignore messages that they believe come from the agency, said Colin Bastable, chief executive of cybersecurity firm Lucy Security AG.
“Any message you get from the IRS is intimidating,” Mr. Bastable said. “The IRS is likely the most-feared brand in the U.S.”
Attackers behind the latest scam campaign created dozens of malicious websites to compromise victims’ computers, making it more difficult to shut down, the IRS said.
“This latest scheme is yet another reminder that tax scams are a year-round business for thieves,” IRS Commissioner Chuck Rettig said in the statement. “We urge you to be on-guard at all times.”
Using multiple websites to plant malware on victims’ computers, rather than call them to demand bank transfers, suggests that hackers are adopting a somewhat more sophisticated approach to using the IRS as a tool for fraud, cybersecurity experts said.
In some cases, attackers include names and the last four digits of a victim’s Social Security number in their emails to convince taxpayers that the message is legitimate, said Chris Duvall, senior director at Chertoff Group, a risk-management adviser.
“They can purchase these things on the dark web, fire [out emails] and forget,” he said. “These scams are getting worse…because they’re easy to pull off.”
It doesn’t require significant technical skills to set up dozens of websites but sophisticated hackers would likely design the websites to appear like authentic IRS pages, said Tim Erlin, vice president for product management and strategy at cybersecurity company Tripwire Inc. The IRS warning didn’t provide details about the websites and the agency didn’t respond to a request for details.
Last month, the IRS issued a warning reminding tax preparers of a Federal Trade Commission requirement to implement data security plans. Under that rule, tax preparers must follow a number of measures to protect data, such as regularly monitoring and testing safeguards.
The various systems for reporting and filing taxes can be targets for cyberattacks, Mr. Erlin said. “It’s just one of these areas where complexity tends to breed vulnerability,” he said.
Tom Kellermann, chief cybersecurity officer at cybersecurity firm Carbon Black Inc., said the phishing ploy, which targets both individuals and tax professionals, shows that IRS fraud is accelerating and will likely become a bigger problem for businesses.
“Hackers are escalating from traditional tax refund fraud against individual taxpayers to more sophisticated attacks against accounting firms,” he said. “This new scam is a harbinger of fraud to come.”