164% increase in tax-related phishing emails since February 2023

Egress | 18th Apr 2023

Ahead of US Tax Day on April 18, 2023, attackers are taking the opportunity to send finance-related phishing attacks. There has been a 164% increase in tax-related phishing emails since February 2023 and a 32% increase versus 2022 levels. Typically in these attacks, cybercriminals attempt to convince victims that they have a tax refund available or have underpaid their taxes, when in reality, the email contains a malicious link or attachment.

Below, our Cyber Analysts outline two recent phishing campaigns that employ social engineering techniques to impersonate the IRS and the UK’s HM Revenue & Customs (HMRC).

Quick attack summary

Vector and Type: Email phishing

Techniques: Social engineering, brand impersonation

Payloads: Malicious phishing links and HTML attachments contained within the email

Targets: USA and UK

Platform: Microsoft 365

Bypassed SEG: Yes

What the IRS phishing email looks like

Cybercriminals are using spoofed and lookalike IRS domains to deliver malware via email attachments in the latest wave of phishing attacks detected by Egress Defend. These emails contain instructions for the recipient to open an attachment that launches Emotet malware onto their device. Emotet malware is known to be associated with Microsoft Word, Excel, and OneNote attachments, but has recently been used within IRS phishing attacks as well.

In the below example, the attacker has used the legitimate IRS logo within the email to increase credibility. They have also used spoofing techniques, such as a ‘From’ address that shows as do_not_reply@irs.com and a corresponding display name that appears as ‘IRS’. The email asks the victim to complete a ‘Tax Refund Request Form’, which appears to be a legitimate website; when the victim opens the attachment to fill in the form, the Emotet malware is installed on their device.

The email includes a tax revenue code as a social engineering technique intended to lure the recipient into believing that the email is authentic. 


A phishing email impersonating the IRS and using social engineering techniques

What the HMRC phishing emails look like

Egress Defend has detected phishing attacks that attempt to obfuscate malicious code to bypass attachment scanning and sandbox technology. The attackers used a basic HTML template and social engineering techniques: the email contained a brief message that appears to be sent from HMRC, complete with their logo at the top. In the below example, the attackers impersonate HMRC by using a spoofed email address (statements@gov.uk) as the ‘From’ address and displaying the sender name as ‘GOV UK’. The impersonation tactics are carried out to add legitimacy to the email.

The email body states: ‘If you do not complete the refund form now, you will not be able to claim your annual tax refund online’. This common social engineering technique of including an arbitrary deadline and consequence for inaction (inability to claim the refund) adds pressure on the victim, encouraging them to act quickly and without thinking.

The email text instructs the recipient to complete a form and send it to taxreturns@gov.uk, a seemingly legitimate email address. However, the victim is unlikely to reach this stage as the attachment is a malicious HTML file. Opening the attachment will inject malware into the victim's machine.


A brand impersonation phishing email containing Emotet malware within an attachment

Tax-related phishing emails are being sent from these domains

Our Cyber Analysts have analyzed numerous emails that appear to be sent from legitimate HMRC and IRS email addresses when in fact attackers have been spoofing the domains. In particular, we have seen an increase in IRS emails from the first week of April 2023, and HMRC emails from the middle of March 2023, with both increasing in volume in the run-up to US Tax Day. Below are some domains that we have seen these emails being sent from:

  • com
  • uk
  • gov.uk
  • us

Our analysts have also seen numerous emails sent from Japan (.jp) and Denmark (.dk) domains, both showing signs of impersonation within the display name and the ‘From’ address.

Egress analysis

Everyone wants money back from their taxes! Tax-related phishing emails, such as IRS brand impersonation attacks, are common around US Tax Day and at the end of tax years, and (amongst other tactics) trick the victims into believing they are eligible for a refund. This causes people to act before thinking and, in these examples, makes them more likely to click on the malicious attachment within the email.

The IRS and HMRC emails analyzed demonstrate high levels of social engineering and impersonation. The emails use legitimate logos and were sent from seemingly legitimate IRS and HMRC domains to add credibility. This can make it challenging for a user to identify whether the email is genuine. In the HMRC phishing attack, the cybercriminal has also included an email address that appears to be another legitimate gov.uk address, which the victim is instructed to use to ‘send back the completed document’.

The attackers have also used a variety of techniques to improve the email’s deliverability, including waiting until the domain is more than 60 days old and sending earlier scouting emails to help build a social graph. This ensures the actual phishing attack is more likely to be delivered straight to the user’s inbox rather than being sent to the junk folder or quarantined by traditional email security solutions. Even though attackers are using lookalike domains, we have analyzed emails that have passed DMARC authentication, which means it’s more difficult for signature-based anti-phishing technologies to detect them.
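As an added illustration of how a defender could turn the indicators described in the IRS and HMRC examples above into triage logic, the following Python script parses three constructed messages and flags the signals this post calls out: a display name that claims a brand while the ‘From’ domain is not one of that brand’s domains, the DMARC result (and the fact that a DMARC pass on a lookalike domain only shows the attacker controls that domain), a refund lure, deadline pressure in the body, and a risky attachment type. This is example code written for this page, not Egress Defend’s detection engine; the accepted sender domains per brand, the keyword lists and the sample messages are assumptions constructed for the demo.

```python
import re
from email import message_from_string
from email.utils import parseaddr

# Brand names seen in display names, mapped to domains that brand legitimately
# sends from. irs.gov and gov.uk are the real government domains; treating them
# as the only acceptable senders is an assumption of this example.
BRAND_SENDERS = {
    "irs": ("irs.gov",),
    "hmrc": ("gov.uk",),
    "gov uk": ("gov.uk",),
}
LURE_WORDS = re.compile(r"tax refund|refund form|underpaid|tax return", re.I)
URGENCY_WORDS = re.compile(r"will not be able|do not complete|immediately|within \d+ (?:hours|days)", re.I)
RISKY_ATTACHMENT = re.compile(r"\.(html?|docm?|xlsm?|one)$", re.I)


def triage(raw: str) -> dict:
    """Score one RFC 5322 message against the phishing indicators from the post."""
    msg = message_from_string(raw)
    findings = []

    # 1. Display-name brand claim versus the actual sender domain (lookalike/spoof check).
    display, addr = parseaddr(msg.get("From", ""))
    from_domain = addr.rsplit("@", 1)[-1].lower() if "@" in addr else ""
    impersonated = False
    for brand, legit in BRAND_SENDERS.items():
        if brand in display.lower() and not any(
            from_domain == d or from_domain.endswith("." + d) for d in legit
        ):
            impersonated = True
            findings.append(f"display name '{display}' but sender domain is {from_domain}")

    # 2. DMARC result from the receiving MTA's Authentication-Results header.
    match = re.search(r"dmarc=(\w+)", msg.get("Authentication-Results", ""))
    dmarc = match.group(1).lower() if match else "none"
    if dmarc != "pass":
        findings.append(f"dmarc={dmarc} for {from_domain}")
    elif impersonated:
        # Alignment passed, but for a domain the brand does not own: not evidence of legitimacy.
        findings.append("DMARC pass on a lookalike domain; alignment only proves control of that domain")

    # 3. Body lures, deadline pressure and attachment types.
    body, attachments = [], []
    for part in msg.walk():
        name = part.get_filename()
        if name:
            attachments.append(name)
        elif part.get_content_type() == "text/plain":
            body.append(part.get_payload(decode=True).decode("utf-8", "replace"))
    text = " ".join(body)
    if LURE_WORDS.search(text):
        findings.append("tax-refund lure in body")
    if URGENCY_WORDS.search(text):
        findings.append("deadline/consequence pressure in body")
    for name in attachments:
        if RISKY_ATTACHMENT.search(name):
            findings.append(f"risky attachment type: {name}")

    return {"from": addr, "dmarc": dmarc, "findings": findings, "score": len(findings)}


def build_sample(from_hdr: str, auth_results: str, body: str, attachment: str) -> str:
    """Assemble a small multipart message for the demo (constructed data, not a real capture)."""
    return (
        f"From: {from_hdr}\nTo: employee@example.org\nSubject: Notification\n"
        f"Authentication-Results: mx.example.org; {auth_results}\n"
        'MIME-Version: 1.0\nContent-Type: multipart/mixed; boundary="b1"\n\n'
        f'--b1\nContent-Type: text/plain; charset="utf-8"\n\n{body}\n'
        f'--b1\nContent-Disposition: attachment; filename="{attachment}"\n'
        "Content-Type: application/octet-stream\n\nplaceholder\n--b1--\n"
    )


# Constructed samples modelled on the two campaigns described in the post.
IRS_SAMPLE = build_sample(
    "IRS <do_not_reply@irs.com>", "dmarc=pass header.from=irs.com",
    "You have a tax refund available. Complete the attached Tax Refund Request Form immediately.",
    "Tax_Refund_Request_Form.html")
HMRC_SAMPLE = build_sample(
    "GOV UK <statements@gov.uk>", "dmarc=fail header.from=gov.uk",
    "If you do not complete the refund form now, you will not be able to claim your annual tax refund online.",
    "HMRC_Refund_Form.htm")
BENIGN_SAMPLE = build_sample(
    "Payroll <payroll@example.org>", "dmarc=pass header.from=example.org",
    "Your April payslip is attached.", "payslip.pdf")

if __name__ == "__main__":
    for label, sample in (("IRS", IRS_SAMPLE), ("HMRC", HMRC_SAMPLE), ("benign", BENIGN_SAMPLE)):
        print(label, triage(sample))
```

The IRS sample triggers every check, including the DMARC-pass-on-lookalike note; the HMRC sample passes the display-name check because the claimed brand and the domain agree, but fails DMARC because gov.uk was spoofed rather than registered as a lookalike. Each finding is a cheap heuristic, so in practice the score would feed a risk banner or a queue for analyst review rather than an automatic block.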