top of page
  • Admin

Tax-Themed Phishing Campaigns Up 500% And Started Early This Year

Published: May 07, 2021 on our newsletter Security Fraud News & Alerts Newsletter.

As the saying goes, “Spring flowers bring tax-time email phishing attacks.” Well, maybe not exactly like that…However, researchers have found that this tax season is much the same as last year but for one important point: tax scams started earlier than usual. But when the early attacks are paired with the extended filing date on May 17, there’s plenty of extra time for hackers to launch their tax-themed email phishing campaigns. These emails are now filling inboxes everywhere.

In just the first three months of this year, Proofpoint found a 500% spike in tax-themed email phishing campaigns using malicious macros. The emails deliver a weaponized version of Excel’s XL4 Macros. Macros are helpful with automating repetitive tasks commonly used in a workplace, but these macros install malware and are anything but helpful.

IRS Security Alert

The IRS issued a security alert in March, warning that educational institutions including staff, students, and anyone with a .edu email address are also under heavy fire from this latest round of tax-related email scams. Proofpoint found dozens of enterprises including energy, manufacturing, and healthcare are also in the crosshairs. Some threat groups are combining the tax lures with pandemic and other health related decoys.

Over 30 campaigns were discovered by Proofpoint where multiple bad actors are using the spoof-cover of government agencies for taxes and refund support and government revenue divisions as the lure. These lures accounted for over 800,000 emails that include compromising a user’s email account and stealing their personal data. They also found many of the campaigns targeting businesses can be used for BEC (business email compromise) attacks that can lead to devastating financial fraud.

Malicious Word Documents

Cybereason learned that among the variety of tax lures being used, individuals are being sent Word documents with the email content claiming the documents have tax-related information. Cybereason discovered the documents carry the notorious NetWire or Remcos malware and are built to evade antivirus software tools. Other tax-themed campaigns used malware like Dridex, TrickBot, and ZLoader. Cybereason also found 17% of attacks were used to install a RAT (remote access trojan) on devices, while 40% involved credential theft.

IRS Email Policy

Knowing the IRS policy about tax-themed email campaigns takes a lot of the guesswork out of flagging these criminal acts. The IRS policy for electronic communications says in part “The IRS never initiates contact, or reaches out, on any matter using email, text messages, or social media without your prior consent. In other words, the IRS doesn’t send unsolicited emails.” Remember, the IRS will first send you a letter by mail to initiate contact and will never call without first setting up a phone appointment in a letter.

Want to schedule a conversation? Please email us at


bottom of page