This year’s tax season is in full swing, and while everyone is trying to make the April 15 deadline, scammers and cybercriminals are ramping up their schemes, too. They’re trying to capitalize on the hustle and bustle of this busy time.
Filing online is easier, but the convenience cuts both ways: scammers use the same channels to deliver malware and phishing attacks and reel in more victims.
Now, a new tax malware scam has been spotted, and this time it involves one of the most sinister banking Trojans around.
We’ll tell you about this new scheme, its methods of delivery and give you the tips you need to know to keep your money safe.
This tax Trojan will drain your bank account
A new, sophisticated tax phishing scam has been spotted by IBM’s X-Force. What’s scary is that it deploys a banking Trojan to steal banking credentials and redirect victims to malicious websites.
X-Force researchers say they have spotted at least three tax-related malware spam campaigns so far. They primarily target businesses, but all of them can hit regular consumers, too.
What are the new tactics? Well, these malware campaigns send out phishing emails that appear to be coming from accounting, tax and payroll services. If you work in HR and payroll departments, watch out! Spoofed companies include popular payroll providers Paychex and ADP.
Attached to these fraudulent emails are malicious Microsoft Excel documents that are programmed to install the nasty TrickBot banking Trojan on your computer.
These tax-related attacks have been going on since January of this year and are still active to this day.
Here are the tax malware details you need to look out for
X-Force noted that these latest high-volume campaigns are more sophisticated than usual and — surprise, surprise — they are actually well-written with no typographical or grammatical errors.
The phishing emails also have official-looking business signatures, footers and even warnings about unneeded printing, adding to their look of authenticity. But don’t be fooled! They’re just well-designed versions of the old TrickBot campaign.
Subject lines all include the word “tax” and are preceded with “FW:” or “RE:” to make you think the message is part of an existing thread.
These details, of course, are all designed to make the phishing emails look as authentic as possible to gain your trust. Scammers are always counting on the fact that if a potential victim thinks an email is from a trusted source, they’ll be more likely to open its attachments or follow its links.
What is TrickBot?
We talked about TrickBot a couple of years ago. It is a banking Trojan spread through phishing emails whose Excel or Word attachments carry malicious macros.
If you open the infected file and allow the macros to run (by clicking “Enable Content”), the macro fetches and installs TrickBot onto your gadget without your knowledge.
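To show what the indicators above look like when checked by a machine rather than by eye, here is an added example (my code, not IBM X-Force’s or the article’s) that triages a raw email for the three things the article describes: a “FW:”/“RE:” subject containing “tax”, a display name claiming Paychex or ADP while the sender domain is something else, and an Office attachment that contains a VBA macro project. The sample message and its attachment are constructed in memory; the “legitimate” vendor domains and all addresses are assumptions for illustration.

```python
import io
import re
import zipfile
from email import message_from_bytes, policy
from email.message import EmailMessage
from email.utils import parseaddr

# Brands the X-Force report says were spoofed. The "legitimate" domains are
# assumptions for this example; check your own vendors' real sending domains.
SPOOFED_BRANDS = {"paychex": "paychex.com", "adp": "adp.com"}

# Subject lure described in the article: a fake thread prefix plus "tax".
SUBJECT_RE = re.compile(r"^\s*(fw|fwd|re)\s*:.*\btax\b", re.IGNORECASE)

OFFICE_EXTS = (".xls", ".xlsx", ".xlsm", ".xlsb", ".doc", ".docx", ".docm")


def attachment_has_macros(data: bytes) -> bool:
    """Cheap, dependency-free check for a VBA project in an Office file.

    OOXML files (.xlsm, .docm, ...) are zip archives and keep macros in
    xl/vbaProject.bin or word/vbaProject.bin. Legacy OLE2 files (.xls, .doc)
    store a directory entry named "_VBA_PROJECT" as UTF-16LE; matching that
    is a heuristic, not a parser, so treat a hit as "needs a closer look".
    """
    if data.startswith(b"PK\x03\x04"):                      # OOXML (zip)
        try:
            with zipfile.ZipFile(io.BytesIO(data)) as zf:
                return any(n.lower().endswith("vbaproject.bin") for n in zf.namelist())
        except zipfile.BadZipFile:
            return False
    if data.startswith(b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1"):  # OLE2 compound file
        return "_VBA_PROJECT".encode("utf-16-le") in data
    return False


def triage(raw_eml: bytes) -> dict:
    """Apply the article's indicators to one raw RFC 822 message."""
    msg = message_from_bytes(raw_eml, policy=policy.default)
    findings = []

    subject = msg.get("Subject", "")
    if SUBJECT_RE.search(subject):
        findings.append("subject: tax lure dressed up as a forwarded/replied thread")

    display_name, addr = parseaddr(msg.get("From", ""))
    domain = addr.rpartition("@")[2].lower()
    for brand, legit_domain in SPOOFED_BRANDS.items():
        claims_brand = brand in display_name.lower()
        from_legit = domain == legit_domain or domain.endswith("." + legit_domain)
        if claims_brand and not from_legit:
            findings.append(f"from: display name claims {brand} but sender domain is {domain}")

    for part in msg.iter_attachments():
        filename = part.get_filename() or ""
        if filename.lower().endswith(OFFICE_EXTS):
            payload = part.get_payload(decode=True) or b""
            if attachment_has_macros(payload):
                findings.append(f"attachment: {filename} carries a VBA macro project")

    return {"subject": subject, "findings": findings,
            "verdict": "suspicious" if findings else "no indicators"}


def build_sample_eml(subject="FW: Tax Form W-2 Q1 2019",
                     sender="Paychex Payroll <invoices@mail-payroll-notify.example>",
                     with_macro=True) -> bytes:
    """Constructed test message (not a real sample). The attachment is a
    minimal zip shaped like an .xlsm, with a placeholder where a real
    workbook would carry its VBA project."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("[Content_Types].xml", "<Types/>")
        zf.writestr("xl/workbook.xml", "<workbook/>")
        if with_macro:
            zf.writestr("xl/vbaProject.bin", b"\x00placeholder")
    msg = EmailMessage()
    msg["From"] = sender
    msg["To"] = "payroll@victim.example"
    msg["Subject"] = subject
    msg.set_content("Please review the attached tax document before filing.")
    msg.add_attachment(buf.getvalue(), maintype="application", subtype="octet-stream",
                       filename="Tax_Form.xlsm" if with_macro else "Q1_Summary.xlsx")
    return msg.as_bytes()


if __name__ == "__main__":
    result = triage(build_sample_eml())
    print(result["verdict"])
    for finding in result["findings"]:
        print(" -", finding)
```

The macro check here only answers “is there a VBA project at all?”, which is enough to stop a tax form or invoice that has no business containing one; for actually reading the macro code, a dedicated tool such as olevba from the oletools project is the right next step. The sender check is deliberately strict: a display name that names a payroll vendor while the address is on an unrelated domain is exactly the mismatch the spoofed Paychex and ADP emails relied on.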
Once TrickBot is deployed to your machine, it will lurk in the background, waiting for you to visit your bank’s website.
Through a technique called web injection, it then either sends you to a fake version of the site (under the attacker’s control) or alters the real site’s pages inside your browser; either way, you are asked to log in with your banking credentials. TrickBot supports both styles: static redirection to a look-alike site, and dynamic injection, where the modified page content is fetched from the attacker’s server on the fly.
Once you log in to the fake banking website, it’s game over, you’ve just handed them the keys to your bank account. These fake websites reportedly look so authentic that a large number of people are falling for them.
And, as usual, TrickBot has evolved over the years. From banking phishing and redirection malware, it has gained the ability to steal Remote Desktop (RDP) and Virtual Network Computing (VNC) credentials, too.
It can also spread to other machines on the same network by abusing Windows file sharing (SMB), so a single point of entry is all the attackers need to compromise an entire company.
How to protect yourself from this latest tax-related malware campaign
The best thing you can do to stay safe is to NOT click on links within emails that are unsolicited. If you need to correspond with your financial institution, call its phone number listed on the back of your credit or debit card or type its web address directly into your browser.
Also, enable two-factor authentication, also known as two-step verification. This means that to log in to your account, you need two ways to prove you are who you say you are. It adds an extra layer of security and should be used whenever a site makes it available.
Many people use the same password for multiple websites. This is a terrible mistake. If your credentials are stolen on one site and you use the same username and/or password on others, it’s easy for the cybercriminal to get into each account. A password manager makes it painless to use a different password everywhere.
Unsuspecting people are mistakenly handing over sensitive information to scammers all too often. If you receive an unsolicited email, do not reply with personal information. You don’t want it to fall into the hands of criminals. If a company that you do business with on a regular basis emails you and asks for personal information, type the company’s official web address into your browser and go there directly to be safe.
How to make sure your Office macros are off
Current versions of Excel and Word have macros turned off by default, specifically to block this kind of attack. If you open a file that includes macros, Excel or Word shows a yellow security warning with an “Enable Content” button. Don’t click it; a tax form or invoice never needs macros to be readable.
Macros are small programs (written in Visual Basic for Applications) embedded in a document that run when the document is opened or when you click “Enable Content.” A malicious macro typically downloads the real payload, in this case TrickBot, and runs it; the spreadsheet itself is just the wrapper.
If you want to verify the setting in your copy of Word or Excel, open the File menu and choose “Options” (in Office 2007, click the Office button in the upper-left corner and select “Word Options” or “Excel Options”).
Select “Trust Center” in the left column and on the right click the “Trust Center Settings” button. Then select “Macro Settings” and make sure it’s set to “Disable all macros with notification.” If a file requires macros, you’ll get a notice, but macros won’t run automatically. If you never use macros, “Disable all macros except digitally signed macros” is safer still, because it removes the tempting button. Newer Office releases also block macros outright in files that came from the internet, including email attachments; leave that protection on.