As the tax year rolls over into 2019/20, cybercrims have started belching out phishing emails and tax-themed malware, according to infosec researchers.
Proofpoint, one of those companies which keeps a close eye on the world of online badness, "observed the expected seasonal increase in tax-themed campaigns" as Q4FY19 clicked over into Q1FY20, with this year seeing ever more remote-access trojans (RATs) being deployed in the hope of stealing finance-related login details from unwitting marks.
"Actors utilized social engineering techniques in subject lines, spoofed emails addresses, and 'decoy' links that led to the websites of legitimate government tax offices, many of which were outside of the US," the American infosec firm said in a statement.
Observed attacks target taxpayers in the UK, US, Australia, France, and Canada, among others, using items such as the old-fashioned booby-trapped Word document as well as forged emails appearing to be from tax authorities and offering juicy links to click.
"Taxpayers should be wary of convincing-looking emails from cybercriminals, which use social engineering in subject lines, spoofed email addresses, and 'decoy' links to convince victims to disclose tax information," warned Proofpoint.
Kevin Epstein, the company's veep of threat ops, sighed: "This year we observed a seasonal increase in a tax-specific trend that Proofpoint first identified in 2018, the distribution of a variety of remote access Trojans (RATs) including Orcus Rat, Remcos RAT, and NetWire. And they aren't limited to the United States; we've recently observed threat actors targeting taxpayers in the UK, Australia, France, and Canada with these lures as well."
The best advice going is to contact your local friendly tax office directly if you're trying to give them money (or claw back what's rightfully yours). Avoid clicking links in emails or talking to anyone over the phone who rings you up out of the blue. And, for pity's sake, don't open random Word documents and start following "decryption" instructions or executing macros. ®
Sponsored: Webcast: Ransomware has gone nuclear