Beware of a wave of scams

by admin

Check Point Research warns that a wave of tax scams is coming, and that users should watch out for QR codes, fake refunds and AI scammers. Tax season is upon us, and refund notifications or payment requests from the Revenue Agency or other institutions may appear in users' mailboxes. Hackers take advantage of this moment to distribute malicious files disguised as official documents. The phenomenon is so widespread that the Internal Revenue Service (IRS) publishes the "Dirty Dozen" list every year, which describes the most widespread tax scams.

The Dirty Dozen of scams

Last year, Check Point discovered how ChatGPT creates tax-related phishing emails. This year is no different. In Italy, for example, the Postal Police have reported a widespread scam in which computer criminals send fake INPS text messages (smishing). The messages ask recipients to update their data. Users who fall for the scam click the indicated link and upload documents and selfies with their ID, for example to receive a refund, and in doing so hand their sensitive data to the criminals.

QR codes, refunds, AI

In the UK, HM Revenue and Customs (HMRC) reported over 130,000 cases of tax scams in the year to September 2023, including 58,000 fake tax rebate offers. Check Point Research has detected numerous cases of tax-related phishing and malware whose objective is to induce the end user to provide sensitive information or money.

The tax attack via QR Code

In this attack, the threat actors pose as the Internal Revenue Service. Attached to the email is a malicious PDF, with a subject like {NAME} annual tax return3x{company name}.pdf. The PDF impersonates official correspondence from the Internal Revenue Service, informing the victim that documents are pending.

Be careful with PDFs

At the bottom of the document there is a QR code that directs to several malicious websites. These sites are all verification sites, some with the 1w7g1 scheme[.]united0[.]com/6d19/{USEREMAIL} which now lead to inactive malicious sites. The QR code undergoes what we call conditional routing: across these attacks the initial request is similar, but the redirect chain that follows is very different.

The link detects how the user is reaching it and adjusts accordingly. If the user is on a Mac, for example, one link is served; if the user is on an Android phone, another is served. The end goal is the same: to install malware on the end user's endpoint while also stealing credentials. Tailoring the destination to the way the end user accesses it makes the success rate much higher.

The “Refund on the way” tax scam

In Australia there has been a phishing scam purporting to come from the "ATO Taxation Office". In reality, it was sent from an iCloud address. The subject of the email is "Refund for you – register your bank details today". The email directs the user to the link hxxp://gnvatmyssll[.]online, where they are asked to enter their credentials. Similar campaigns have also been detected in other countries. One example is a phishing website impersonating the UK government, using the malicious domain ukrefund[.]tax.

Domains that should raise the alarm

Similar campaigns were also observed using a range of domains, including:

compliance-hmrc[.]co[.]uk
hmrc-cryptoaudit[.]with hmrc-financial[.]hmrc-debit team[.]uk hmrcguv[.]site
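
As an added example (not part of the original article and not Check Point's tooling), the Python below triages a link decoded from a QR code or an email for two traits described above: agency or lure words on a non-official domain, and the recipient's address embedded in the URL. The allowlist, the token list, the recipient address and the qr-landing[.]example URL are assumptions constructed for illustration.

```python
import base64
import re
from urllib.parse import unquote, urlsplit

# Assumption: official agency domains; extend for your own jurisdiction.
OFFICIAL = ("gov.uk", "irs.gov", "ato.gov.au")
# Assumption: agency names and lure words drawn from the campaigns above.
TOKENS = ("hmrc", "refund", "irs", "ato", "tax")

def refang(indicator):
    # Undo page-style defanging (hxxp, [.]) so the value can be parsed.
    s = indicator.replace("[.]", ".").replace("hxxp", "http")
    return s if "://" in s else "http://" + s

def lure_tokens(host):
    """Long tokens match as substrings, short ones only as whole labels."""
    parts = set(re.split(r"[.-]", host))
    return sorted(t for t in TOKENS if (t in host if len(t) > 3 else t in parts))

def embeds_recipient(url, recipient):
    """True if the URL carries the address: plain, %-encoded or URL-safe base64."""
    target = recipient.lower()
    if target in unquote(url).lower():
        return True
    for token in re.findall(r"[A-Za-z0-9_-]{8,}={0,2}", url):
        try:
            raw = base64.urlsafe_b64decode(token + "=" * (-len(token) % 4))
        except ValueError:  # token is not valid base64
            continue
        if target in raw.decode("utf-8", "ignore").lower():
            return True
    return False

def triage(indicator, recipient):
    """Return the findings for one link; an empty list means nothing matched."""
    url = refang(indicator)
    host = (urlsplit(url).hostname or "").lower()
    if any(host == d or host.endswith("." + d) for d in OFFICIAL):
        return []
    hits = lure_tokens(host)
    findings = ["lure-on-unofficial-domain:" + ",".join(hits)] if hits else []
    if embeds_recipient(url, recipient):
        findings.append("recipient-in-url")
    return findings

if __name__ == "__main__":
    rcpt = "user@corp.example"  # constructed recipient
    for link in ("compliance-hmrc[.]co[.]uk", "ukrefund[.]tax",
                 "hxxps://qr-landing[.]example/6d19/user@corp.example"):
        print(link, triage(link, rcpt))
```

The gnvatmyssll[.]online link from the Australian campaign returns no findings here, which shows the limit of name-based checks: random-looking domains need reputation or domain-age signals as well.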

Refunds on sale

On the dark web, Check Point researchers have discovered a thriving market for sensitive tax documents. Hackers have been caught selling genuine W2s and 1040s belonging to real people who are unaware of what is happening. These documents sell for up to $75 each. In some cases, significant discounts are given for large purchases, and the price can drop to 10 dollars each. One hacker even offered a giveaway of 50 1040 and W2 forms.

QR codes, refunds, AI: the tactics used

Another tactic used by hackers is to offer bank accounts into which refunds can be deposited. The threat actor provides a bank account number to receive the refund, then sends the money on to other hackers, taking a small percentage of it. The last tactic is more worrying: hackers buy and give away access to popular tax services with remote administrator privileges.

ChatGPT’s tax assistant

Last year, Check Point researchers asked ChatGPT to produce the text of an email containing typical tax scam language. The result was a compelling email about the employee retention credit. Another request produced an email purporting to come from the Internal Revenue Service (IRS) regarding a refund.

How to protect yourself from scams during tax season

It is very important to remember that most tax agencies communicate directly through postal mail and not by email or telephone. However, with the proliferation of AI-generated phishing and malware campaigns, it can become nearly impossible to tell legitimate messages from illegitimate ones.

Tricks to avoid falling into the trap

Even so, there are still ways to identify phishing emails. You need to pay attention to:

Unusual attachments. Be wary of emails with suspicious attachments, such as ZIP files or documents that require macro activation.
Incorrect grammar or tone. While AI has improved the quality of phishing emails, inconsistencies in language or tone can still be red flags.
Suspicious requests. All emails requesting sensitive information or making unusual requests should be treated with skepticism.
Don’t reply, don’t click on links or open attachments. Interacting with a suspicious email only increases your risk.
Report and delete. Reporting suspicious emails before deleting them can help protect others from falling victim to similar scams.
Invest in anti-phishing solutions. Tools like Check Point Harmony Email & Collaboration Suite Security offer comprehensive protection against phishing attempts, safeguarding your digital communications.

Anti-phishing solutions

Awareness of these tax campaigns plays an important role in protecting information and data. Additionally, anti-phishing solutions can block phishing campaign attempts from email inboxes. Check Point Harmony Email & Collaboration Suite Security offers comprehensive protection for Microsoft 365, Google Workspace, and all collaboration and file sharing applications.

Tax refunds at risk

Sergey Shykevich, Threat Intelligence Group Manager, Check Point Research: "We are already starting to see a tsunami of tax scams forming. Hackers are using artificial intelligence, advanced phishing schemes and even QR codes to steal users' tax refunds. We are also detecting tax and financial documents for sale on the dark web.

While hackers try to file taxes on behalf of ordinary people in order to steal their refunds, we at Check Point Research urge people to remain vigilant and file their taxes early. Also remember that most tax agencies will communicate directly through regular mail, not via email, phone or text."
