ISD warns of phishing scams before tax season

As we approach tax season, ISD would like to remind people about the dangers of phishing scams related to tax preparation or the Internal Revenue Service this time of year. Read this important message from the U.S. Computer Emergency Readiness Team regarding phishing scams.

Overview
Throughout the year, scam artists pose as legitimate entities—such as the Internal Revenue Service (IRS), other government agencies, and financial institutions—in an attempt to defraud taxpayers. They employ sophisticated phishing campaigns to lure users to malicious sites or entice them to activate malware in infected email attachments. To protect sensitive data, credentials, and payment information, US-CERT and the IRS recommend taxpayers prepare for heightened risk this tax season and remain vigilant year-round.

Remain alert
Phishing attacks use email or malicious websites to solicit personal information by posing as a trustworthy organization. In many successful incidents, recipients are fooled into believing the phishing communication is from someone they trust. An actor may take advantage of knowledge gained from research and earlier attempts to masquerade as a legitimate source, including the look and feel of authentic communications. These targeted messages can trick any user into taking action that may compromise enterprise security.

Spot common elements of the phishing lifecycle

  1. A Lure: enticing email content.
  1. A Hook: an email-based exploit.
  • Email with embedded malicious content that is executed as a side effect of opening the email
  • Email with malicious attachments that are activated as a side effect of opening an attachment
  • Email with “clickable” URLs: the body of the email includes a link, which displays as a recognized, legitimate website, though the actual URL redirects the user to malicious content.
  1. A Catch: a transaction conducted by an actor following a successful attempt.
  • Unexplainable charges
  • Unexplainable password changes

Read more from the U.S. Computer Emergency Readiness Team.

Filed under: