Watch out for tax scams popping up in your email inbox. They can often be rigged to secretly install malware onto your computer.
As the April 15th filing deadline approaches, IBM says it’s recently detected a wave of tax-themed phishing messages targeting both businesses and personal email addresses. The emails have been crafted to deliver a Trojan called Trickbot, which can steal bank account information from your internet sessions.
According to IBM, the scammers have been delivering the Trickbot Trojan by pretending to send emails from well-known payroll and HR firms such as Paychex and ADP. Unlike shoddy spam email campaigns, the messages from the scammers will generally be free of spelling or grammar mistakes.
The same messages will also come from legitimate-looking email addresses such as “@adpnote.com” or “@paychex.mail.” In reality, the domains are under the scammers’ control.
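A mail-filter check for the look-alike sender domains described above, as an added example that is not from IBM's report or the original article. The allow-list entries (adp.com, paychex.com), the function names and the sample headers are assumptions constructed for illustration; the display-name check goes slightly beyond the case the article describes.

```python
from email.utils import parseaddr

# Assumption: allow-list of domains each brand really sends from, kept by the mail admin.
TRUSTED = {
    "adp": {"adp.com"},
    "paychex": {"paychex.com"},
}

def split_from(from_header: str):
    """Return (display_name, domain) from a From: header, both lower-cased."""
    name, addr = parseaddr(from_header)
    domain = addr.rsplit("@", 1)[1] if "@" in addr else ""
    return name.lower(), domain.strip().rstrip(".").lower()

def classify_sender(from_header: str) -> str:
    """Classify a sender as trusted, lookalike, brand-in-display-name or unknown."""
    name, domain = split_from(from_header)
    if not domain:
        return "unknown"
    # 1. Exact allow-listed domain, or a subdomain of one.
    for good in TRUSTED.values():
        if any(domain == g or domain.endswith("." + g) for g in good):
            return "trusted"
    # 2. Brand name embedded in a label of a domain that is NOT allow-listed,
    #    e.g. "adpnote.com" or "paychex.mail". Substring matching is broad on
    #    purpose; treat a hit as a triage signal, not a verdict.
    labels = domain.split(".")
    if any(brand in label for brand in TRUSTED for label in labels):
        return "lookalike"
    # 3. Brand only in the display name, sent from an unrelated domain.
    if any(brand in name for brand in TRUSTED):
        return "brand-in-display-name"
    return "unknown"

# Constructed sample headers (not real captured mail).
SAMPLES = [
    "ADP Payroll <billing@adpnote.com>",
    "Paychex <records@paychex.mail>",
    "ADP <no-reply@mail.adp.com>",
    "Paychex Billing <info@example.net>",
    "Bob <bob@example.org>",
]

def scan(headers):
    """Return (header, verdict) pairs for a batch of From: headers."""
    return [(h, classify_sender(h)) for h in headers]

if __name__ == "__main__":
    for header, verdict in scan(SAMPLES):
        print(f"{verdict:22} {header}")
```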
“The messages were quite simple, only claiming to contain an attachment of tax or billing records,” IBM said in a report documenting the attacks. “To reinforce the illusion of legitimacy, the signatures of each of the emails mimic typical business signatures, including a name, job title and contact details, as well as mock email footers that the cybercriminals may have copied from legitimate business emails.”
Victims fooled by the official-looking emails will open the attachment, not realizing it’s been rigged to deliver the Trickbot malware to their computer. The attachment will appear as a Microsoft Excel document, but it actually contains a hidden macro that’s designed to download and execute Trickbot’s malicious code on the PC.
Although Trickbot has been largely used to steal banking login credentials from victims, it can be used to cause all kinds of mayhem. “If your computer is infected with TrickBot, the cybercriminals operating it have complete control and can do just about anything they wish on your device, including spreading to other computers on your network and emptying your company’s bank accounts, potentially costing millions of dollars,” IBM said.
The infection will also occur in the PC’s background processes, so most users probably won’t even be aware that anything is wrong. But once activated, the Trojan can take over your PC’s browser to direct you to look-alike banking webpages that the scammers have designed to steal your login information.
According to IBM, the scammers have been busy sending their tax-themed messages since late January. To stay safe, the company encourages users to disable macros by default on Office documents. If you do choose to enable macros on a document, make sure whoever sent it is a trusted source.
Microsoft has also noticed tax-themed phishing messages targeting users. Some of them will include an Office document as an attachment that even tries to trick you into enabling macros. For instance, the attachments will claim your software is out of date or needs to be updated for security purposes.