Microsoft Warns About Thousands Targeted by Tax-Themed Phishing Campaigns

On April 3rd, Microsoft reported that it observed several tax-themed phishing email campaigns that used social engineering to steal credentials and deploy malware.

As Tax Day approaches (April 15th), these malicious actors are taking advantage of people’s last-minute tax submissions to make people click on shortened URLs and QR codes containing malicious attachments without thinking.

However, this is nothing new. Cybercriminals use social engineering to steal sensitive information every year with the objective of getting the target’s money and identity.

Cybercriminals use various phishing techniques to con their targets. Some examples include:

• Email phishing: The scammer sends an email that looks legitimate, designed for the target to provide information by answering the email, entering a fake website, or installing data-stealing malware by downloading an infected attachment.
• Vishing: A scam made through the phone. The cybercriminal might try to impersonate a friend, family member, service provider you use, or a governmental organization.
• Spear phishing: An advanced kind of phishing where the malicious actor uses known information about the target to make the message even more believable.
• Whaling: Phishing attack that targets CEOs and senior executives.

In this case, the malicious actors are using email phishing as their attack method.

The criminals are trying to pass as the IRS, informing citizens that they had some kind of issue with their tax filing. Some email subjects include:

• Notice: IRS Has Flagged Issues with Your Tax Filing
• Unusual Activity Detected in Your IRS Filing
• Important Action Required: IRS Audit

The objective of this campaign is to make the message receiver download an infected PDF file that will install malware on the person’s computer.

Another known phishing campaign (sent to over 2,000 businesses) is an email with a QR code, which leads to an infected website.

There have been more campaigns, and we recommend checking Microsoft’s website to keep yourself in the loop of new cyberattacks.

Remember that the IRS won’t initiate contact with you via email about your tax filing or any other subject.

At Best Reviews, we’re security nerds! So, we use, review, and recommend all types of internet security software to help our readers stay safe online.

Although there are plenty of security apps you should keep in mind (VPN services, password managers, internet security suites, and more), to keep yourself secure during tax season, we mainly recommend:

• Tax software: By using legitimate tax software to file your taxes, you know that everything should be taken care of. Even if there is any mistake, you’ll be contacted inside the platform instead of your email.
• Antiphishing tools like Guardio: As the name indicates, this software identifies phishing emails, websites, and other formats. It sends you a warning and blocks any malicious content.

Keep safe this tax season!