This Off the Hook threat alert on the new IRS CP 2100 notice campaign follows up on our previous Tax Phishing Off the Hook so be sure to check that one out.
Doing taxes can be more or less overwhelming and confusing depending on the year. But taxes are always stressful, and stressful situations are a gold mine for phishing attackers. They understand that it’s common for well-intentioned taxpayers to send forms with missing information or mistakes, which will trigger notifications of changes from tax authorities. Even the legitimate messages can be hard to understand and scary given all the bureaucratic wording.
As a result, many people will just click the link and enter information as directed with little thought. This can be extremely harmful if the information falls into the hands of cybercriminals.
We are monitoring multiple new tax-related phishing attacks. This CP-2100 notice campaign phishing attack claims the user has entered an incorrect name and Taxpayer Identification Number (TIN) in their latest transfer. The real CP 2100 notice does indeed let taxpayers "know they may be responsible for backup withholding when TINs are missing from IRS records or have incorrect name/TIN combinations," according to the IRS website.
The attack email's text is sparse and not terribly well written, but the email contains a more convincing word doc attachment promising more information once the user “enables content” to see “enclosed content.”
This indicates the presence of macros, a classic attack vector through which malicious content is downloaded to the user's device. Macros are such a common malware vector that the programs used to view these documents automatically warn users about the dangers of enabling them. Therefore, attackers come up with a pretext to trick the user into enabling the macros anyway.
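Because a "please enable content" lure only works if the document actually carries a macro project, a mail gateway or analyst can check for that before anyone opens the attachment. The script below is an added example written for this post, not Hoxhunt's own tooling: it inspects the zip container that modern Word files are built on and looks for the two standard indicators of a macro-enabled document, the `word/vbaProject.bin` part and the macro-enabled main content type. The two sample documents it builds in memory are constructed for the demonstration and are not the real CP 2100 attachment; legacy binary `.doc` files are a different container and are simply reported as "not a zip" here.

```python
"""Detect VBA macro indicators in an Office Open XML (.docx/.docm) attachment.

Added example, not code from the original post. A Word document that carries
macros has a `word/vbaProject.bin` part and declares a macro-enabled content
type in `[Content_Types].xml`. The samples below are constructed in memory.
"""
import io
import zipfile

# Standard OOXML part name and content type for macro-enabled Word documents.
VBA_PART = "word/vbaProject.bin"
MACRO_ENABLED_CT = "application/vnd.ms-word.document.macroEnabled.main+xml"
PLAIN_DOCX_CT = (
    "application/vnd.openxmlformats-officedocument"
    ".wordprocessingml.document.main+xml"
)


def find_macro_indicators(doc_bytes: bytes) -> dict:
    """Return which macro indicators a Word OOXML file carries.

    Keys: 'is_zip', 'has_vba_part', 'macro_enabled_content_type'.
    Operates on raw bytes so it can run on a mail attachment before delivery.
    """
    result = {"is_zip": False, "has_vba_part": False,
              "macro_enabled_content_type": False}
    try:
        zf = zipfile.ZipFile(io.BytesIO(doc_bytes))
    except zipfile.BadZipFile:
        return result  # legacy OLE .doc, or not a document at all
    with zf:
        result["is_zip"] = True
        names = set(zf.namelist())
        result["has_vba_part"] = VBA_PART in names
        if "[Content_Types].xml" in names:
            ct_xml = zf.read("[Content_Types].xml").decode("utf-8", "replace")
            result["macro_enabled_content_type"] = MACRO_ENABLED_CT in ct_xml
    return result


def is_suspicious_attachment(doc_bytes: bytes) -> bool:
    """True when the file carries a VBA project or declares itself macro-enabled."""
    ind = find_macro_indicators(doc_bytes)
    return ind["has_vba_part"] or ind["macro_enabled_content_type"]


def _build_sample(macro: bool) -> bytes:
    """Construct a minimal OOXML container (constructed test data, not a real file)."""
    main_ct = MACRO_ENABLED_CT if macro else PLAIN_DOCX_CT
    content_types = (
        '<?xml version="1.0" encoding="UTF-8"?>'
        '<Types xmlns="http://schemas.openxmlformats.org/package/2006/content-types">'
        f'<Override PartName="/word/document.xml" ContentType="{main_ct}"/>'
        "</Types>"
    )
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("[Content_Types].xml", content_types)
        zf.writestr("word/document.xml", "<w:document/>")
        if macro:
            # Placeholder bytes standing in for a real VBA project stream.
            zf.writestr(VBA_PART, b"placeholder vba project")
    return buf.getvalue()


CLEAN_SAMPLE = _build_sample(macro=False)   # ordinary .docx, no macros
MACRO_SAMPLE = _build_sample(macro=True)    # .docm-style, macros present

if __name__ == "__main__":
    for label, data in (("clean", CLEAN_SAMPLE), ("macro", MACRO_SAMPLE)):
        print(label, find_macro_indicators(data), is_suspicious_attachment(data))
```

Flagging on either indicator rather than requiring both keeps the check robust to a file whose extension has been renamed to `.docx`: the container still reveals the VBA part. Pair the result with the message context (an unexpected "IRS notice" that asks the reader to enable content) to decide whether to quarantine.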
CP-2100 phishing attack email message
The attached document itself, pictured below, looks real enough to evoke stress as a quasi-official notice promising bad things will happen unless action is taken. It is not hard for attackers to spoof official notifications, as real examples are widely available. But such reproductions take more effort than a traditional simple, generic attack. Because phishing attacks are usually extremely cheap to execute and blasted out in huge numbers, a campaign’s success rate needn’t be high to be worth the criminal’s time. So these slightly more sophisticated attacks are less common than one might think. And because they are less common, they may have an outsized success rate, as people are unprepared for them.
cp-2100 notice campaign phishing attachment
This message contains two classic social engineering tactics: manipulating user curiosity, and creating a false sense of urgency and stress. The user’s curiosity is raised with the message’s vagueness. Because the message reveals little information beyond potential costs to the user, it is much more likely the user will open the attachment to learn more. After opening, the attachment contains a request to enable macros, or “content” as it’s called in this case. This is the user’s last chance to back out.
But the attached document itself might push the user’s curiosity beyond the point of no return. Thoroughly manipulated, they would then enable the macros and thereby open the gates to a malicious content download. Curiosity killed the cat, and that saying is particularly true for phishing. While in a tax phishing attack no cats are harmed, the same can’t be said for the privacy of your, and possibly your whole organization’s, data.
Another social engineering trick in this attack is the creation of a false feeling of urgency. In this case the deadline for acting on this message is “30 calendar days,” which might feel urgent to some, especially those who struggle to understand it and require time to respond appropriately.
The feeling of urgency is a commonly used tactic in phishing because it effectively plays on human psychology. Urgency can be fabricated with fake deadlines and the threat of consequences for not doing as told. The message might threaten the user with forfeiting money, or losing data or privileges to services, etc. Threats of loss can be an effective way to stress people into forgetting their security training and acting hastily.
This particular attack is seen in North America, but tax phishing attacks are seen all over the world. The stress and confusion surrounding taxes are a universal experience.
Malicious messages are sometimes hard to spot by reading the message alone, especially if the message is about something unexpected. But even if you are expecting a message, you should still exercise caution: it might just be a lucky break for an attacker whose timing hits just right. Attackers mimic the most commonly received messages from the most commonly used services in their phishing campaigns.
When receiving suspicious or unexpected messages it is a good practice to:
Modern technology has made filing taxes so much easier. Unfortunately it also has made tax phishing attacks much easier, too. Remember to exercise caution when you get a tax notice, and remember your security training. Don’t let threats and deadlines swallow your logical thinking. They won’t actually bite. Stay safe and Off the Hook.
Our Threat Analysis Team examines tens of thousands of reported phishing emails a week, including ones like these, and has captured tens of millions of threats to date. They cluster the threats, rate them, and incorporate the nasty ones into our training simulations in real time to ensure our training stays at the cutting edge of the constantly evolving threat landscape. Hoxhunt users are thus drilled on spotting and reporting the latest actual threats making the rounds, removing potentially catastrophic threats from your system with every push of the Hoxhunt reporting button. Read more to learn how to equip your employees with the awareness training that will protect your company from phishing scams.