Threat actors are attempting to compromise Social Security numbers with a tax phishing attack targeting small business owners and self-employed filers.
Worryingly, the social engineering scammers are likely operating with little more than a cheap email list of self-employed US residents, according to the latest advisory from Malwarebytes Labs. The report pointed out these emails could be acquired for as little as a couple of cents a piece, either on the Dark Web or from legitimate lead brokers.
The initial phishing email offers an easy link to apply for the necessary federal employee identification number (EIN) or tax identification number required for small businesses or the self-employed to file US federal income taxes by April 15.
Once the victim clicks on the link in the email, they are asked to input extensive personal information, including a Social Security number, the researchers explained.
“A compromised Social Security number poses a major problem,” the report added. “Adding a person’s SSN to the scammers’ data could create far more opportunities for identity theft and fraud,” Malware Labs said in its report.
The IRS issues both EINs and tax ID numbers for free, however, the cyberattackers saw an additional opportunity to squeeze a few extra bucks out of their targets.
“The scammers here have the audacity to charge you for the tax ID number, even though applying for an Employer Identification Number (EIN) is a free service offered by the Internal Revenue Service,” the team said.
Avoiding Tax Cyber Scams
Tax scams like these are common in the lead up to filing deadlines and raising the alarm is key to stopping their spread, according to the report’s author Pieter Arnzt, an intelligence researcher at Malwarebytes.
“Awareness is key in this instance. When people are aware that these scams exist, they’re more likely to pay attention,” Arnzt said in an emailed statement. He recommended users keep the following in mind as the tax deadline approaches:
-
Double-check the origin of the email
-
Know the rules. EIN is a free service offered by the IRS and doesn’t ask for personal information over email, text, or social media channels
-
Don’t reach out to the IRS by clicking on advertisements or search results. Instead reach out directly by typing the known legitimate address in the browser
-
Check the URL in the browser address bar against the legitimate one
“Most importantly, don’t get rushed into rash decisions,” Arnzt said. “Scammers’ favorite technique is to impose a sense of urgency and to stop the target from thinking things through.”
“An interesting youtube video that may be related to the article above”