Sophos Cloud Optix
Many countries have taxation forms with names that have entered the general vocabulary, notably the abbreviations of documents that employers are obliged to provide to their staff to show how much money they were paid – and, most importantly, how much tax was already witheld and paid in on the employee’s behalf.
In the UK, for example, the form name P45 is often used as a synonym for getting fired, given that it’s a final tax summary that you get when you leave a job, willingly or otherwise.
In South Africa, you get an IRP5 at the end of the tax year – an archaic term that we are guessing is short for Inland Revenue/Personal, Form #5, even though the South African tax office hasn’t been called the Inland Revenue for nearly 25 years.
In the USA, the earnings form is a W-2, short for Wages and Tax Statement, Version 2. (It seems that there used to be a form W-1, but it was superseded back in the 1950s.)
Here at Naked Security, we know the names of these forms, amongst numerous others, because they often show up in tax scam emails, presumably to give those messages an air of realism.
Anyway, given that it’s the last week in January, and thus that US tax filing season is about to get underway, we weren’t surprised to receive a tax-related scam email today, and to see the W-2 form mentioned explicitly.
We were, however, intrigued by the “less is more” nature of today’s phishing message: there was no traditional call to action, just a simple request for further information.
Phishing without links
Usually, when we write about tax scams, we’re warning about traditional phishing campaigns where the idea is to trick you into “logging in” to a bogus site where your tax office account details and password get captured by cybercriminals.
Sometimes, the crooks use the high-pressure tactic of warning you that you could get into trouble if you don’t act right away (and who would willingly undertake a tax office audit?); often, however, the scam relies on the lure of a refund, like this one we received via text message a year ago:
But, as regular readers will know, quite a few cybercrime groups are moving away from pure-play “technohacks” these days, such as email scams that rely entirely on you clicking a fake link.
Instead, many cybercriminals are adopting the “human led” approach that has served criminals such as advance fee fraudsters and romance scammers so well over the years.
Ransomware scammers, for example, used to rely heavily on automatically catching out hundreds or thousands of independent victims at a time by spamming out links or attachments that directly unleashed the ransomware and then demanded somewhere from $300 to $1000 from anyone who got hit.
These days, the human-led approach means that although ransomware criminals still rely on scrambling hundreds or thousands of computers in a single attack, there’s rarely any obvious or widespread spam campaign that gives away the attack in advance.
LEARN MORE ABOUT HOW MODERN CYBERCRIMINALS ATTACK
Click-and-drag on the soundwaves below to skip to any point in the podcast.
You can also listen directly on Soundcloud, or read a full transcript of the recording.
These days, ransomware criminals typically break into (or buy their way into) your network very quietly, and then carefully plan for an attack that’s co-ordinated and kicked off manually, at a time to suit the crooks and to disadvantage you.
Similarly, tech support scammers are increasingly relying on persuading you to call them, rather than bombarding the world with spammy links or phishy attachments and then trying to filter out the people or computers that seem to respond.
Many victims are willing to call the scammers back – they often provide a convenient toll-free number, so it doesn’t even cost you anything – because it feels like a low-risk approach.
After all, hackers can’t directly push malware onto your computer or inject an exploit into your browser if you’re just talking to them.
Of course, the crooks use that to their own advantage, often giving you a level of personal attention and hand-holding that you wish you could get from other IT vendors…
…at which point, the criminals don’t need an exploit to run code on your computer, because they’ll helpfully and patiently talk you through doing that job all by yourself: they sneakily trick you into creating a cybersecurity problem for yourself under the guise of fixing one.
A little politeness goes a long way
Today’s tax scammers have done a “let’s ask nicely” job, carefully avoiding links and attachments, and presumably hoping that someone on their mailing list will be willing to reply in the hope of investigating what feels like a new business opportunity:
I actually intend to change cpa for my 2021 tax return, Would like to know if your firm is open to accept new clients for the next tax year, All my documents are completed, all I am yet to have is just my W2.
Kindly advise on how to proceed and if I can send forth all the available documents and whats are your fees for individual returns
[REDACTED]
Managing Director
(CPA is short for Certified Public Accountant, the US equivalent of what people in many Commonwealth countries refer to as a CA, or Chartered Accountant.)
On one hand, the fact that many scammers are avoiding links and attachment these days suggests that we are, as a digital society, learning to be more cautious before blindly believing in unsolicited websites or files.
On the other hand, we need to remember that engaging with a scammer in any way at all is the first step that any cybercrook wants to you take.
What to do?
Not least because it’s Data Privacy Week this week, and Data Privacy Day on Friday 28 January 2022, always keep in mind our simplest advice when deciding whether to engage with people you don’t already know online:
- Be aware before you share. Every little bit you give away about yourself makes it easier for a scammer to charm you, threaten you, or entice you into an online relationship you didn’t ask for in the first place.
- If in doubt, don’t give it out. If it feels like a scam, back yourself and assume that it is.
- No reply is a often good reply. Never feel compelled to reply out of politeness or completeness. It’s easier to stay out of a wheedler’s clutches if you don’t open the door for a reply-to-your-reply.
- Listen to friends and family. Especially when money is involved – whether it’s you sending it to a romance scammer who falsely claims to love you, or receiving it from newfound “business associates” who have fraudulently pitched you a “job” in their organisation.
Stay safe online, everyone!
“Managing Director” is a job title rarely if ever used in the United States. A big red flag for me.
Ah, I didn’t spot that… well, I did, but being non-American (and having started gainful employment before the job title ‘CEO’ took over in British English) it simply didn’t jar.
MD is a bit old fashioned as a job title these days but I’d say it’s not unusual here, especially for small, local companies where calling yourself “CEO” would sound weird, pretentious or both.
But why would someone use a company title of any kind when asking about tax services for filing a tax return for an individual? Form W2, and presumably the other forms you mention, are specifically for wages/salary individuals earn, not for business income. The request specifically asks “whats are your fees for individual returns”. Even if I were a CPA (I’m not) or someone in the business of doing tax returns (I’m not) I think I would trash that email as being highly suspect.
Or if you weren’t a CPA but were a helpful sort, you might reply just to be friendly…
…given that you might be fretting about your own CPA/W-2/tax return right now.
I didn’t find that particularly weird myself.. you can mention your job title in emails while still asking about stuff that is specific to you and not your company. (I’ve received plenty of emails in my time from people at work, from a company email address with all the corporate trimmings, in which they have expressed an interest in using our free tools at home.)
The word “fillings” in the subject line was the immediate giveaway to me.
My guess is that this person is after *any* response, perhaps especially the ones helpfully saying”I think you sent this to the wrong person”, as what you might call a “common cause” excuse for getting into an extended conversation.
Imagine how many crimes would be prevented, money saved from processing frees, the stress gone -if there were no more income tax/rebate system. Just .03% of your pay goes to taxes, no refunds, no paper work, no deadlines.
We keep improving IT, fixing bad processes and exploits. Tax systems should do the same.
Some countries are close to that system, at least for low earners and small businesses. IIRC, South Africa, for example, has a “small business” solution for local entrepreneurs: you can elect to pay tax on turnover (maximum rate is 3%), end of. Whatever profits you make, you keep. No VAT, no income tax, no capital gains tax, very little paperwork.