Beware: TrickBot Malware Is on the Rise for Tax Day

Tax Day is coming up on April 15th, and cyber criminals are out to profit at many victims’ expense. Tax-themed emails carrying malware called TrickBot are landing in inboxes: the hackers impersonate payroll providers like Paychex and ADP and send malware-infected Excel documents to their recipients.

TrickBot works by exploiting network vulnerabilities to get in and steal sensitive information such as passwords and bank account details, which is then used to file fraudulent tax forms and collect the returns. Scams caused by TrickBot cost the IRS over a million in losses back in 2016.

Researchers from IBM X-Force noted how cyber criminals are using domains that look highly similar to actual payroll providers in order to deceive recipients into thinking the email is from a legitimate source.

IBM global executive security advisor Limor Kessem stated that “this campaign [is] highly targeted in its efforts to infiltrate US organizations,” and the threat from TrickBot doesn’t look like it’ll cease. Kessem goes on to explain that “TrickBot [is] one of the most prominent organized crime gangs in the bank fraud arena, [so] we…expect to see it maintain its position on the global malware chart, unless it is interrupted by law enforcement in 2019.”

Before clicking on any email link, it is highly advised to double check the legitimacy of the email by looking closely at the sender information. Hovering over an email link also allows you to check on where the URL leads before you actually click on it; just check the small window that pops up above the link to make sure the site is safe.
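The sender check described above can also be run automatically over incoming mail. The following Python code is an added example, not code from IBM X-Force or from the original article; the trusted-domain list, the typo thresholds and the sample headers are assumptions constructed for illustration.

```python
import re
from email.utils import parseaddr

# Assumption: the domains your payroll providers really send from.
TRUSTED = ("paychex.com", "adp.com")
# Digit-for-letter swaps commonly seen in look-alike names.
HOMOGLYPHS = str.maketrans("01345", "oleas")


def edit_distance(a, b):
    """Levenshtein distance: inserts, deletes and substitutions."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def classify_sender(from_header):
    """Return 'trusted', 'lookalike', 'unknown' or 'invalid' for a From: value."""
    _, addr = parseaddr(from_header)
    _, at, domain = addr.rpartition("@")
    domain = domain.lower().rstrip(".")
    if not at or not domain:
        return "invalid"
    # Only the exact domain or a true subdomain counts as trusted.
    if any(domain == t or domain.endswith("." + t) for t in TRUSTED):
        return "trusted"
    # Compare every dot/hyphen-separated token with each brand name.
    tokens = [t for t in re.split(r"[.\-]", domain.translate(HOMOGLYPHS)) if t]
    for trusted in TRUSTED:
        brand = trusted.split(".")[0]
        # Short brands (adp) need an exact token; longer ones allow typos.
        limit = (len(brand) - 1) // 3
        if any(edit_distance(tok, brand) <= limit for tok in tokens):
            return "lookalike"
    return "unknown"


if __name__ == "__main__":
    # Constructed sample headers, not taken from the real campaign.
    for hdr in ("ADP Payroll <noreply@adp.com>",
                "Paychex <billing@paych3x.example>",
                "Paychex <billing@paychex.com.billing.example>",
                "ADP <hr@adp-payroll.example>",
                "Newsletter <news@example.org>"):
        print(f"{classify_sender(hdr):10} {hdr}")
```

A `trusted` result only means the domain text matches; the From header itself can be forged, so pair this check with the message's SPF, DKIM and DMARC results.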

IRS Warns Tax Professionals About New Waves of Attack


We’re quickly approaching the October 17th deadline for tax extension filers, and with deadlines comes an increase in fraudulent activity. The Internal Revenue Service warned tax pros of a new attack by identity thieves, in which they remotely take over the practitioner’s computer. Additionally, the IRS is warning professionals and individuals about fake tax bills being sent via email.

The IRS is urging tax professionals to immediately review their security settings. They should check software settings and enact all security measures, notably those settings that require usernames and passwords. Also, pay attention to suspicious emails and remember that the IRS does not communicate via email or social platforms.

There have been approximately two dozen cases in the last 30 days, but there is no doubt the number is higher since the warning was released earlier this month. The IRS, state tax agencies and the industry are working together on a recently launched campaign, Protect Your Clients; Protect Yourself. This campaign was launched as part of the Security Summit effort to increase awareness of targeted crimes against tax professionals and their taxpayers’ data.

IRS Commissioner John Koskinen says, “This latest incident reinforces the need for all tax professionals to review their computer settings as soon as possible. Identity thieves continue to evolve and look for new areas to exploit, especially as our fraud filters become more effective. The prompt identification of these attacks is another example of the great benefits that result from the close working relationship the IRS now has with the tax industry and the states through the Security Summit initiative. Information is flowing more rapidly between our groups as we continue our efforts to protect taxpayers.”

The fake emails contain fraudulent versions of CP2000 notices for the 2015 tax year. While real CP2000 notices are quite common and arrive via USPS, the IRS does not contact taxpayers via email. If you receive one of these emailed notices, the IRS instructs you to forward it to phishing@irs.gov and then immediately delete it from your email.

Read over the following indicators:

  • These notices are being sent electronically, even though the IRS does not initiate contact with taxpayers by email or through social media platforms;
  • The CP2000 notices appear to be issued from an Austin, Texas, address;
  • The underreported issue is related to the Affordable Care Act (ACA) requesting information regarding 2014 coverage;
  • The payment voucher lists the letter number as 105C.

Below are the steps the IRS urges tax professionals to take in addition to initial security measures:

  • Run a security “deep scan” to search for viruses and malware;
  • Strengthen passwords for both computer access and software access; make sure your password is a minimum of eight digits (more is better) with a mix of numbers, letters and special characters and change them often;
  • Be alert for phishing scams: do not click on links or open attachments from unknown senders;
  • Educate all staff members about the dangers of phishing scams in the form of emails, texts and calls;
  • Review any software that your employees use to remotely access your network and/or your IT support vendor uses to remotely troubleshoot technical problems and support your systems. Remote access software is a potential target for bad actors to gain entry and take control of a machine.

The IRS reminds users to always be aware of unsolicited emails, especially those that claim to be from the IRS. Never open attachments or click links within emails if you don’t know where they’re from. Oftentimes such files can be loaded with malware or be part of a phishing scam.