While the IRS filing deadline may have been extended to July 15, that hasn’t dissuaded cybercriminals from leveling tax-related phishing attacks.
According to a Valimail report, 78 percent of organizations they analyzed are not protected with Domain-based Message Authentication, Reporting and Conformance (DMARC) at enforcement, which leaves them vulnerable to impersonation-based tax scams.
Valimail analyzed the public Domain Name System (DNS) records for 200 domains that it said were most likely to be impersonated for tax fraud, including the 2019 Fortune 100, state Departments of Revenue, Federal tax agencies, and major tax preparation services. The majority of those domains were vulnerable to phishing, business email compromise, and W-2 or personal information scams.
The report largely focused on whether organizations were using DMARC and Sender Policy Framework (SPF) records. While the vast majority of organizations did not have DMARC set to enforcement, the report did find that 91 percent of domains have SPF records. Valimail said that this “indicates a willingness to implement email authentication,” but noted that SPF alone does not stop phishers from spoofing the “From:” field in emails. “Without DMARC at enforcement, attackers are able to spoof these organizations’ domains and initiate convincing tax-related phishing attacks,” Valimail explained.
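The distinction the report draws, that SPF checks the envelope sender while DMARC additionally requires that identity to align with the visible “From:” header and then applies a published policy, is easy to see in code. The following is an added example, not code from Valimail or the report: it parses DMARC TXT records, classifies a domain as missing, monitor-only (p=none), partially enforced (pct below 100) or at enforcement (p=quarantine/p=reject), and then walks through a constructed spoof in which the envelope sender passes SPF for an unrelated domain while the header shows the victim. All DNS records and domain names are constructed (.example names), and the organizational-domain helper is a deliberate simplification of the Public Suffix List lookup real receivers perform.

```python
from typing import Optional

# Constructed sample DNS data (RFC 2606 .example names, not real domains).
# Keyed by the TXT record name a resolver would query: _dmarc.<domain>.
SAMPLE_DNS = {
    "_dmarc.state-revenue.example": "v=DMARC1; p=none; rua=mailto:dmarc@state-revenue.example",
    "_dmarc.taxprep.example": "v=DMARC1; p=reject; rua=mailto:reports@taxprep.example",
    "_dmarc.bank.example": "v=DMARC1; p=quarantine; pct=20",
}


def parse_dmarc(txt: str) -> dict:
    """Split a DMARC TXT record into a tag=value dict (RFC 7489 section 6.3)."""
    tags = {}
    for part in txt.split(";"):
        part = part.strip()
        if not part:
            continue
        if "=" not in part:
            raise ValueError(f"malformed tag: {part!r}")
        key, value = part.split("=", 1)
        tags[key.strip().lower()] = value.strip()
    if tags.get("v") != "DMARC1" or "p" not in tags:
        raise ValueError("not a valid DMARC record")
    return tags


def classify(domain: str, dns: dict = SAMPLE_DNS) -> str:
    """Return 'missing', 'invalid', 'monitor', 'partial' or 'enforcement'.

    'enforcement' follows the report's usage: p=quarantine or p=reject.
    'partial' (pct below 100) is an added distinction, since a sampled
    policy still lets some spoofed mail through.
    """
    txt = dns.get(f"_dmarc.{domain.lower()}")
    if txt is None:
        return "missing"
    try:
        tags = parse_dmarc(txt)
    except ValueError:
        return "invalid"
    policy = tags["p"].lower()
    if policy not in ("quarantine", "reject"):
        return "monitor"
    if int(tags.get("pct", "100")) < 100:
        return "partial"
    return "enforcement"


def organizational_domain(domain: str) -> str:
    """Simplification: last two labels. Real receivers use the Public Suffix List."""
    return ".".join(domain.lower().rstrip(".").split(".")[-2:])


def dmarc_disposition(from_header_domain: str, spf_pass_domain: Optional[str],
                      dkim_pass_domain: Optional[str], tags: dict) -> str:
    """Apply DMARC identifier alignment (pct sampling is ignored here).

    SPF is evaluated against the envelope MAIL FROM domain; DMARC additionally
    requires that domain (or the DKIM d= domain) to align with the RFC5322.From
    header domain. Returns 'pass', or the policy the receiver should apply.
    """
    def aligned(domain: Optional[str], mode: str) -> bool:
        if not domain:
            return False
        if mode == "s":  # strict alignment: exact match
            return domain.lower() == from_header_domain.lower()
        return organizational_domain(domain) == organizational_domain(from_header_domain)

    if aligned(spf_pass_domain, tags.get("aspf", "r").lower()) or \
       aligned(dkim_pass_domain, tags.get("adkim", "r").lower()):
        return "pass"
    return tags["p"].lower()


def spoof_outcome(victim_domain: str, dns: dict = SAMPLE_DNS) -> str:
    """Outcome for a constructed spoof: the envelope sender is an unrelated
    domain whose own SPF record passes, but From: shows the victim domain."""
    txt = dns.get(f"_dmarc.{victim_domain}")
    if txt is None:
        return "delivered (no DMARC record)"
    tags = parse_dmarc(txt)
    result = dmarc_disposition(victim_domain, "mailer.unrelated.example", None, tags)
    return {"pass": "delivered", "none": "delivered (monitor only)",
            "quarantine": "quarantined", "reject": "rejected"}[result]


if __name__ == "__main__":
    for d in ("state-revenue.example", "taxprep.example", "bank.example", "nodmarc.example"):
        print(f"{d:24} DMARC: {classify(d):12} spoof attempt: {spoof_outcome(d)}")
```

The point of `spoof_outcome` is the one the report makes: SPF passes because the envelope domain is legitimately the unrelated sender's, so only a DMARC record at p=quarantine or p=reject changes what happens to the message. A p=none record, like the constructed state-revenue.example one, only produces aggregate reports (the rua= address), which is also why a broken reporting address alone can keep a domain out of enforcement.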
In terms of how the public and private sectors performed, the Federal government came out on top, with state tax agencies being the most vulnerable. Five out of the six Federal agencies surveyed are protected with DMARC at enforcement – in line with the 2018 Homeland Security Binding Operational Directive 18-01. The report noted that the only Federal domain not set to enforcement, which belonged to a Congressional committee, is in that state because the email domain designated to receive DMARC aggregate reports isn’t “configured properly.”
However, the majority of state tax agencies surveyed – 49 out of 55 – are either missing DMARC records or don’t have DMARC policies at enforcement. In the private sector, 44 percent of tax preparation services analyzed are protected with DMARC at enforcement, while 77 of the 2019 Fortune 100 are not protected at enforcement.
Alexander García-Tobar, CEO and co-founder of Valimail, said that the ongoing COVID-19 pandemic leaves individuals more exposed to phishing and other scams. He explained that cybercriminals have often capitalized on major events – such as tax season – to launch their phishing attacks.
“However, we are in a unique position today: Not only is it tax season, but the COVID-19 pandemic has forced U.S. legislators to take aggressive actions to limit social interactions, and as a result, many recently out-of-work individuals are facing lost wages,” he explained. “These individuals may be counting on a quick tax return, or they may be confused about the recently changed tax filing deadline.” He continued, “This makes people all the more susceptible to convincing tax scams, and cybercriminals are always willing to take advantage of uncertainty. Unfortunately, organizations that do not have DMARC records at enforcement are an easy target for criminals who use spoofing to launch highly convincing tax-related scams aimed at consumers or these companies’ own employees.”