Threat actors are attempting to compromise Social Security numbers with a tax phishing attack targeting small business owners and self-employed workers.
Worryingly, the social engineering scammers probably operate with little more than a cheap email list of self-employed US residents, according to the latest warning from Malwarebytes Labs. The report points out that these email addresses can be acquired for as little as a couple of cents apiece, both on the Dark Web and from legitimate lead brokers.
The initial phishing email offers a simple link to request the Federal Employer Identification Number (EIN) or Taxpayer Identification Number that small businesses and self-employed individuals need to file U.S. federal income taxes by April 15.
Once the victim clicks on the link in the email, they are asked to enter numerous pieces of personal information, including a Social Security number, researchers explained.
“A compromised Social Security number represents a serious problem,” the report adds. “Adding a person’s SSN to scammers’ data could create many more opportunities for identity theft and fraud.”
The IRS issues both EINs and Taxpayer Identification Numbers for free. However, the cyber attackers saw an additional opportunity to squeeze some extra money out of their targets.
“The scammers here have the audacity to charge you for your tax identification number, even though requesting an employer identification number (EIN) is a free service offered by the Internal Revenue Service,” the team said.
Avoid tax cyber scams
Tax scams such as these are common in the run-up to submission deadlines, and raising the alarm is key to stopping their spread, according to report author Pieter Arntz, an intelligence researcher at Malwarebytes.
“Awareness is key here. When people are aware that these scams exist, they are more likely to pay attention,” Arntz said in an emailed statement. Arntz advised users to keep the following in mind as the tax deadline approaches:
- Double check the source of the email
- Know the rules: requesting an EIN is a free service offered by the IRS, and the IRS does not ask for personal information via email, text, or social media channels
- Do not contact the IRS by clicking on advertisements or search results. Instead, go to it directly by typing the known legitimate address into your browser
- Check the URL in your browser’s address bar against the legitimate one
“The most important thing is not to make hasty decisions,” Arntz said. “The scammers’ favorite technique is to impose a sense of urgency and prevent the victim from thinking things through.”