March 2, 2017

Tax-themed threats continue to spread during the tax season

Roland Dela Paz Security Researcher

Since late last year, multiple warnings have been issued to the public regarding tax-related fraud campaigns. Last month, a warning was issued to Northwich residents in the UK regarding a HM Revenue & Customs (HMRC) phishing scam, while the Internal Revenue Service (IRS) issued a similar warning to US tax payers.

Forcepoint Security Labs™ have observed a similar trend in our telemetry. Small to medium-sized tax-themed email campaigns have constantly appeared since the start of this year. 

For instance, just last week, our telemetry captured the following phishing email sent to some 700 recipients from the UK:

Clicking the hyperlink in the email then leads to the following phishing site:

Entering your details then leads to another page asking for more personal information:

Ultimately, this leads to the crooks not only obtaining victims' personal information but also their credit card details:


Similar campaigns with different themes were also observed. The following email pretends to come from the United States IRS commissioner, John Koskinen, as a social engineering attempt to lead users to phishing and fraudulent activities:

Meanwhile, another campaign targeted Australian users and used the Australian Taxation Office as a phishing bait:

The following chart shows the trend of tax-themed malicious emails from January 1, 2017 up to February 28, 2017. A huge spike can be observed from earlier this week:

The top 50 top-level domain (TLD) of the email recipients provides us an insight to the targeted regions and verticals:

In the above pie chart, we can see that United Kingdom is the most targeted, followed by Australia. Ireland, United States, France and Canada also appeared the top six most targeted regions. Additionally, the Government and Education sectors can be seen being targeted, albeit in smaller numbers.

Protection statement

Forcepoint™ customers are protected against this threat via TRITON® ACE at the following stages of attack:

Stage 2 (Lure) - Malicious emails and phishing sites associated to tax scams are blocked


Given their financial status, tax payers are attractive targets for cyber criminals and this may explain why tax-related threats are prevalent today. It is also important to note that, aside from phishing and fraud, tax-themed malicious emails are also heavily used for spreading malware.

Users can avoid falling victim to such scams by keeping themselves updated with public warnings and being vigilant on activities concerning taxes. Tax-related processes are typically documented on government websites and any activities outside that, especially those requiring extensive personal information, should serve as a red flag. Furthermore, tax payers can always reach out to their local government to verify a tax-related activity, if unsure of its source.

The following are government websites that can be used as reference for preventing tax-related threats.

HM Revenue & Customs


Internal Revenue Service


Australian Taxation Office


About Forcepoint

Forcepoint is the leading user and data protection cybersecurity company, entrusted to safeguard organizations while driving digital transformation and growth. Our solutions adapt in real-time to how people interact with data, providing secure access while enabling employees to create value.