Tax refunds and stimulus checks may help individuals stem the tide of lost wages but also put them in the crosshairs of cybercriminals using scams to take advantage of distracted people in these distracting times.

The San Francisco-based, identity-based anti-phishing solution provider Valimail released findings from its “2020 Tax Scam Report,” which analyzed the public domain name system records for 200 domains likely to be impersonated for tax fraud, including the 2019 Fortune 100 (some of the largest U.S. employers), U.S. states’ departments of revenue, federal tax agencies and well-known tax preparation services. Valimail discovered the majority of these organizations lack adequate protection against email-based scams including phishing, business email compromise and W-2/personal information scams.

The report noted, “With the current coronavirus pandemic, many individuals are facing lost wages and may be counting on a tax refund or hoping for a government stimulus check to soften the blow.” Additionally, changes to federal and state tax payment deadlines, such as the recent federal filing extension to July 15, may cause confusion and make it difficult for individuals to stay on top of what is truly required of them. “The fear and uncertainty make people all the more susceptible to tax scams, and cybercriminals are unfortunately all too happy to take advantage.”

Valimail’s analysis focused on the presence and validity of Domain-based Message Authentication, Reporting and Conformance (DMARC) and Sender Policy Framework (SPF) records. The analysis showed 78% of the organizations either lack DMARC records or have an unenforced DMARC policy. However, 91% of the domains have SPF records, which indicates a willingness to implement email authentication — although SPF alone does not stop phishers from spoofing the visible “From:” field. Without DMARC at enforcement, attackers can spoof these organizations’ domains and send convincing tax-related phishing emails.
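The distinction the report draws between "missing DMARC record" and "policy not at enforcement" comes down to how a domain's `_dmarc` TXT record parses. The following is an added example (not Valimail's tooling) that classifies constructed sample records offline; the domains and records are made up, and "at enforcement" is taken here to mean `p=quarantine` or `p=reject` applied to 100% of mail, which is an assumption about the report's definition.

```python
from typing import Dict, List, Optional

# Constructed sample data (not real DNS lookups): TXT strings published at _dmarc.<domain>.
SAMPLE_DMARC_TXT: Dict[str, List[str]] = {
    "revenue.example-state.gov": [],                                       # no record at all
    "taxprep.example.com": ["v=DMARC1; p=none; rua=mailto:dmarc@taxprep.example.com"],
    "payroll.example.com": ["v=DMARC1; p=quarantine; pct=50; rua=mailto:agg@payroll.example.com"],
    "tax.example.gov": ["v=DMARC1; p=reject; sp=reject; rua=mailto:agg@tax.example.gov"],
    "broken.example.org": ["v=DMARC1 p=reject"],                           # malformed: no ';'
}

def parse_dmarc(txt: str) -> Optional[Dict[str, str]]:
    """Parse a DMARC TXT record into a tag dict, or None if it is not a valid record.
    RFC 7489: 'tag=value' pairs separated by ';', 'v=DMARC1' first, 'p' mandatory."""
    tags: Dict[str, str] = {}
    for part in txt.split(";"):
        if not part.strip():
            continue
        if "=" not in part:
            return None
        name, value = part.split("=", 1)
        tags[name.strip().lower()] = value.strip()
    if txt.split(";", 1)[0].strip().lower() != "v=dmarc1" or "p" not in tags:
        return None
    return tags

def classify(records: List[str]) -> str:
    """Return 'missing', 'invalid', 'unenforced' or 'enforced' for one domain's TXT set.
    Enforced = p=quarantine/reject at pct=100 (this example's reading of 'at enforcement')."""
    dmarc = [r for r in records if r.strip().lower().startswith("v=dmarc1")]
    if not dmarc:
        return "missing"
    if len(dmarc) > 1:        # more than one DMARC record: policy discovery fails
        return "invalid"
    tags = parse_dmarc(dmarc[0])
    if tags is None or tags["p"].lower() not in ("none", "quarantine", "reject"):
        return "invalid"
    pct_raw = tags.get("pct", "100")
    pct = int(pct_raw) if pct_raw.isdigit() else 100   # unparsable pct: RFC default 100
    if tags["p"].lower() != "none" and pct == 100:
        return "enforced"
    return "unenforced"

def summarize(domain_records: Dict[str, List[str]]):
    """Count domains per class and the share (rounded %) that is not at enforcement."""
    counts = {"missing": 0, "invalid": 0, "unenforced": 0, "enforced": 0}
    for recs in domain_records.values():
        counts[classify(recs)] += 1
    return counts, round(100 * (len(domain_records) - counts["enforced"]) / len(domain_records))
```

Running `summarize(SAMPLE_DMARC_TXT)` on the constructed set yields one missing, one invalid, two unenforced and one enforced domain, i.e. 80% not at enforcement, the same kind of figure the report gives for its 200 domains.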

“Threat actors have historically used major events to enhance their phishing attacks, and tax season is no exception,” Alexander García-Tobar, CEO and co-founder of Valimail, said. “However, we are in a unique position today: Not only is it tax season, but the COVID-19 pandemic has forced U.S. legislators to take aggressive actions to limit social interactions, and as a result many recently out-of-work individuals are facing lost wages.” García-Tobar added that these individuals may be counting on a quick tax return, or they may be confused about the recently changed tax filing deadline. “This makes people all the more susceptible to convincing tax scams, and cybercriminals are always willing to take advantage of uncertainty. Unfortunately, organizations that do not have DMARC records at enforcement are an easy target for criminals who use spoofing to launch highly convincing tax-related scams aimed at consumers or these companies’ own employees.”

Additional key findings from Valimail’s tax scam report included:

  • State tax agencies are the most vulnerable to domain spoofing: 49 of the 55 agencies analyzed are either missing DMARC records or do not have DMARC policies at enforcement.
  • Five out of the six federal agencies analyzed are protected with DMARC at enforcement, underscoring the effectiveness of practices outlined in the “2018 Homeland Security Binding Operational Directive 18-01.”
  • Of 16 tax preparation services analyzed, just 7 (44%) had DMARC protection at enforcement.
  • Seventy-seven of the 2019 Fortune 100 do not have DMARC protection at enforcement.

According to Valimail, the low overall rate of DMARC enforcement indicated that there is much work to be done to eliminate tax-related fraud and identity theft caused by domain spoofing and phishing.

The report also noted that every year the IRS publishes a list of tax-related scams and types of cyberattacks to be wary of during tax season. Phishing has been on that list, known as “the dirty dozen,” every year since 2006. While the types of attacks continue to evolve, many of them use the same underlying strategy seen across industries: impersonate a legitimate government or corporate entity, and trick the target into handing over money or valuable sensitive information.