Beware the Tax Scam Tsunami: Unmasking QR Code schemes, Bogus Refunds and AI imposters – Check Point Blog

Tax-season phishing campaigns are escalating with QR-code schemes, fake refunds, and AI-assisted imposters designed to steal credentials and money. Check Point Research outlines campaigns impersonating the IRS and HMRC, malicious PDFs, lookalike domains, and dark-web markets trading stolen tax documents, to illustrate the growing threat during tax time.

Keypoints

  • Tax season is exploited by phishing and QR-code schemes to steal data and funds.
  • The Tax QR Code Attack impersonates the IRS with a malicious PDF whose QR code uses per-device redirect chains ("conditional routing"): depending on the scanning device, the victim is sent to a malware download or to a credential-harvesting page.
  • Australia and the UK see campaigns impersonating tax authorities (ATO, HMRC) with fake rebate notices and credential requests.
  • Dark web markets trade legitimate W-2 and 1040 forms, sometimes at low prices and in bulk.
  • Fraudsters advertise fraudulent refunds paid out to bank accounts, and remote desktop access to popular tax services is bought and given away on the same markets.
  • Check Point researchers demonstrated AI-assisted phishing by prompting ChatGPT for tax-scam email text and phone call scripts.

MITRE Techniques

  • [T1566.001] Spearphishing Attachment – The PDF impersonates an IRS document to lure victims into opening malicious content. ‘The PDF file seemingly impersonates an official IRS correspondence, which informs the victim that there are documents awaiting them.’
  • [T1566.002] Spearphishing Link – The QR code in the document redirects to multiple malicious sites with conditional routing based on device. ‘At the bottom of the document, there’s a QR code, which leads to several different malicious websites.’ ‘The QR code undergoes what we call conditional routing. In these attacks, the initial ask is similar, but where the redirection chain goes is quite different.’
  • [T1036] Masquerading – The PDF impersonates an official IRS document to deceive victims. ‘The PDF file seemingly impersonates an official IRS correspondence…’
  • [T1567.002] Exfiltration to Cloud Storage – This is the mapping given for the dark-web trade in stolen tax documents (W-2/1040), but note that the quoted activity is sale of documents that have already been stolen, i.e. monetisation after exfiltration, and the report does not state the channel used to exfiltrate them. ‘These documents are being sold for as high as $75 a pop, although some are offering bulk discounts as low as $10. One hacker even offered a giveaway of 50 1040 and W2 forms.’
  • [T1021.001] Remote Services: Remote Desktop Protocol – Hackers buy and give away remote desktop access to popular tax services; once bought, such access is used as a valid account rather than exploited. ‘Hackers are buying and giving away remote desktop privilege access to popular tax services.’
  • [T1566] Phishing – AI-generated phishing content and prompts demonstrate how AI can craft convincing tax scam emails. ‘Last year, Check Point researchers prompted ChatGPT to produce the text of an email that contained tax scam language…’
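The conditional routing described under T1566.002 can be verified from an isolated analysis host by resolving the QR code's URL once per device profile and comparing where each chain ends. The script below is an added example, not code from Check Point or the report: `probe_redirect_chain` follows redirects hop by hop with a chosen User-Agent (a live request, so run it only from a sandbox), and `detect_conditional_routing` flags a URL whose final host differs between profiles. The User-Agent strings and the hostnames in `SAMPLE_CHAINS` (all under the reserved `.invalid` TLD) are constructed placeholders, not indicators from the report.

```python
"""Added example: probing a QR-code URL for device-conditional routing.

Not Check Point's code. Hostnames below are constructed placeholders
(.invalid TLD), not indicators from the report.
"""
import urllib.error
import urllib.request
from urllib.parse import urljoin, urlsplit

# Assumed User-Agent strings for the device classes an attacker keys on.
# The exact strings are illustrative, not taken from the report.
UA_PROFILES = {
    "windows_desktop": "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 "
                       "(KHTML, like Gecko) Chrome/122.0 Safari/537.36",
    "iphone": "Mozilla/5.0 (iPhone; CPU iPhone OS 17_0 like Mac OS X) AppleWebKit/605.1.15 "
              "(KHTML, like Gecko) Version/17.0 Mobile/15E148 Safari/604.1",
    "android": "Mozilla/5.0 (Linux; Android 14; Pixel 8) AppleWebKit/537.36 "
               "(KHTML, like Gecko) Chrome/122.0 Mobile Safari/537.36",
}

REDIRECT_CODES = {301, 302, 303, 307, 308}


class _NoRedirect(urllib.request.HTTPRedirectHandler):
    """Returning None makes urllib raise HTTPError on 3xx instead of following,
    so every hop of the chain is observed."""

    def redirect_request(self, req, fp, code, msg, headers, newurl):
        return None


def probe_redirect_chain(url, user_agent, max_hops=10, timeout=10):
    """Follow HTTP redirects one hop at a time with the given User-Agent.

    Returns the list of URLs visited, starting with `url`. This performs live
    requests against attacker infrastructure: run only from an isolated host.
    """
    opener = urllib.request.build_opener(_NoRedirect)
    chain = [url]
    for _ in range(max_hops):
        req = urllib.request.Request(chain[-1], headers={"User-Agent": user_agent})
        try:
            with opener.open(req, timeout=timeout):
                return chain            # 2xx: final landing page reached
        except urllib.error.HTTPError as err:
            loc = err.headers.get("Location") if err.code in REDIRECT_CODES else None
            if not loc:
                return chain            # non-redirect error: chain ends here
            chain.append(urljoin(chain[-1], loc))
        except urllib.error.URLError:
            return chain                # connection failure: chain ends here
    return chain                        # hop limit hit: suspicious in itself


def host_of(url):
    """Lower-cased hostname of a URL ('' if unparsable)."""
    return (urlsplit(url).hostname or "").lower()


def detect_conditional_routing(chains):
    """chains: {profile_name: [url, ...]} as produced by probe_all().

    Returns (is_conditional, final_hosts). Routing is conditional when the
    final host differs between device profiles, which is the behaviour the
    report describes for the tax QR code.
    """
    final_hosts = {name: host_of(chain[-1]) for name, chain in chains.items()}
    return len(set(final_hosts.values())) > 1, final_hosts


def probe_all(url, profiles=UA_PROFILES):
    """Resolve the same URL once per device profile (live requests)."""
    return {name: probe_redirect_chain(url, ua) for name, ua in profiles.items()}


# Constructed sample standing in for probe_all() output: desktop scans land on
# a credential page, the Android scan on a dropper. Placeholder hosts only.
SAMPLE_CHAINS = {
    "windows_desktop": ["https://qr.lure.invalid/d", "https://login-harvest.invalid/irs"],
    "iphone": ["https://qr.lure.invalid/d", "https://login-harvest.invalid/irs"],
    "android": ["https://qr.lure.invalid/d", "https://cdn.dropper.invalid/IRS_Form.apk"],
}

if __name__ == "__main__":
    flagged, finals = detect_conditional_routing(SAMPLE_CHAINS)
    print("conditional routing:", flagged, finals)
```

Comparing only the final host is deliberate: intermediate hops (URL shorteners, tracking redirectors) often differ legitimately, whereas a landing host that changes with the device is the signature of the routing the report describes. A chain that hits the hop limit is worth triage on its own.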

Indicators of Compromise

  • [Domain] Tax-scam domains used to impersonate tax agencies – ukrefund.tax, compliance-hmrc.co.uk, and 3 more domains
  • [Domain] Additional malicious domains cited in campaigns – gnvatmyssll.online, 1w7g1.unisa0.com, and 2 more domains
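The domains above split into two kinds: lookalikes that carry an agency or "refund" keyword, and random-looking hosts that carry nothing recognisable. The heuristic below is an added example (not Check Point's code) that triages a hostname list on exactly that basis; it is run here over the domains listed on this page plus a few constructed controls. The official-domain allowlist, the keyword sets and the small public-suffix table are assumptions chosen for illustration; a real deployment would use the full Public Suffix List and a vetted allowlist.

```python
"""Added example: keyword heuristic for tax-agency lookalike domains.

Not Check Point's code. The allowlist, keyword sets and suffix table are
assumptions for illustration.
"""
import re

# Assumed official registrable domains for the agencies the report names.
OFFICIAL_DOMAINS = {"irs.gov", "gov.uk", "ato.gov.au"}

# Short keywords must match a whole token of a label (avoids 'potato' -> 'ato').
TOKEN_KEYWORDS = {"irs", "ato", "tax"}
# Longer keywords may appear anywhere inside a label ('ukrefund').
SUBSTRING_KEYWORDS = {"hmrc", "refund", "rebate"}

# Assumed multi-label public suffixes; the real PSL is far larger.
MULTI_LABEL_SUFFIXES = {"co.uk", "gov.uk", "org.uk", "com.au", "gov.au", "net.au"}


def registrable_domain(host):
    """Registrable domain (eTLD+1) using the small suffix table above."""
    labels = host.lower().strip(".").split(".")
    if len(labels) >= 3 and ".".join(labels[-2:]) in MULTI_LABEL_SUFFIXES:
        return ".".join(labels[-3:])
    return ".".join(labels[-2:])


def is_official(host):
    """True if host is, or is a subdomain of, an allowlisted official domain."""
    host = host.lower().strip(".")
    return any(host == d or host.endswith("." + d) for d in OFFICIAL_DOMAINS)


def tax_keywords_in(host):
    """Set of tax-agency keywords found in any label of the hostname."""
    hits = set()
    for label in host.lower().split("."):
        tokens = [t for t in re.split(r"[-_\d]+", label) if t]
        hits.update(k for k in TOKEN_KEYWORDS if k in tokens)
        hits.update(k for k in SUBSTRING_KEYWORDS if k in label)
    return hits


def flag_tax_lookalike(host):
    """Return (flagged, reason) for one hostname."""
    if is_official(host):
        return False, "official domain"
    hits = tax_keywords_in(host)
    if hits:
        return True, "tax-agency keyword(s) on %s: %s" % (
            registrable_domain(host), ", ".join(sorted(hits)))
    return False, "no keyword match (heuristic blind spot: random-looking hosts)"


def triage(hosts):
    """Map each hostname to its (flagged, reason) verdict."""
    return {h: flag_tax_lookalike(h) for h in hosts}


# Page-listed indicators plus constructed controls (irs-gov.com, potato.example).
SAMPLE_HOSTS = [
    "ukrefund.tax",
    "compliance-hmrc.co.uk",
    "gnvatmyssll.online",
    "1w7g1.unisa0.com",
    "www.irs.gov",
    "www.gov.uk",
    "irs-gov.com",
    "potato.example",
]

if __name__ == "__main__":
    for host, (flagged, reason) in triage(SAMPLE_HOSTS).items():
        print("%-24s %-5s %s" % (host, "FLAG" if flagged else "ok", reason))
```

The two random-looking indicators from the page (gnvatmyssll.online, 1w7g1.unisa0.com) pass this check, which is the point to take away: keyword lookalike detection catches the brand-abusing half of a campaign and nothing else, so it belongs alongside reputation, age-of-registration and the redirect-chain analysis rather than in place of them.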

Read more: https://blog.checkpoint.com/security/beware-the-tax-scam-tsunami-unmasking-qr-code-schemes-bogus-refunds-and-ai-imposters/