Skip to main content

Emotet malware impersonates IRS as 2022 tax season approaches

A white padlock on a dark digital background.
(Image credit: Shutterstock.com)

As the 2022 tax season nears, numerous active phishing campaigns have been discovered impersonating the IRS to steal people’s sensitive data, and potentially - money.

One such campaign was just recently spotted by cybersecurity researchers from Cofense, which found threat actors pretending to be the Internal Revenue Service (IRS), sending out emails with tax forms and federal returns.

In most cases, the emails carry false 2021 Tax Return forms, W-9 forms, or other tax documents that are commonly being distributed this time of the year. These documents, either Word files, or Excel files, carry malicious macros, and if triggered, will download the Emotet malware.

TechRadar needs yo...

We're looking at how our readers use VPNs with different devices so we can improve our content and offer better advice. This survey shouldn't take more than 60 seconds of your time. Thank you for taking part.

>> Click here to start the survey in a new window <<

Spreading ransomware

Emotet has multiple functions, with two most basic ones being - to spread to more machines via email; and to deliver stage-two malware. Cofense says that these days, Emotet is mostly used to deliver Cobalt Strike, ransomware payloads, or SystemBC remote access Trojan. When it infects a machine, it will try to weasel its way into the inbox, and use existing email threads to re-distribute itself without raising suspicion. 

Of these threats, ransomware seems to be the most obvious one, given that Emotet is being developed by the Conti Ransomware group.

The best way to protect against these attacks is to be vigilant when opening emails or downloading attachments. The IRS never sends unsolicited emails, and will only correspond through the postal service. 

When receiving emails with attachments, or links, it is important to double-check the sender’s name and address, because that’s often the first place where a red flag can be noticed. Also, typos, poor English, and a mismatch in visual identity, can also be clues to a potential phishing attack. And finally, hovering over a hyperlinked keyword in an email gives away its actual address.

Via: BleepingComputer

Sead is a seasoned freelance journalist based in Sarajevo, Bosnia and Herzegovina. He writes about IT (cloud, IoT, 5G, VPN) and cybersecurity (ransomware, data breaches, laws and regulations). In his career, spanning more than a decade, he’s written for numerous media outlets, including Al Jazeera Balkans. He’s also held several modules on content writing for Represent Communications.