Cybercriminals are taking advantage of the tax season to trick businesses into downloading malicious files, according to cybersecurity researchers from IBM’s X-Force.

The researchers discovered several ongoing tax-related campaigns, three of which in particular were targeted at businesses.

The detected emails are designed to look like part of a longer conversation that has been forwarded to the recipient. The subject line suggests that some kind of tax record is attached and encourages the user to open a Microsoft Excel attachment.




The attached files were commonly used to deliver the TrickBot malware strain through an embedded macro. TrickBot is designed to spread to other computers on the network once it infects a system, stealing valuable data, such as financial information and banking details, as it goes.

These campaigns were designed to imitate large financial services, including payroll services ADP and Paychex. Address spoofing techniques were used to make these emails appear to be from the firm that they claimed to be from. However, further analysis showed that the campaigns were being conducted using free webmail services. Email signatures complete with contact details were also present to further the appearance of legitimacy.
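A mail-triage check for the traits described above (a payroll brand in the display name, a free-webmail sending address, a macro-capable Excel attachment) might look like the following. This is an added example, not code from IBM X-Force; the brand domains, the webmail list, the finding labels and the sample message are assumptions constructed for illustration.

```python
import re
from email import message_from_string, policy
from email.message import EmailMessage
from email.utils import parseaddr

# Assumptions for illustration only: the brands' own domains and a short free-webmail list.
BRAND_DOMAINS = {"adp": {"adp.com"}, "paychex": {"paychex.com"}}
FREE_WEBMAIL = {"gmail.com", "outlook.com", "yahoo.com"}
MACRO_CAPABLE_EXCEL = (".xls", ".xlsm", ".xlsb")

def _in_domains(domain, allowed):
    return any(domain == d or domain.endswith("." + d) for d in allowed)

def triage(raw: str) -> list:
    """Return triage findings for one raw RFC 5322 message."""
    msg = message_from_string(raw, policy=policy.default)
    display, addr = parseaddr(str(msg.get("From", "")))
    domain = addr.rpartition("@")[2].lower()
    words = set(re.findall(r"[a-z0-9]+", display.lower()))
    findings = []
    # Display name claims a payroll brand, but the address is not on that brand's domain.
    for brand, legit in BRAND_DOMAINS.items():
        if brand in words and not _in_domains(domain, legit):
            findings.append(f"brand-mismatch:{brand}")
    if domain in FREE_WEBMAIL:
        findings.append("free-webmail")
    # Excel formats that can carry VBA macros (.xlsx cannot).
    for part in msg.iter_attachments():
        name = part.get_filename() or ""
        if name.lower().endswith(MACRO_CAPABLE_EXCEL):
            findings.append(f"macro-capable-excel:{name}")
    return findings

def build_sample() -> str:
    """Constructed sample message; sender, subject and file name are made up."""
    m = EmailMessage()
    m["From"] = "ADP Payroll Services <constructed-sender-0001@gmail.com>"
    m["To"] = "finance@example.com"
    m["Subject"] = "FW: tax record"
    m.set_content("Constructed body text.")
    m.add_attachment(b"placeholder, not a real workbook", maintype="application",
                     subtype="vnd.ms-excel", filename="tax_record.xls")
    return m.as_string()

if __name__ == "__main__":
    print(triage(build_sample()))
```

A message that trips all three findings at once is a strong candidate for quarantine; any single finding on its own is common in legitimate mail.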

IBM X-Force researchers noted that the campaign was more sophisticated than previous tax campaigns that they have seen, suggesting there is a complex cybercriminal organisation behind it. Likewise, similarities between the three campaigns suggest that they are all being carried out by one actor.

Cybercriminals are increasingly turning to spear phishing – highly personalised email attacks aimed at specific targets – to catch out businesses, and brand impersonation is the most common method used. Barracuda’s Spear Phishing: Top Threats and Trends Report recently found that brand impersonation is used in 83% of spear phishing attempts.

TrickBot: Targeting businesses during tax season

Businesses are currently rushing to meet the 15 April deadline and face fines if they fail to submit a return on time. Any last-minute panic presents a potentially lucrative opportunity for cybercriminals hoping to capitalise on it.

Activity from one of the campaigns was first detected on 27 January, soon after the tax season started in the United States. This is typically when businesses begin to prepare for the deadline and begin generating employee payroll information. Two further campaigns started in early March, around a month ahead of the deadline.

The researchers acknowledged that it is often difficult to assess the intended target of such campaigns. However, emails were delivered during business hours, generally between 11:45am and 3:45pm Eastern Standard Time (EST), showing that US businesses were the likely target.

Cybersecurity firm Proofpoint has issued a similar warning to businesses in the UK, having spotted a brand impersonation campaign which mimics Gov.co.uk, HMRC and IRS email addresses to trick businesses into clicking on malicious links.
