Tax form names in many countries have entered the common vocabulary, specifically abbreviations for the documents employers are obliged to provide their employees to show how much money they have earned – and most importantly, how much tax has been withheld and paid on behalf of employees.
For example, in the UK, the form name P45 Often used as a synonym for fired because this is the final tax summary you voluntarily or otherwise obtain when you leave.
In South Africa you will get a IRP5 At the end of the tax year – an old term we guessed at is acronym Tax/Personal, Form #5, although the South African Revenue Service has not been known as the Revenue Authority for almost 25 years.
In the US, the income statement is W-2, shortage Payroll and Tax Statements, 2nd Edition. (It seems there used to be a W-1 form, but it was superseded in the 1950s.)
At Naked Security, we know the names of these forms, and many others, because they appear frequently in tax scam emails, presumably to give the messages an air of realism.
In any case, given that it’s the last week of January and thus the start of US tax filing season, we’re not surprised to receive a tax-related scam email today and see the explicit mention of the W-2 form.
However, we are intrigued by the “less is more” nature of today’s phishing messages: there is no traditional call to action, just a simple request for more information.
Phishing without links
Typically, when we write about tax scams, we warn about traditional phishing campaigns designed to trick you into “logging in” to fake websites where your tax office account details and passwords can be captured by cybercriminals.
Sometimes scammers use high-pressure tactics to warn you that you could get into trouble if you don’t act right away (who wants to be audited by the tax office?); however, such scams often rely on the lure of a refund, as we were once Received this one via text message years ago:
However, as regular readers know, quite a few cybercriminal groups these days are moving away from pure “technical hacking” such as email scams that rely entirely on you to click on fake links.
Instead, many cybercriminals are taking the “human-led” approach that has served criminals such as prepaid fee fraudsters and romance scammers for years.
For example, ransomware scammers used to rely heavily on spamming links or attachments that drop ransomware directly, automatically catching hundreds or thousands of unique victims at a time, and then demanding anywhere from $300 to $1,000 to anyone attacked .
Today’s human-led approach means that while ransomware criminals still rely on disrupting hundreds or thousands of computers in a single attack, it’s rare for any apparent or widespread spam campaign to reveal an attack in advance.
Learn more about how modern cybercriminals attack
Click and drag the sound waves below to jump to any point in the podcast.
you can also listen directly On Soundcloud, or read the full transcript of the recording.
These days, ransomware criminals typically break into (or make their way into) your network very quietly and then carefully plan a manually coordinated and launched attack to accommodate the crooks and put you at a disadvantage.
Likewise, tech support scammers are increasingly reliant on convincing you to call them, rather than bombarding the world with spam links or phishing attachments and then trying to filter out the people or computers that seem to respond.
Many victims are willing to call the scammers back — they usually provide a handy toll-free number, so it won’t even cost you anything — because it feels like a low-risk approach.
After all, hackers can’t push malware directly onto your computer or inject exploits into your browser if you’re just talking to them.
Of course, scammers will use this to their own advantage, usually by giving you a level of personal attention and hand-holding that you’d expect from other IT vendors…
…at this point, criminals don’t need to exploit vulnerabilities to run code on your computer because they’ll help you and patiently convince you to do the job yourself: they’re secretly tricking you into making cybersecurity for themselves The problem is repaired under the guise of one.
A little courtesy goes a long way
Tax scammers today have done a “let’s ask” job, carefully avoiding links and attachments, and presumably hoping that someone on their mailing list would be willing to reply, in hopes of investigating what feels like a new business opportunity:
I’m actually planning to change the cpa for my 2021 tax return, wondering if your company is willing to accept new clients for the next tax year, all my paperwork is done, all I have is my W2.
Please advise how to proceed and if I can send all available documents and what is your personal return fee
[REDACTED]
managing Director
(CPA is CPA, the U.S. equivalent of what people in many Commonwealth countries call CA, or Chartered Accountant.)
On the one hand, the fact that many scammers are avoiding links and attachments these days shows that, as a digital society, we are learning to be more cautious before blindly trusting unsolicited websites or files.
On the other hand, we need to remember that dealing with scammers in any way is the first step any cyber scammer wants you to take.
what to do?
Especially since this week is Data Privacy Week and Data Privacy Day on Friday, January 28, 2022, when deciding whether to interact with people you don’t know online, always keep our simplest advice in mind:
- Please note before sharing. Every bit of information you reveal makes it easier for scammers to lure you, threaten you, or lure you into an online relationship that you didn’t ask for in the first place.
- If in doubt, don’t give it. If it feels like a scam, stand by yourself and assume it’s a scam.
- No reply is usually a good reply. Never be forced to reply because of politeness or completeness. If you don’t open the door to reply to your reply, it’s easier to stay out of the clutches of scammers.
- Hear from friends and family. Especially when money is involved – whether you’re sending it to a romantic scammer who falsely claims to love you, or receiving it from a newfound “business associate” who cheats in their organization Sexually sells you a “job”.
Be safe online everyone!
