Tax Season: Online Threat and Scam Alert!

Not to scare you, but WATCH OUT! There are over 1 Million blacklisted tax filing apps online.. some even say “H&R Block” on them, so extreme caution is a must when filing taxes! The purpose of this article is to share research and actual examples to better inform you.

Every year, when income tax season rolls around in the United States, it also means that it’s income tax scam season. The IRS again expects that more than nine out of ten tax returns will be prepared electronically this year using tax return preparation software. For cybercriminals, this means a windfall of potential victims. With people eager and emotionally invested in getting their hands on a tax return, these criminals are happy to exploit the convenience of popular e-filing systems such as H&R Block and TurboTax via phishing pages and fake mobile apps. Attackers are capitalizing by using the brand names of leading accounting firms and tax filing software to exploit users filing their taxes by creating fake mobile apps and landing pages to fool consumers into downloading malware, using compromised sites, or giving up their login credentials and credit card information. To analyze the methods threat actors will employ this tax season and where they’re targeting their malicious efforts, RiskIQ ran a keyword query of the RiskIQ Global Blacklist and mobile app database* looking for instances of terms related to the IRS and the brand names of ten of the leading tax filing software. For our research into web properties, we looked for domain infringement and phishing events for each of the tax filing services in blacklisted URLs or cause-page URLs (pages that send users to a page hosting something malicious). The findings confirmed that threat actors are using these well-known brands specifically to exploit tax season via both web and mobile.

Mobile Findings

Most official mobile apps for filing taxes are very secure — they do not store any data on a customer’s phone or device and have a host of additional security features, including password protection, multi-factor authentication, and Touch ID account authentication. However, there is a sea of fake mobile apps impersonating well-known online tax filing services that exist to fool consumers into downloading them that may be capable of stealing sensitive data or infecting them with malware or annoying adware. This mobile app impersonates an H&R Block application. The screenshot looks convincing, but it is relatively easy to tell that it’s malicious:

This H&R Block app seems perfectly legitimate in the app store, even garnering several positive reviews and ratings. However, if you look closely there are a few red flags — including the app store itself
This mobile app impersonates an H&R Block application.

First of all, there’s no developer listed for the app, which is an enormous red flag. Also, the app is hosted on the Ninestore app store, which is not a reputable store. Finally, the app requires far too many permissions that are incredibly intrusive and have nothing to do with the purported functionality of the app. These permissions include the ability to access the camera, record audio, download data without notification, and change settings. Essentially, this app can spy on everything a user does, even if they are not actively using their phone, change any setting on their phone, and download anything it wants without the user’s knowledge. While RiskIQ sees the majority of malicious applications hosted on third-party app stores, official stores run by Apple and Google have also been observed hosting malicious apps. For instance, the Google Play store led the way in hosting blacklisted apps found by RiskIQ in Q4 2018. It’s important to realize that protection by most mobile app stores is good, but not bulletproof, This H&R Block app seems perfectly legitimate in the app store, even garnering several positive reviews and ratings. However, if you look closely there are a few red flags — including the app store itself. This mobile app impersonates an H&R Block application. and even the official app stores host apps that can be dangerous. In the United States, malicious mobile apps for the IRS and tax filing services are common, but UK citizens are targeted as well. The blacklisted app hosted in the Google Play store, claims to be a helpful tax calculation software, but in reality, phishes information from users:

The app requests a very extensive list of information that could allow the attacker to take complete control of the victim.

The app requests a very extensive list of information that could allow the attacker to take complete control of the victim. Fortunately, there are ways to help reduce digital risk while choosing a mobile app for filing your income taxes. f Ensure that you are only downloading apps from official app stores such as Google or Apple. Be wary of applications that ask for suspicious permissions, like access to contacts, text messages, administrative features, stored passwords, or credit card info. Just because an app appears to have a good reputation doesn’t make it so. Rave reviews can be forged, and a high amount of downloads can merely indicate a threat actor was successful in fooling a lot of victims. Before downloading an app, be sure to take a look at the developer — if it’s not a brand you recognize or has a strange appearance or spelling, think twice. You can even do a Google search on the developer for more clues about its reputation. Make sure to take an in-depth look at each app. New developers, or developers that leverage free email services (e.g., @gmail) for their developer contact, can be big red flags — threat actors often use these services to produce mass amounts of malicious apps in a short period. Also, poor grammar in the description highlights the haste of development and the lack of marketing professionalism that are hallmarks of mobile malware campaigns.

Web Findings

Because corporate attack surfaces are changing, threat actors are also changing their methods. Since business has moved many critical financial and data transactions beyond the firewall to the open internet, attackers are following suit, directly scamming end-users with high-volume phishing and domain infringement campaigns. These attacks are cheap to execute, and they are proving to be incredibly efficient in breaching sensitive data. In 2018, RiskIQ detected approximately 1,251,936 unique phishing hosts, or nearly 3,500 a day, and a recent query of the branded terms of 20 Fortune 100 companies in my company, RiskIQ’s domain infringement detection revealed 37,000 probable instances of domain infringement over two weeks or 1,850 incidents per brand.

  • Overall, my teammates at RiskIQ found 1,235 instances of phishing targeting online tax filers and 468 Blacklisted URLs.
  • For one of the most common e-filing services, we found more than 19,500 instances of domain infringement targeting them!

The phishing page shown to the left detected via RiskIQ machine learning is a copy of an online IRS form for updating electronic tax information. The hostname, ‘e-filing,’ and the domain, ‘services,’ make for a clever combination that could easily trick users into thinking they’re on the official IRS website. The page asks for a wealth of personal, highly sensitive information including name, occupation, employer, social security number, address, and tax PIN. To combat phishing and domain threats, RiskIQ processes tons of web-related threat data every day. From various sources, we receive URLs which might be indicative of threats, which we process through our crawling infrastructure and feed through our machine-learning technology to classify each detected phishing page appropriately.

How can you protect yourself while filing your taxes online?

Protect and secure any physical device on which they are preparing taxes with firewalls, anti-virus software, and anti-spyware software. Use a trusted wifi network or VPN to file your taxes — never use public Wi-Fi. Before filing your taxes, answer these four questions:

  1. Who owns the site?
  2. Are they reputable?
  3. How long has it been around?
  4. Did I ask to be sent here?

To get more information about Tax Day threats or learn more about our research or the data used in this report, visit our blog or contact the RiskIQ research team at

Managing Partner, Hightide Advisors ( 2x CEO, 2x COO. Company builder, GTM & Biz Dev Expert, marathoner, Former IDF Sniper.