Full Report
Artificial Intelligence has supercharged an array of tax-season scams this year, with fraudsters using deepfake audio and other techniques to trick taxpayers into sending them money and financial documents.
Analysis Summary
# Tool/Technique: AI-Enabled Voice Phishing (Deepfake Audio)
## Overview
The use of generative AI and deepfake audio technology by cybercriminals to impersonate trusted figures, such as tax preparers, accountants, or IRS agents, in order to deceive victims into divulging sensitive financial information or funds during tax season.
## Technical Details
- Type: Technique/Attack Methodology enhancement
- Platform: Voice communication channels (phone calls) and potentially video platforms.
- Capabilities: Creating highly convincing, personalized audio impersonations; scaling scam operations; increasing the believability of social engineering attacks.
- First Seen: Mentioned as a "worrying update" for the current tax season (implied recent acceleration).
## MITRE ATT&CK Mapping
- T1566 - Phishing
- T1566.004 - Spearphishing Voice (added in ATT&CK v14; the cloned voice is the lure)
- T1598.004 - Phishing for Information: Spearphishing Voice (when the call harvests SSNs or credentials rather than delivering a payload)
- T1566.002 - Spearphishing Link (used to direct victims to a site after voice engagement)
*Note: Deepfake audio changes the believability of the lure, not the technique; references that predate the voice sub-techniques map vishing to the parent T1566.*
## Functionality
### Core Capabilities
- Voice replication: Mimicking the voice of a known individual (tax preparer, family member, IRS agent).
- Impersonation: Luring victims over the phone by sounding like a trusted official.
- Information Harvesting: Prompting victims to hand over sensitive financial information, Social Security numbers, or tax credentials.
### Advanced Features
- **Scalability and Believability:** Generative AI enhances the realism and volume of social engineering attacks.
- **Contextual Lures:** Using previously stolen personal information to lend credence to the scam scenario (e.g., referencing specific tax issues).
## Indicators of Compromise
- File Hashes: N/A (Focus is on real-time audio interaction)
- File Names: N/A
- Registry Keys: N/A
- Network Indicators: Calling numbers can be tracked, but caller ID is trivially spoofed, so a number alone is a weak indicator; the tooling used to generate the audio is not observable from the victim's side and is not reported here.
- Behavioral Indicators: Urgent demands for information over the phone; a caller asking the victim to create an online IRS account or to share access to an existing one; unusually polished voice impersonation of a known person.
## Associated Threat Actors
- General cybercriminals exploiting tax season lures.
- Threat actors looking to scale phishing operations.
## Detection Methods
- Signature-based detection: Not directly applicable to real-time audio unless specific audio artifacts are identified.
- Behavioral detection: Analyzing call duration, unusual time of contact, and deviation from known communication patterns of legitimate organizations (e.g., the IRS generally does not initiate contact via unexpected phone calls demanding immediate credentials).
- YARA rules: Not applicable.
## Mitigation Strategies
- Verify identities through secondary, secure channels (e.g., call back the known accountant/office number, do not use numbers provided by the caller).
- Treat urgency as a red flag: pause and verify out of band before acting on any time-pressured demand, whether it arrives by phone or email.
- Be wary of requests to share Social Security numbers or tax credentials over an unsolicited call.
- Agree a verification question or codeword in advance with tax preparers and family members; a few seconds of public audio (a voicemail greeting, a social media clip) is enough to clone a voice, so recognising the voice is no longer verification. Reverse image/video search helps only when the lure includes video or still images; for audio, fall back to the callback check above.
## Related Tools/Techniques
- Deepfake Video Generation (mentioned as a related adversarial use case).
- Voice Cloning Software (Underlying technology).
***
# Tool/Technique: AI-Generated Phishing Emails (Tone/Style Mimicry)
## Overview
Cybercriminals are leveraging generative AI to create highly convincing, targeted phishing emails that accurately mimic the tone, style, and language often associated with official IRS communications or trusted third parties like tax advisors.
## Technical Details
- Type: Technique/Attack Methodology enhancement
- Platform: Email (SMTP)
- Capabilities: Creating highly accurate text-based lures; increasing open and click-through rates; personalization at scale.
- First Seen: Accelerated deployment observed during the recent tax season.
## MITRE ATT&CK Mapping
- T1566 - Phishing
- T1566.001 - Spearphishing Attachment
- T1566.002 - Spearphishing Link (the QR code encodes a URL that the victim's phone follows)
## Functionality
### Core Capabilities
- Generating emails with subject lines designed to evoke urgency or concern (e.g., "Notice: IRS Has Flagged Issues with Your Tax Filing").
- Mimicking the specific jargon and tone of IRS or tax professional correspondence.
### Advanced Features
- Creating malicious PDF attachments often containing QR codes that link to malware.
- Targeting specific organizational sectors heavily involved in tax filing (Engineering, IT, Consulting).
## Indicators of Compromise
- File Hashes: Malicious PDF attachments linked to QR codes (specific hashes not provided).
- File Names: IRS-related file names used for attachments.
- Registry Keys: N/A
- Network Indicators: The URLs encoded in the QR codes, which lead to credential-harvesting pages or malware downloads (no specific indicators are provided in this report; defang any that are shared).
- Behavioral Indicators: Emails that appear legitimate but carry a QR code in an attachment or inline image instead of a clickable link, moving the lure to the victim's phone where gateway URL rewriting and reputation checks do not apply; attachments that demand immediate action.
## Associated Threat Actors
- Threat actors running large-scale phishing campaigns targeting US organizations and CPAs.
## Detection Methods
- Signature-based detection: Identifying known malicious attachment hashes; scanning for known malicious URLs found via QR code scanning.
- Behavioral detection: Flagging emails from external senders claiming urgent IRS action, especially those containing embedded QR codes leading to external sites.
- YARA rules: Applicable for detecting specific text strings or attachment structures common in these campaigns.
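An added example (not from the original report) of the behavioral detection above: a Python triage routine that scores RFC 822 messages on the indicators listed, an external sender whose display name claims the IRS, an urgency-laden IRS subject, a tax-themed attachment name, and a "scan the QR code" lure paired with a PDF or image attachment but no inspectable link. The trusted-domain set, the score weights, the quarantine threshold and the two sample messages are constructed assumptions for the demo; decoding the QR image itself would need a separate decoder library and is not shown.

```python
import re
from email import policy
from email.message import EmailMessage
from email.parser import BytesParser
from email.utils import parseaddr

# Domains the IRS actually sends from: an assumed allow-list, tune it locally.
TRUSTED_SENDER_DOMAINS = {"irs.gov"}

IRS_CLAIM_RE = re.compile(r"\b(IRS|Internal Revenue Service)\b", re.I)
URGENCY_RE = re.compile(
    r"\b(immediate(ly)?|urgent|within 24 hours|final notice|flagged|"
    r"suspend(ed)?|penalt(y|ies))\b", re.I)
# "Scan the attached QR code": the lure that replaces a clickable link.
QR_LURE_RE = re.compile(r"\b(scan|use)\b[^.\n]{0,40}\bQR\b", re.I)
HTTP_LINK_RE = re.compile(r"https?://", re.I)


def score_message(raw: bytes) -> dict:
    """Score one raw message; returns the indicators that fired and the total."""
    msg = BytesParser(policy=policy.default).parsebytes(raw)
    hits = {}

    display, addr = parseaddr(msg.get("From", ""))
    domain = addr.rsplit("@", 1)[-1].lower() if "@" in addr else ""
    if IRS_CLAIM_RE.search(display) and domain not in TRUSTED_SENDER_DOMAINS:
        hits["irs_claim_from_external_domain"] = 3  # weights are assumed values

    subject = msg.get("Subject", "")
    if IRS_CLAIM_RE.search(subject) and URGENCY_RE.search(subject):
        hits["urgent_irs_subject"] = 2

    body_part = msg.get_body(preferencelist=("plain", "html"))
    body = body_part.get_content() if body_part else ""
    attachments = [(p.get_content_type(), p.get_filename() or "")
                   for p in msg.iter_attachments()]
    has_visual_attachment = any(
        ctype == "application/pdf" or ctype.startswith("image/")
        for ctype, _ in attachments)
    # QR lure: instructs the user to scan a code carried in an image/PDF and
    # offers no URL, so gateway link rewriting and URL reputation never see it.
    if QR_LURE_RE.search(body) and has_visual_attachment and not HTTP_LINK_RE.search(body):
        hits["qr_code_lure_without_link"] = 3

    if any(re.search(r"\b(irs|tax)", name, re.I) for _, name in attachments):
        hits["tax_themed_attachment_name"] = 1

    return {"score": sum(hits.values()), "hits": hits, "from_domain": domain}


def triage(raw: bytes, threshold: int = 5) -> str:
    """Map the score to a gateway action; the threshold is an assumed tuning value."""
    score = score_message(raw)["score"]
    if score >= threshold:
        return "quarantine"
    return "flag" if score > 0 else "deliver"


def build_sample_phish() -> bytes:
    """Constructed sample: external sender posing as the IRS with a QR-code PDF."""
    m = EmailMessage()
    m["From"] = "IRS Compliance Division <notices@irs-refund-center.example>"
    m["To"] = "payroll@example.com"
    m["Subject"] = "Notice: IRS Has Flagged Issues with Your Tax Filing - Immediate Action"
    m.set_content("Our records show a discrepancy with your filing. "
                  "Scan the attached QR code within 24 hours to avoid penalties.")
    m.add_attachment(b"%PDF-1.4 constructed placeholder, not a real document",
                     maintype="application", subtype="pdf",
                     filename="IRS_Notice.pdf")
    return bytes(m)


def build_sample_benign() -> bytes:
    """Constructed sample: an ordinary internal message with a PDF and a real link."""
    m = EmailMessage()
    m["From"] = "Jane Doe <jane@example.com>"
    m["To"] = "payroll@example.com"
    m["Subject"] = "Q1 payroll schedule"
    m.set_content("Attached is the payroll calendar for next quarter; details are "
                  "at https://intranet.example.com/payroll.")
    m.add_attachment(b"%PDF-1.4 constructed placeholder",
                     maintype="application", subtype="pdf",
                     filename="payroll_calendar.pdf")
    return bytes(m)


if __name__ == "__main__":
    for label, builder in (("phish", build_sample_phish), ("benign", build_sample_benign)):
        print(label, triage(builder()), score_message(builder())["hits"])
```

The QR check is deliberately conjunctive: the combination of "scan this" wording, a visual attachment and no URL is what distinguishes a quishing lure from a legitimate PDF that also happens to contain a link.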
## Mitigation Strategies
- Mail gateway scanning for known malicious content.
- User training to inspect sender authenticity, scrutinize urgency, and avoid using embedded QR codes in unexpected emails.
- Decoding QR codes found in attachments and inline images at the gateway and applying the same URL reputation and newly-registered-domain blocking used for ordinary links; restricting executable content delivered by mail.
## Related Tools/Techniques
- AI-Enabled Voice Phishing (Shared goal of high social engineering effectiveness).
***
# Tool/Technique: SEO Poisoning / Typosquatting for Tax Scams
## Overview
Cybercriminals are exploiting search engine optimization (SEO) to elevate counterfeit websites in search results or relying on typosquatting (registering slightly misspelled domain names) to trick users searching for legitimate tax services (e.g., H&R Block) or specific topics (e.g., "Trump tax refund").
## Technical Details
- Type: Technique/Infrastructure Camouflage
- Platform: Web Browsers
- Capabilities: Creating visually convincing spoofed platforms/websites; misleading search engine results to drive traffic to malicious sites.
- First Seen: Described as a "tried and true" scheme seeing novel variations.
## MITRE ATT&CK Mapping
- T1566 - Phishing
- T1566.002 - Spearphishing Link (users are steered to the counterfeit site)
- T1608.006 - Stage Capabilities: SEO Poisoning
- T1583.001 - Acquire Infrastructure: Domains (registration of typosquatted domains)
## Functionality
### Core Capabilities
- **SEO Poisoning:** Manipulating search rankings to ensure counterfeit sites appear near the top for relevant tax searches.
- **Typosquatting:** Registering domains closely resembling legitimate tax company names.
- **Credential Harvesting:** Collecting login credentials, Social Security numbers, and financial details via the fake sites.
### Advanced Features
- Combining fraudulent search results with the general climate of confusion during tax season.
## Indicators of Compromise
- File Hashes: N/A
- File Names: N/A
- Registry Keys: N/A
- Network Indicators: Domains used for phishing sites (defanged); specific IPs hosting the counterfeit sites.
- Behavioral Indicators: Users navigating to highly similar, non-official tax filing domains.
## Associated Threat Actors
- Cybercriminals focused on large-scale identity and financial theft during tax season.
## Detection Methods
- Signature-based detection: Blacklisting known malicious/typosquatted domains.
- Behavioral detection: Monitoring DNS requests for newly registered, high-similarity domains associated with tax services.
- YARA rules: Not applicable.
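An added example (not from the original report) of the behavioral detection above: a Python lookalike-domain check run over resolver query logs. It flags queried names whose registrable part either reuses a watched brand as a hyphenated token ("irs-gov-refund-status") or sits within a small edit distance of the brand after undoing common homoglyph substitutions ("hrb1ock"). The watchlist, the log format and the log lines are constructed for the demo; the registration-age check mentioned above needs RDAP/WHOIS data and is not shown. The same classifier applies unchanged to domains extracted from SMS lures.

```python
import re

# Constructed watchlist of tax-service brands a defender cares about.
WATCHLIST = sorted({"irs.gov", "hrblock.com", "turbotax.com"})

# Digits and symbols attackers substitute for similar-looking letters.
HOMOGLYPHS = str.maketrans({"0": "o", "1": "l", "3": "e", "5": "s",
                            "7": "t", "8": "b", "9": "g", "@": "a"})

# Constructed resolver log: timestamp, client, query type, queried name.
SAMPLE_LOG = """\
2025-03-11T09:14:02Z 10.0.0.12 A www.hrblock.com
2025-03-11T09:14:09Z 10.0.0.12 A hrb1ock.com
2025-03-11T09:15:31Z 10.0.0.33 A turbotaxx.com
2025-03-11T09:16:05Z 10.0.0.33 A irs-gov-refund-status.example
2025-03-11T09:17:44Z 10.0.0.41 A first-national-bank.example
2025-03-11T09:18:10Z 10.0.0.41 AAAA www.example.com
"""
LOG_RE = re.compile(r"^(\S+)\s+(\S+)\s+(\S+)\s+(\S+)$")


def registered_domain(fqdn: str) -> str:
    """Last two labels; a simplification that ignores multi-label suffixes like co.uk."""
    labels = fqdn.lower().rstrip(".").split(".")
    return ".".join(labels[-2:])


def normalise(label: str) -> str:
    """Undo homoglyph digits and separator padding before comparing."""
    return label.translate(HOMOGLYPHS).replace("-", "").replace("_", "")


def edit_distance(a: str, b: str) -> int:
    """Optimal string alignment distance: insert, delete, substitute, or swap adjacent chars."""
    d = [[0] * (len(b) + 1) for _ in range(len(a) + 1)]
    for i in range(len(a) + 1):
        d[i][0] = i
    for j in range(len(b) + 1):
        d[0][j] = j
    for i in range(1, len(a) + 1):
        for j in range(1, len(b) + 1):
            cost = 0 if a[i - 1] == b[j - 1] else 1
            d[i][j] = min(d[i - 1][j] + 1, d[i][j - 1] + 1, d[i - 1][j - 1] + cost)
            if i > 1 and j > 1 and a[i - 1] == b[j - 2] and a[i - 2] == b[j - 1]:
                d[i][j] = min(d[i][j], d[i - 2][j - 2] + 1)
    return d[len(a)][len(b)]


def classify_domain(fqdn: str):
    """Return (verdict, matched brand) for one queried name."""
    reg = registered_domain(fqdn)
    if reg in WATCHLIST:
        return ("legitimate", reg)
    sld = reg.split(".", 1)[0]
    tokens = {normalise(t) for t in re.split(r"[-_]", sld) if t}
    whole = normalise(sld)
    for brand in WATCHLIST:
        brand_sld = brand.split(".", 1)[0]
        # Brand name used as a token inside a longer name: irs-gov-refund-status.
        if brand_sld in tokens:
            return ("lookalike", brand)
        # Typo/homoglyph distance, tighter for short brands so "irs" does not
        # match every three-letter label.
        allowed = 1 if len(brand_sld) < 6 else 2
        if edit_distance(whole, brand_sld) <= allowed:
            return ("lookalike", brand)
    return ("unrelated", None)


def scan_log(log_text: str):
    """Return (queried name, matched brand) for every lookalike in the log."""
    flagged = []
    for line in log_text.splitlines():
        m = LOG_RE.match(line.strip())
        if not m:
            continue
        qname = m.group(4)
        verdict, brand = classify_domain(qname)
        if verdict == "lookalike":
            flagged.append((qname, brand))
    return flagged


if __name__ == "__main__":
    for qname, brand in scan_log(SAMPLE_LOG):
        print(f"LOOKALIKE {qname} -> {brand}")
```

The length-dependent distance threshold matters in practice: a three-letter brand such as "irs" with a distance of 2 would flag a large share of ordinary short labels, so the token rule carries most of the weight for it.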
## Mitigation Strategies
- Users must use bookmarked or directly typed URLs for sensitive financial sites.
- Organizations should monitor brand space for typosquatting attempts.
- Use protective DNS or a DNS filtering service that blocks newly registered and lookalike domains; DNSSEC does not help here, since a typosquatted domain is legitimately registered and resolves with valid signatures.
## Related Tools/Techniques
- Account takeover and identity theft using the harvested credentials (Valid Accounts, T1078); this is distinct from OS Credential Dumping (T1003), which is a post-compromise endpoint technique and not what these sites perform.
***
# Tool/Technique: Mobile-First SMS Phishing (Smishing)
## Overview
Attackers are using text messages (SMS) to launch mobile-first attacks, impersonating the IRS or tax services. The goal is to coerce recipients into clicking malicious links or downloading counterfeit tax-related applications to steal credentials and financial data.
## Technical Details
- Type: Technique/Delivery Method
- Platform: Mobile Devices (SMS)
- Capabilities: Delivering malicious links or fake application installation prompts directly to mobile endpoints.
- First Seen: Noted as an increase in activity during the current tax season.
## MITRE ATT&CK Mapping
- T1566 - Phishing
- T1566.002 - Spearphishing Link (the SMS carries the malicious URL)
- T1566.003 - Spearphishing via Service (messages delivered over SMS rather than corporate email)
- T1660 - Phishing (Mobile ATT&CK matrix, covering smishing and fake-app lures)
## Functionality
### Core Capabilities
- Sending deceptive texts posing as official notifications from the IRS or tax preparers.
- Direct promotion of clicking malicious links or downloading fraudulent apps.
### Advanced Features
- Mobile Optimization: Designing the attack chain specifically for mobile platforms where filtering may be less stringent than email gateways.
## Indicators of Compromise
- File Hashes: Hashes associated with any downloaded fake applications.
- File Names: Fake application installation files.
- Registry Keys: N/A
- Network Indicators: Malicious URLs delivered via SMS (defanged); domains hosting fake tax apps.
- Behavioral Indicators: Unexpected SMS messages containing links demanding immediate login or download.
## Associated Threat Actors
- Attackers prioritizing high-volume, lower-friction attacks targeting individual taxpayers.
## Detection Methods
- Signature-based detection: Blacklisting known malicious URLs/domains found in SMS messages.
- Behavioral detection: Monitoring for new mobile app installs originating from unexpected or unverified sources following SMS interaction.
- YARA rules: Not applicable.
## Mitigation Strategies
- Do not click links or download applications from unsolicited tax-related text messages.
- Configure mobile devices (for example through MDM policy) to block sideloading, i.e., installation of applications from outside official app stores.
- Report suspicious text messages to relevant authorities or carriers.
## Related Tools/Techniques
- Malicious Application Installation.