New tax phishing attack: CP-2100 Notice Campaign


This Off the Hook threat alert on the new IRS CP 2100 notice campaign follows up on our previous Tax Phishing Off the Hook, so be sure to check that one out.

Doing taxes can be more or less overwhelming and confusing depending on the year. But taxes are always stressful, and stressful situations are a gold mine for phishing attackers. They understand that it’s common for well-intentioned taxpayers to send forms with missing information or mistakes, which will trigger notifications for changes from tax authorities. Even the legitimate messages can be hard to understand and scary given all the bureaucratic wording.

As a result, many people will just click the link and enter information as directed with little thought. This can be extremely harmful if the information falls into the hands of cybercriminals.


What we are seeing in the IRS tax CP 2100 notice campaign

We are monitoring multiple new tax-related phishing attacks. This CP-2100 notice campaign phishing attack claims the user has entered an incorrect name and Taxpayer Identification Number (TIN) in their latest transfer. The real CP 2100 notice does indeed let taxpayers "know they may be responsible for backup withholding when TINs are missing from IRS records or have incorrect name/TIN combinations," according to the IRS website.

The attack email's text is sparse and not terribly well written, but the email contains a more convincing Word document attachment promising more information once the user “enables content” to see “enclosed content.”

This indicates the presence of macros, a classic attack vector through which malicious content is downloaded to the user's device. Macros are such a common malware vector that programs used to view these documents often automatically warn users about the dangers of enabling macros. Therefore, attackers come up with something to trick the user into enabling the macros.


CP-2100 phishing attack email message

The attached document itself, pictured below, looks real enough to evoke stress as a quasi-official notice promising bad things will happen unless action is taken. It is not hard for attackers to spoof official notifications, as real examples are widely available. But such reproductions take more effort than a traditional simple, generic attack. Because phishing attacks are usually extremely cheap to execute and blasted out in huge numbers, a campaign’s success rate needn’t be too high to be worth the criminal’s time. So even these slightly more sophisticated attacks are not as common as one might think. Because they are less common, they might have an outsized success rate, as people are unprepared for them.

CP-2100 notice campaign phishing attachment

This message contains two classic social engineering tactics: manipulating user curiosity, and creating a false sense of urgency and stress. The user’s curiosity is raised with the message’s vagueness. Because the message reveals little information beyond potential costs to the user, it is much more likely the user will open the attachment to learn more. After opening, the attachment contains a request to enable macros, or “content” as it’s called in this case. This is the user’s last chance to back out.

But the attached document itself might push the user’s curiosity beyond the point of no return. Thoroughly manipulated, they would then enable the macros and thereby open the gates to a malicious content download. Curiosity killed the cat, and that saying is particularly true for phishing. While in a tax phishing attack no cats are harmed, the same can’t be said for the privacy of your, and possibly your whole organization’s, data.

Another social engineering trick in this attack is the creation of a false feeling of urgency. In this case the deadline for acting on this message is “30 calendar days,” which might feel urgent to some, especially those who struggle to understand it and require time to respond appropriately.

The feeling of urgency is a commonly used tactic in phishing because it effectively plays on human psychology. Urgency can be fabricated with fake deadlines and the threat of consequences for not doing as told. The message might threaten the user with forfeiting money, or losing data or privileges to services, etc. Threats of loss can be an effective way to stress people into forgetting their security training and acting hastily.

This particular attack is seen in North America, but tax phishing attacks are seen all over the world. The stress and confusion surrounding taxes are a universal experience.

Staying off the hook

Malicious messages are sometimes hard to spot by only reading the message, especially if the message is about something unexpected. But even if you are expecting a message, you should still exercise caution, as it might just be a lucky break for an attacker whose timing hits just right. Attackers try to mimic the most commonly received messages from the most commonly used services in their phishing attack campaigns.

When receiving suspicious or unexpected messages it is a good practice to:

  • Contact the sender directly. For example, with this tax related message, contact the tax officials directly for verification. The user gains certainty that the message is real, and the authorities will know about attacks making the rounds with their name on it, so they can act accordingly.
  • Verify the message with the sender’s website or web service. But be careful! It is not recommended to click any links in emails; always navigate to the official service via browser yourself and look for information related to what’s claimed in the email message. This is one of the best ways to avoid malicious links and content passed around by attackers.
  • Always be cautious with attachments, especially documents containing macros. Ideally we could avoid opening unexpected and unverified email attachments altogether, but of course this is not always possible.
  • Consider deadlines provided in messages as deadlines for contacting the alleged sender directly through the official channels and asking for more information about the message and its content. Do not reply to the message directly to ask for more information or whether it is safe.

Modern technology has made filing taxes so much easier. Unfortunately, it has made tax phishing attacks much easier, too. Remember to exercise caution when you get a tax notice, and remember your security training. Don’t let threats and deadlines swallow your logical thinking. They won’t actually bite. Stay safe and Off the Hook.

Hoxhunt response

Our Threat Analysis Team examines tens of thousands of reported phishing emails a week, including ones like these, and has captured tens of millions of threats to date. They cluster the threats, rate them, and incorporate the nasty ones into our training simulations in real time to ensure our training stays at the cutting edge of the constantly evolving threat landscape. Hoxhunt users are thus drilled on spotting and reporting the latest actual threats making the rounds, removing potentially catastrophic threats from your system with every push of the Hoxhunt reporting button. Read more to learn how to equip your employees with the awareness training that will protect your company from phishing scams.
