With tax season around the corner, it’s a rite of passage to expect tax-related spoofs. That can come in the form of spoofing the IRS or popular tax apps like TurboTax or Intuit.
One way that hackers are mixing it up is by targeting popular fintech apps and spoofing their tax notifications.
Starting in February 2022, Avanan researchers have found that hackers are spoofing trending fintech apps such as Stash and Public to steal credentials and give users a false sense of security that they’ve compiled the right tax documents. In this attack brief, Avanan will analyze how threat actors are taking advantage of popular fintech apps to steal credentials and personal information around tax season.
Attack
In this attack, hackers are spoofing popular fintech apps Stash and Public. Stash is a personal finance app that allows users to do both traditional banking and investments. Over six million people use the service.
Public is similar to Stash, except it focuses solely on investing. In the app, you can invest in traditional stocks as well as crypto. It also has a social network feature that allows users to see who others invest in.
Both emails in this attack briefing are similar, spoofing the above companies by saying that a new tax document is ready.
When the user clicks on the link, they are directed to a credential harvesting site.
- Vector: Email
- Type: Credential Harvesting
- Techniques: Impersonation
- Target: Any end-user
In this attack, threat actors are spoofing fintech apps to steal credentials around tax season.
Email Example #1
The user receives what looks like a typical notification that a tax document is ready. This is spoofing the app Stash.
Email Example #2
This email, spoofing Public, is similar to the one above.
Techniques
In this attack, hackers are spoofing popular fintech apps to steal credentials.
It’s a clever strategy, as fintech apps represent a huge amount of users to scam. According to one study, 88% of Americans use some form of fintech, up from 58% in 2020. Think about this: More Americans use Fintech than streaming services (78%) and social media (72%).
The apps and services are incredibly popular with millennials, with 95% of that cohort reporting use. Interestingly, Baby Boomers are the fastest-growing segment of fintech users, doubling year over year to 79% of that group using these services.
That gives hackers a wide range of people to steal credentials from.
Further, these sorts of scams may catch users off guard. They may not be expecting tax documents from these apps, inducing them to click. Since most of these services are mobile-first, users may receive this on their phone and may forget about typical cyber hygiene.
This represents a novel and innovative social engineering campaign that could pay dividends for hackers.
Best Practices: Guidance and Recommendations
To guard against these attacks, security professionals can do the following:
- Try to avoid doing personal taxes on company assets and never with corporate email addresses
- Encourage end-users to check URLs before clicking on tax-related emails
- Ask users to log in directly to the financial institution when receiving tax notification emails
- Encourage end-users to reach out to IT if unsure if an email is legitimate or not
