ADP Users Targeted in Tax Themed Phishing Attack

January 10, 2020 | by Troy Gill | Tax Scam, phishing

Tax season is right around the corner and it may be hard for some people to believe but many individuals are actually eager to receive their tax documents and files their taxes. That’s because the vast majority of American workers, roughly 73%, will receive a tax refund this year. Cyber criminals are well aware of this fact and are naturally looking to take advantage.

As they always do this time of year, tax related email attacks are ramping up. This always includes everything from run-of-the-mill spam to very dangerous phishing and malware attacks. This week we began monitoring an ongoing tax themed email phishing campaign that is aimed at ADP users. If you’re not familiar with ADP they are a large global provider of human capital management solutions that provides services to millions of workers around the world. The phishing emails purport to users that their W2 is now ready.

Here’s a look at one of the messages:

 

The clickable links in the message lead to domains that were registered the same day as the attack. Navigating to the URL will lead to a well-designed phishing page that poses as a legitimate ADP login page. From here the attackers will gather the victims ADP credentials.

 

Once the malicious actors have gathered user credentials, they will then attempt to access the portal and commit any number of fraudulent activities. For example, the attacker might take the tactic of changing the employees direct deposit information and redirecting funds to their nefarious accounts. In cases where the Employer does not have a second verification in place for this type of change this could be quite lucrative for the attackers. It is also possible to expose the employees bank account and routing numbers in the portal. In addition, the attackers could also access personal information about the employee which includes name, D.O.B., physical address, pay stubs, Social Security number, etc. This information is also valuable and could be used or resold for identity fraud purposes. Additionally, the employees legitimate tax documents can also be found here. This could be used by the attackers to file fraudulent tax returns on the employee’s behalf to direct their tax returns to the attacker’s coffers.

Everyone will want to steer clear of these messages given the pandora’s box of malicious activity that could result from a breach of this sort. Remember this tax season to handle all your documentation with an abundance of caution. The IRS will never require you to take action via an email. When you receive notifications that tax documents are now available from ANY provider, always navigate directly to the source yourself verses following the link in and email. When available, always enable MFA on accounts containing any personal data. As always, our customers inboxes are safe from all known variants of this threat.