Popular tax return software company used in tax season scam

Screenshot of the email that users may receive that is actually a Turbo Tax scam. (Trustwave)

An email campaign that purports to be a popular tax return software provider is the latest scam to make the rounds. The corrupted email is quickly spreading, in an effort to catch people who use the tax program.

The malicious email shows up with the title “TurboTax Case.” The email has an attachment that indicates errors in your tax return. It claims that if you don’t fix the errors, TurboTax will be forced to reject your tax return refund request. The attached file is a Microsoft Excel document.

When the user opens the corrupted Excel sheet, a security warning pops up, followed by a plain text message that instructs the user to enable macros. Macros is an old function in Excel, which the program uses to automate tasks. Hackers often use plain text instructions as a tactic to trick users into taking action that lead to data theft or the compromise of devices.

Screenshot of the Excel file that can run malicious programs on your computer via the Turbo Tax scam. (Trustwave)

In order to enable macros, the user must click on the Options button to open the document to see the supposed tax return errors, which is a trap. Enabling macros allows the malicious script to run on the victim’s computer. Once the script is executed, cybercriminals can insert malicious payloads like malware or ransomware, which they can use to steal sensitive data or lock the infected device until a ransom is paid off. 

Karl Sigler, Senior Security Researcher Manager at Trustwave SpiderLabs, says from a technical standpoint, what’s surprising is that legacy Excel 4 macros still work and are supported in the Excel 2017 XML format — giving cybercriminals a pathway to compromise the computers of their victims.

“Indeed, we’ve seen at least one case of criminals combining this legacy macro support with tax season phishing scams to guarantee a higher rate of victims,” he says. 

The best way to avoid falling victim to this scam is to use caution with email addresses you don’t recognize. Don’t open attachments on unsolicited emails — and if you do, do not enable macros in any document.

“Phishing emails are becoming better disguised and more convincing, which can trick even people that think they’re being careful into giving cybercriminals access to their machines,” says Sigler. “Social engineering works and is an extremely lucrative business bolstered by timely events and what’s popular in the news.”

He says to expect to see more phishing scams not only tied to this year’s tax season, but also the upcoming U.S. elections and those that capitalize on global coronavirus fears.