Valimail press release

Valimail Research Finds Public and Private Sectors Susceptible to Tax-Related Phishing Attacks

78% of analyzed organizations are not protected with DMARC at enforcement, leaving them vulnerable to impersonation-based tax scams

SAN FRANCISCO, March 30, 2020 — Valimail, the leading provider of identity-based anti-phishing solutions, today released findings from its 2020 Tax Scam Report. For the report, Valimail analyzed the public DNS records for 200 domains likely to be impersonated for tax fraud, including the 2019 Fortune 100 (some of the largest U.S. employers), U.S. states’ departments of revenue, federal tax agencies and well-known tax preparation services. Valimail found the majority of these organizations lack adequate protection against email-based scams including phishing, BEC and W-2/personal information scams.

Valimail’s analysis focused on the presence and validity of Domain-based Message Authentication, Reporting and Conformance (DMARC) and Sender Policy Framework (SPF) records. Across all domains analyzed, 78% of the organizations either lack DMARC records or their DMARC policy is not enforced. However, 91% of the domains have SPF records, which indicates a willingness to implement email authentication — although SPF does not protect domains from phishers spoofing the “From:” field. Without DMARC at enforcement, attackers are able to spoof these organizations’ domains and initiate convincing tax-related phishing attacks.

“Threat actors have historically used major events to enhance their phishing attacks, and tax season is no exception,” said Alexander García-Tobar, CEO and co-founder, Valimail. “However, we are in a unique position today: Not only is it tax season, but the COVID-19 pandemic has forced U.S. legislators to take aggressive actions to limit social interactions, and as a result many recently out-of-work individuals are facing lost wages. These individuals may be counting on a quick tax return, or they may be confused about the recently changed tax filing deadline. This makes people all the more susceptible to convincing tax scams, and cybercriminals are always willing to take advantage of uncertainty. Unfortunately, organizations that do not have DMARC records at enforcement are an easy target for criminals who use spoofing to launch highly convincing tax-related scams aimed at consumers or these companies’ own employees.”

Additional key findings from Valimail’s Tax Scam Report include:

  • State tax agencies are the most vulnerable to domain spoofing: 49 of the 55 agencies analyzed are either missing DMARC records or do not have DMARC policies at enforcement.
  • 5 of the 6 federal agencies analyzed are protected with DMARC at enforcement, underscoring the effectiveness of practices outlined in the 2018 Homeland Security Binding Operational Directive 18-01.
  • Of the 16 tax preparation services analyzed, just 7 (44%) were protected with DMARC at enforcement.
  • 77 of the 2019 Fortune 100 are not protected with DMARC at enforcement.

The low overall rate of DMARC enforcement indicates that there is much work to be done to eliminate tax-related fraud and identity theft caused by domain spoofing and phishing. To download the full report, please visit: https://www.valimail.com/resources/tax-season-vulnerabilities/

About Valimail

Valimail is the global leader in zero-trust email security. The company’s full line of cloud-native solutions authenticate sender identity to stop phishing, protect brands, and ensure compliance; they are used by organizations ranging from neighborhood shops to some of the world’s largest organizations, including Uber, Splunk, Yelp, Fannie Mae, Mercedes Benz USA, and the U.S. Federal Aviation Administration. Valimail is the fastest growing DMARC solution, with the most domains at DMARC enforcement, and is the premier DMARC partner for Microsoft 365 environments. For more information visit www.valimail.com.
