Tax season vulnerabilities

Attackers run countless tax-related scams based on phishing, year after year. While the types of attacks continue to evolve, many of them use the same underlying strategy that is found in other industries: impersonate a legitimate government or corporate entity, and trick the target into releasing money or lucrative sensitive information.
For this study, Valimail analyzed 200 domains likely to be impersonated via phishing emails for the purposes of tax fraud. These domains included the 2019 Fortune 100 companies (some of the largest employers in the U.S.), departments of revenue for every U.S. state, federal tax agencies, and well-known tax preparation services.
Key findings:
- State tax agencies are the most vulnerable: 49 of the 55 agencies analyzed are vulnerable to spoofing due to missing or invalid DMARC records, or DMARC policies that are not at enforcement
- 5 of the 6 federal agencies are protected with DMARC at enforcement
- Of 16 tax preparation services companies that Valimail analyzed, only 7 (44%) were protected with DMARC at enforcement
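The categories used in these findings (missing record, invalid record, policy not at enforcement) can be checked for any domain from the TXT strings published at `_dmarc.<domain>`. The sketch below is an added example, not Valimail's methodology or code. It assumes "at enforcement" means `p=quarantine` or `p=reject` applied to all mail (`pct` absent or 100), uses simplified RFC 7489 validation, does not follow the organizational-domain fallback, and runs on constructed sample records rather than live DNS.

```python
VALID_POLICIES = {"none", "quarantine", "reject"}

def parse_tags(record):
    """Split 'tag=value; tag=value' into an ordered list of (tag, value) pairs."""
    pairs = []
    for part in record.split(";"):
        if not part.strip():
            continue  # tolerate a trailing ';'
        name, sep, value = part.partition("=")
        if not sep:
            raise ValueError(f"tag without '=': {part!r}")
        pairs.append((name.strip().lower(), value.strip()))
    return pairs

def classify(txt_records):
    """Classify the TXT strings found at _dmarc.<domain> (simplified checks)."""
    candidates = [r.strip() for r in txt_records if r.strip().startswith("v=DMARC1")]
    if not candidates:
        return "missing"
    if len(candidates) > 1:
        return "invalid"  # RFC 7489: with several DMARC records, none is applied
    try:
        pairs = parse_tags(candidates[0])
        tags = dict(pairs)
        # The version tag must come first; p must be a known policy.
        if pairs[0] != ("v", "DMARC1") or tags.get("p", "").lower() not in VALID_POLICIES:
            return "invalid"
        pct = int(tags.get("pct", "100"))
    except ValueError:
        return "invalid"
    if not 0 <= pct <= 100:
        return "invalid"
    # Assumption: monitoring-only or partial rollout is not "at enforcement".
    if tags["p"].lower() == "none" or pct < 100:
        return "not_enforced"
    return "enforced"

def spoofable(txt_records):
    """Per the findings above: anything short of enforcement leaves the domain spoofable."""
    return classify(txt_records) != "enforced"

# Constructed sample data; the domains are placeholders, not domains from the study.
SAMPLES = {
    "revenue.example": ["v=spf1 -all"],
    "taxprep.example": ["v=DMARC1; p=none; rua=mailto:dmarc@taxprep.example"],
    "agency.example": ["v=DMARC1; p=reject; rua=mailto:dmarc@agency.example"],
    "employer.example": ["v=DMARC1 p=reject"],  # missing ';' separator
}

if __name__ == "__main__":
    for domain, records in SAMPLES.items():
        print(f"{domain:18} {classify(records):13} spoofable={spoofable(records)}")
```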