Tax scammers impersonating ADP, Paychex with aim to steal financial information

Emails made to look like legitimate Paychex notes were discovered in March. (Ian T. McFarland/Flickr)

Hackers are trying to steal Americans’ tax information ahead of the April 15 deadline by sending emails that appear to be from trustworthy sources at Paychex, ADP and elsewhere, according to IBM research published Monday.

Those messages actually are laced with TrickBot, a malicious software strain that typically infects victims through a malicious Microsoft Excel attachment. TrickBot steals valuable data including banking credentials, allowing thieves to wire themselves money from the victim without immediate detection. It’s delivered in the form of spam emails from Paychex and ADP, exploiting users’ familiarity with those financial companies at the height of tax season.

The emails, tracked in early March, landed in inboxes between 11:45 a.m. and 3:45 p.m. Eastern Standard Time, during U.S. working hours. They were also written in English and used a technique known as typo-squatting, in which a hacker creates a fake website meant to look like a legitimate one in order to fool users.

“The size of the spoofed firms suggests the criminals are likely to have some success in snagging individual users and some businesses that are customers of these well-known companies,” researchers said. “Recipients are more likely to expect an email about taxes from their service provider, so attackers can be much more successful if they spoof the names and email addresses of trusted HR services and accounting companies to deliver malware right around tax season.”


ADP has issued two security alerts this year reporting to customers that scammers were using phishing emails to try to steal their information.

This research comes amid the Internal Revenue Service’s years-long effort to stop tax scammers who file documents in a victim’s name with an eye on stealing their return. A Treasury Department inspector general’s report issued in February last year found that, with months to go until the filing deadline, the IRS had identified 9,557 tax returns on which approximately $46 million had been claimed. By that same time, the agency had stopped $22.2 million in funds from being returned.

Phishing is just one method thieves rely on to steal information. The IRS also cited phone scams and identity theft as issues for tax preparers to consider, alongside other avoidance techniques like falsifying income to claim credits, offshore tax avoidance and fake charities.

Written by Jeff Stone

Jeff Stone is the editor-in-chief of CyberScoop, with a special interest in cybercrime, disinformation and the U.S. justice system. He previously worked as an editor at the Wall Street Journal, and covered technology policy for sites including the Christian Science Monitor and the International Business Times.