Tax-Season Scammers Spoof Fintechs, Including Stash, Public


Threat actors have new targets in their sights this tax season during the annual barrage of cyber-scams as people file their U.S. income-tax documents. Novel email campaigns are spoofing popular financial technology (fintech) applications and their tax notifications to try to dupe victims into giving up their credentials, researchers have found.

It’s common for attackers to target popular tax filing and preparation apps such as [Intuit](<https://threatpost.com/attackers-intuit-cancel-tax-accounts/178219/>) and TurboTax in various cybercriminal campaigns during tax season, a time that’s traditionally rife with scams. In 2020, for example, threat actors [targeted small tax-preparation](<https://threatpost.com/latest-tax-scam-target-apps-and-tax-prep-websites/152998/>) firms by planting malicious code on their websites to spread malware to site users.

This year, attackers have pivoted to take on the personas of fintech apps like [Stash](<https://www.stash.com/>) and [Public](<https://public.com/>) “to steal credentials and give users a false sense of security that they’ve compiled the right tax documents,” according to [a report](<https://www.avanan.com/blog/hackers-begin-spoofing-fintech-apps-as-tax-season-approaches>) published Thursday by Avanan, a Check Point company.

In scams observed by Avanan researchers beginning in February, attackers spoof the logo and look and feel of communication that Stash and Public might send to end users to inform them that their tax document is ready, Jeremy Fuchs, Avanan cybersecurity researcher and analyst, wrote in the report. The email includes a link to a document – purportedly associated with the person’s Stash or Public account – and invites users to use the link to log in to their accounts to access it. When the user clicks on the link, however, they are directed not to a legitimate log-in site, but to one that harvests their credentials, Fuchs said.
## **Rise in Fintech Threats**

Fintech is a growing attack surface for threat actors due to the sheer increase in its user base in the last couple of years, primarily attributed by researchers to the pandemic-related increase in people’s overall time online. According to [a study](<https://plaid.com/blog/report-the-fintech-effect-2021/>) by fintech startup Plaid, 88 percent of people in the United States were using some form of fintech by late 2021 – a rise of 52 percent from the 58 percent of people who reported using fintech in 2020.

Surprisingly, that’s more than the number of people in the United States who use streaming services or social media, making fintech an attractive target for threat actors, Fuchs wrote. “That gives hackers a wide range of people to steal credentials from,” he said.

Threat actors began an early foray into targeting fintech users during tax season by targeting online investment service Robinhood [last April](<https://threatpost.com/robinhood-warns-customers-of-tax-season-phishing-scams/165180/>) in a similar way to this year’s campaigns spoofing Stash and Public. At the time, researchers discovered an attack vector that used phishing emails with links to fake Robinhood websites prompting visitors to enter their login credentials.

## **Catching Users Off Guard**

Fintech companies are also an attractive target because these types of scams can catch users by surprise, Fuchs noted. “They may not be expecting tax documents from these apps, inducing them to click,” he wrote in the report. “Since most of these services are mobile-first, users may receive this on their phone and may forget about typical cyber hygiene.”

On the contrary, people should be at their most diligent when receiving any emails regarding tax forms or services, given that clicking on the wrong link, especially while connected to a corporate network, can have dire consequences, Fuchs said.
To keep networks safe during tax season, Avanan is advising security professionals to encourage end users to check URLs before clicking on links in tax-related emails, and to ask users to log in directly to the financial institution’s site when they receive tax-notification emails while at work. They also suggest security admins urge end users to contact the company’s IT department if they are unsure whether an email is legitimate.
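As an added illustration of the “check URLs before clicking” advice (this is not code from Avanan or Threatpost), the following Python heuristic flags a tax-notification email that names Stash or Public but whose links lead outside those brands’ domains, which is the mismatch the campaigns above rely on. The sample email, the lure keywords and the brand-to-domain mapping are constructed assumptions.

```python
import re
from html.parser import HTMLParser
from urllib.parse import urlparse

# Brands named in the campaign and the domains a genuine notice should link to (assumed).
BRAND_DOMAINS = {"stash": "stash.com", "public": "public.com"}
# Constructed lure phrases; "public" alone is a noisy keyword, so require a tax phrase too.
TAX_KEYWORDS = ("tax document", "tax form", "1099")


class _LinkExtractor(HTMLParser):
    """Collect every <a href=...> in an HTML mail body."""
    def __init__(self):
        super().__init__()
        self.hrefs = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self.hrefs.extend(v for k, v in attrs if k == "href" and v)


def registrable_domain(host):
    # Last two labels, so "stash.com.evil.example.net" -> "example.net".
    # Adequate for .com brands; production code should consult a public-suffix list.
    parts = host.lower().rstrip(".").split(".")
    return ".".join(parts[-2:]) if len(parts) >= 2 else host.lower()


def check_tax_notice(subject, html_body):
    """Return a verdict dict; suspicious when a brand tax notice links off-brand."""
    text = (subject + " " + re.sub(r"<[^>]+>", " ", html_body)).lower()
    brands = [b for b in BRAND_DOMAINS if re.search(r"\b%s\b" % b, text)]
    if not brands or not any(k in text for k in TAX_KEYWORDS):
        return {"suspicious": False, "brands": brands, "mismatched_links": []}
    parser = _LinkExtractor()
    parser.feed(html_body)
    expected = {BRAND_DOMAINS[b] for b in brands}
    bad = [h for h in parser.hrefs
           if registrable_domain(urlparse(h).hostname or "") not in expected]
    return {"suspicious": bool(bad), "brands": brands, "mismatched_links": bad}


# Constructed sample mimicking the lure: brand lookalike subdomain on an unrelated domain.
SAMPLE_SUBJECT = "Your Stash tax document is ready"
SAMPLE_BODY = """<html><body>
<p>Your 2021 tax form is available.
<a href="https://stash.com.account-verify.example.net/login">Log in to view</a></p>
<p><a href="https://www.stash.com/help">Help center</a></p></body></html>"""

if __name__ == "__main__":
    print(check_tax_notice(SAMPLE_SUBJECT, SAMPLE_BODY))
```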