Dark background with blue code overlay

Tax Season: Criminals Play the Numbers Game Too

Steve Ragan

Written by

Steve Ragan

April 06, 2021


Criminals love tax season. The stress and urgency surrounding this time of year makes the victim pool highly vulnerable to various types of schemes. In addition to phishing, tax season is also the time of year when criminals focus their efforts towards other types of attacks including Local File Inclusion (LFI), SQL Injection (SQLi), and credential stuffing.

In case you missed the news, the IRS moved tax day to May 17, 2021, so expect a second wave from criminals targeting the new date.

Quick Note:

Today's post leverages data representing a moment in time, which consists of attacks observed between March 18 and April 29, in each of 2018, 2019, and 2020. In addition, we also examined data for June 17 through July 29, 2020.

We picked these days in order to examine attack traffic before, during, and after normal tax filing times. Due to data volume and complexity, credential stuffing data will focus on 2020's data just to keep things simple. In reviewing the data, we are focused on the U.S. public sector specificly, which includes government organizations and supporting private organizations.

Web attacks

Almost everyone talks about phishing when it comes to tax season. We'll talk about that too later in this post, but there are other types of attacks being leveraged. In 2018, Akamai observed 4.4 million web application attacks, and 18 million in 2019. In fact, in 2019, Akamai recorded 10 million LFI attacks shortly after the US tax filing deadline.

In 2020, there were a total of 20.2 million web application attacks, and 10.9 million of those occurred between June 17 and July 29. Due to COVID, the IRS extended the tax filing deadline, and criminals took advantage of this to conduct additional attacks.


LFI attacks are looking to exploit various scripts running server-side, usually PHP. However, LFI can also target ASP, JAP, and other web-based technologies. Successful attacks often result in the disclosure of sensitive information, which can be leveraged for additional attacks. At the same time, LFI can also sometimes result in client-side command execution (due to vulnerable JavaScript), which could lead to Cross-Site Scripting or Denial-of-Service.

SQLi, on the other hand, is a direct attack against the website or service, seeking to expose the information housed by the organization or gain access to the database itself directly. There is another, more sinister aspect to SQLi that criminals will use as well -  command execution.

In December 2020, Accellion was made aware of a zero-day SQLi vulnerability in Accellion File Transfer Appliance (FTA). FTA is a file transfer application used by government organizations, as well as private industry organizations in the medical, legal, telecommunications, and finance sector.

The zero-day vulnerability was exploited by threat actors and used to compromise organizations across the globe. The attackers leveraged SQLi as the primary means of infection in order to initiate the deployment of root shells, which were then later used to exfiltrate data. Some of the victims were extorted in order to prevent the stolen data from being released to the public.

Details of this attack chain, and the four related CVEs are available on the Cybersecurity and Infrastructure Security Agency (CISA) website.

Credential abuse

Credential abuse, or credential stuffing as it is sometimes known, is a criminal's favorite type of automated attack. It's a numbers game, and during tax season - when everything is about the numbers - criminals are banking hard on the fact that people will choose weak, or recycled, passwords when filing their taxes online.

There were a total of 295 million credential stuffing attacks recorded in the public sector in 2020, and 56% of them (166,603,107) occurred between June 17 and July 29.


Credential stuffing works. That is the short answer to why criminals conduct these kinds of attacks. Counting on the fact that people use weak passwords, or recycled passwords, criminals compile lists of login combinations and test them against multiple services. Because of the recycled password issue, a successful compromise at one account or service could then lead to successful compromises of other accounts or services.

The volume of credential stuffing attacks was so noticeable towards the end of 2020 that the SEC's Office of Compliance Inspections and Examinations (OCIE) issued a risk alert warning SEC-registered investment advisers, brokers and dealers, registrants, and firms about the uptick in attacks.

"OCIE staff has observed an increase in the frequency of credential stuffing attacks, some of which have resulted in the loss of customer assets and unauthorized access to customer information," the warning said.

The risk of credential stuffing around tax time isn't just a recent event either. In 2015, TaxSlayer, LLC disclosed that criminals leveraged credential stuffing to compromise nearly 9,000 accounts between October and December of that year. The breach caught the attention of the Federal Trade Commission (FTC), who alleged in a complaint that TaxSlayer violated the Privacy Rule and the Gramm-Leach-Bliley Act's Safeguards Rule. The FTC reached a settlement to those allegations with TaxSlayer in 2017. 


As mentioned earlier, phishing is another really common tactic used by criminals during tax season. Criminals will spoof popular tax brands, even the Internal Revenue Service (IRS) itself, in order to trick their victims into revealing sensitive information, which is then used for tax fraud and other ID related crimes.

It's important to remember that the IRS will never initiate contact with taxpayers via email, text message, or social media in order to request personal information, such as PINs, passwords, usernames, or information commonly found on a state ID.

Likewise, the IRS will also never reach out via those communication channels in order to obtain financial information, including credit card details, banking details, or other finance related information.

Additional details, including what to do if you suspect you've been the victim of a tax scam, is available on the CISA website.

Steve Ragan

Written by

Steve Ragan

April 06, 2021