Tax-Season Scammers Spoof Fintechs, Including Stash, Public

2022-03-24 13:00

Threat actors have new targets in their sites this tax season during the annual barrage of cyber-scams as people file their U.S. income-tax documents.

It's common for attackers to target popular tax filing and preparation apps such as Intuit and TurboTax in various cybercriminal campaigns during tax season, a time that's traditionally rife with scams.

This year, attackers have pivoted to take on the personas of fintech apps like Stash and Public "To steal credentials and give users a false sense of security that they've compiled the right tax documents," according to a report published Thursday by Avanan, a Check Point company.

In scams observed by Avanan researchers beginning in February, attackers spoof the logo and look and feel of communication that Stash and Public might send to end users to inform them that their tax document is ready, Jeremy Fuchs, Avanan cybersecurity researcher and analyst, wrote in the report.

The email includes a link to a document - purportedly associated with the person's Stash or Public account - and invites users to use the link to log in to their accounts to access it.

Threat actors began an early foray into targeting fintech users during tax season by targeting online investment service Robinhood last April in a similar way to this year's campaigns spoofing Stash and Public.

News URL

https://threatpost.com/tax-season-scammers-spoof-fintechs-stash-public/179071/

#fintech #scammer