Tax-Season Scammers Spoof Fintechs, Including Stash, Public

Threat actors are impersonating such wildly popular personal-finance apps (which are used more than social media or streaming services) to try to fool people into giving up their credentials.

Threat actors have new targets in their sights this tax season during the annual barrage of cyber-scams as people file their U.S. income-tax documents. Novel email campaigns are spoofing popular financial technology (fintech) applications and their tax notifications to try to dupe victims into giving up their credentials, researchers have found.

It’s common for attackers to target popular tax filing and preparation apps such as Intuit and TurboTax in various cybercriminal campaigns during tax season, a time that’s traditionally rife with scams. In 2020, for example, threat actors targeted small tax-preparation firms by planting malicious code on their websites to spread malware to site users.

This year, attackers have pivoted to take on the personas of fintech apps like Stash and Public “to steal credentials and give users a false sense of security that they’ve compiled the right tax documents,” according to a report published Thursday by Avanan, a Check Point company.

Stash is a personal finance app with more than 6 million users that allows users to both do traditional banking and to invest. Public has similar capabilities but focuses solely on investing in both traditional stocks and crypto. It also has a social networking aspect so people can see where other users are investing.

In scams observed by Avanan researchers beginning in February, attackers spoof the logo and look and feel of communication that Stash and Public might send to end users to inform them that their tax document is ready, Jeremy Fuchs, Avanan cybersecurity researcher and analyst, wrote in the report.

The email includes a link to a document – purportedly associated with the person’s Stash or Public account – and invites users to use the link to log in to their accounts to access it. When the user clicks on the link, however, they are directed not to a legitimate log-in site, but to one that harvests their credentials, Fuchs said.

Rise in Fintech Threats

Fintech is a growing attack surface for threat actors due to the sheer increase in its user base in the last couple of years, primarily attributed by researchers to the pandemic-related increase in people’s overall time online.

According to a study by fintech startup Plaid, 88 percent of people in the United States were using some form of fintech by late 2021 – a rise of 52 percent from the 58 percent of people who reported using fintech in 2020.

Surprisingly, that’s more than the number of people in the United States who use streaming services or social media, making fintech an attractive target for threat actors, Fuchs wrote. “That gives hackers a wide range of people to steal credentials from,” he said.

Threat actors made an early foray into targeting fintech users during tax season with a campaign against online investment service Robinhood last April, which worked in a similar way to this year’s campaigns spoofing Stash and Public. At the time, researchers discovered an attack vector that used phishing emails with links to fake Robinhood websites prompting visitors to enter their login credentials.

Catching Users Off Guard

Fintech companies are also an attractive target because these types of scams can catch users by surprise, Fuchs noted.

“They may not be expecting tax documents from these apps, inducing them to click,” he wrote in the report. “Since most of these services are mobile-first, users may receive this on their phone and may forget about typical cyber hygiene.”

On the contrary, people should be at their most diligent when receiving any emails regarding tax forms or services, given that clicking on the wrong link, especially while connected to a corporate network, can have dire consequences, Fuchs said.

To keep networks safe during tax season, Avanan is advising security professionals to encourage end-users to check URLs before clicking on tax-related emails, and to ask users to log in directly to the financial institution when receiving tax-notification emails while at work. They also suggest security admins urge end-users to reach out to the company’s IT department if they are unsure whether an email is legitimate.
