6 days Ago By Davey Winder, Senior Contributor
24-hour warning issued for Microsoft Account holders. If there’s one thing that cybercriminals love, it’s a deadline. Anything that injects a sense of urgency into an attack massively increases the chances of that threat turning into a successful exploit.
It’s why you see so many attacks start with a message or notification warning you that your account has been compromised , and you must act now, or a request from a relative in urgent need of cash. Sometimes, however, the immediacy trigger is based around a very real deadline. Such is the case of the latest warning for Windows users as threat actors look to exploit the April 15 U.
S. deadline for filing taxes in order to hack your Microsoft account password. Can you stay safe for 24 hours and beyond? Here’s what you need to know.
Benjamin Franklin is quoted as saying that “in this world, nothing is certain except death and taxes,” to which, were he alive today, I’m pretty sure he would added phishing attacks. With the April 15 deadline for filing taxes in the U.S.
now less than 24 hours away, those who would socially engineer their way into your valuable online accounts have gone into overdrive with a big push to make the most of the certainty that people are hurrying to comply. Hurrying suggests stress, and stress can make people do things and click on things they otherwise might not. Peter Arntz, a malware intelligence researcher at Malwarebytes, has confirmed that attackers are looking to exploit this tax deadline stress in Windows users with Microsoft account credentials as the ultimate target.
The attacks start with an email containing an attachment that is titled “urgent reminder” and claims to be a tax review and update reminder. The “mandatory review” of tax records has to be initiated by scanning the malicious QR code contained within the PDF file. Doing so, of course, would be a very costly mistake.
“When we disabled our protection to see where the QR code led,” Arntz said, “we first had to pass the bot protection.” And, dear reader, the next step after this fake CAPTCHA was to enter Microsoft account credentials, the email address of which was already filled out. “Entering your password will send your credentials to a Russian receiver,” Arntz warned, “who will decide what the most profitable way to use them is.
” Don’t be lulled into a literal false sense of security if you are not a Windows user or have an extension to file your taxes on a different date. This threat, while at its most potent with just 24 hours left on the filing deadline clock, will continue to pose a danger to all users for some months to come. The use of AI to create and drive phishing attacks means that the notifications and warnings we see are more sophisticated and believable than ever.
With smartphone farms being used to deliver text message threats at scale, and infostealer malware often deployed, it’s nothing short of a security nightmare. But that doesn’t mean you can’t fight back. Malwarebytes advised that you should be alert to messages promising unexpected tax refunds as well as those urgent notifications with a “click here” to complete your tax return.
Then there’s the fact that, as Arntz said, the IRS rarely contacts people by email. “When it does,” Arntz advised, “it is only to send general information and in an ongoing case with an assigned IRS employee.” The IRS itself has a dedicated site to help you recognize tax scams and fraud , whether you are a Windows user or not.
I’d suggest you read it, preferably within the next 24 hours. I have approached Microsoft for a statement..
