Quote:A W2 tax email scam is circulating in the U.S. using Typeform, a popular software that specializes in online surveys and form building. The campaign is aimed at harvesting victims’ email account credentials, researchers said.
According to Armorblox, the campaign also bypasses native Google Workspace email security filters in the victims it examined.
“The email impersonated an automated file-sharing communication from OneDrive, informing victims that they had received a file,” researchers explained in an analysis on Tuesday. “The email was sent from a Hotmail ID and was titled ‘RE: Home Loan,’ followed by a reference number and the date, making it seem like the email was part of an ongoing conversation to lend it more legitimacy.”
The links included in the emails purport to lead to a document called “2020_TaxReturn&W2.pdf,” researchers found. Instead, the links take users to a Typeform page where victims are asked to enter their email account credentials before being granted access to the file.
However, entering email account information into the form only returns error messages. After several attempts, the campaign surfaces a message saying that “the document is secured” and that the user’s identity could not be verified.
“It’s likely that the error messages could be a smokescreen for the attackers to gather as many account ID and password combinations as unsuspecting victims are willing to enter in an attempt to brute-force their way to gain access to the W2,” according to Armorblox. “In reality, there is no W2 pot of gold at the end of this malicious rainbow.”
Read more: Tax Phish Swims Past Google Workspace Email Security | Threatpost
![[-]](https://www.geeks.fyi/images/collapse.png)
