While tax season may have already occurred, researchers at Abnormal Security have discovered another scam that’s targeting Google G-Suite users and they believe it may have reached the inboxes of around 50,000 people. With this scam, users are receiving .pdf documents in their email that contain a very believable W-8BEN form, which is used to maintain nonresident tax-exemption status. The email even appears to be from irs.gov, however, it is spoofed and is really coming from “huaweimobilewifi.com” a Chinese registered domain. Aside from the information typically asked for in the form, additional information such as passport numbers and bank account details are requested by the scammers. Once the form is filled out, users are asked to fax them to a number that is known to be associated with other scam campaigns. Surprisingly enough, there is no payload included in the .pdf document and it seems this rather an attempt to get high level executives to provide their personal information.
Analyst Notes
Users should be careful when viewing and filling out documents from unknown senders. Even if the document seems like it is coming from a trusted source, always double-check before giving them any personal information. Many times, scammers will make subtle mistakes in their emails that will give away their ruse. If a user has any reason to believe someone is attempting to scam them will impersonating a government entity, they should report it as soon as possible.
Source: https://abnormalsecurity.com/blog/irs-tax-form-scam/
