    Targeting Accounting Firms with the RAT Tax Scam

    Cybercriminals exploit tax season to prey on accountants through sophisticated email scams

    by Samantha Clarke

    Key Points

    • According to Mimecast threat intelligence, attackers deliver malware through mega.nz file-hosting links, the legitimate ScreenConnect remote-access tool, and trusted email service providers (ESPs) such as Sendgrid in order to slip past traditional security controls during the U.S. tax deadline season. 
    • Accountants are prime targets during the American tax season. The RAT tax scam pairs social engineering with a remote access trojan (RAT) and relies on the fatigue and overload that come with the busiest weeks of the year.
    • Mimecast’s threat researchers traced the RAT tax scam end to end, showing how attackers work their way to a victim. In the second half of February 2025, accounting firms saw a sharp rise in tax-themed social engineering emails. 

    During tax season, accounting firms are hectic and overloaded with work, and that makes them prime targets for cyberattacks. One of the more insidious schemes is the RAT (Remote Access Trojan) tax scam, which combines social engineering with malware to steal credentials and sensitive client data. This post unpacks the mechanics of the scam, examines the techniques attackers use, and offers practical defenses.

    Tax Season’s Double-Edged Sword 

    For many Americans, tax season signals relief or dread, depending on whether a refund or a bill lies ahead. For accountants it means long hours juggling heavy workloads and tight deadlines. Firms generate a significant share of their annual revenue in these weeks while handling both regular filings and an influx of new clients seeking help. 

    Unfortunately, this stress-filled period offers a window of opportunity for cybercriminals, who rely on the distractions typical of tax season to launch attacks. 

    Why Accountants are Prime Targets 

    Accountants are attractive targets because of their access to both financial systems and PII (Personally Identifiable Information). From small CPA firms to multinational accounting corporations, the rewards for cybercriminals are immense. Compounding the risk is that tax season often involves generating new business, making accountants more inclined to trust seemingly legitimate inquiries from potential clients. 

    What is the RAT Tax Scam? 

    At the heart of the scheme lies the Remote Access Trojan (RAT). A RAT is a program that, once executed on a victim’s machine, gives the attacker control of that device: they can watch activity in real time, log keystrokes, capture screenshots, and transfer files. It may be purpose-built malware or, as in this campaign, legitimate remote-administration software that the attacker installs and points at their own server. The end goal is access to sensitive accounts and client data. 

    What makes RATs particularly dangerous is their stealthy nature. Once active, they operate in the background, often undetected by the user.

    How the RAT Tax Scam Works 

    Step 1: The Bait Email 

    Threat actors begin by researching accountants and finding their email addresses through public sources or breached databases. Armed with this information, they send an initial inquiry email that appears legitimate, typically posing as a potential client. 

    For instance, a scammer might claim their usual accountant has retired and that they urgently need help filing. This first email contains no links or attachments, so attachment scanners and URL filters have nothing to flag, and it reads as an ordinary inquiry. 

    Example from a Current Campaign Mimecast Stopped:

    In the second half of February 2025, Mimecast detected a significant uptick in social engineering targeting accounting firms. 

    Scammers hold the payload back for later. The first message merely offers to attach previous tax documents in a follow-up; its real purpose is to test how receptive the accountant is. 

    Step 2: Hooking the Target 

    Accountants, eager to capitalize on a new client during their busiest period, often respond promptly. At this point, they’ve been “hooked”—the attacker now has their trust. 

    Step 3: The Malicious Follow-Up 

    The threat actor sends a second email claiming to contain the promised documentation (previous tax returns, a copy of an ID). The payload is either attached directly or, to put more distance between the email and the malicious file, offered as a link to a file-hosting site such as mega.nz. Either way it carries a double-extension filename like “ClientTaxDocument.pdf.exe”: the victim sees a PDF, but the operating system runs it as a program. 

    When run, the file installs ScreenConnect, a legitimate remote-support tool that in the attacker’s hands gives full remote control over the victim’s device. 

    A Deceptive Setup 

    One variation of this attack even includes a fabricated recording of the victim’s supposed "previous accountant." This level of social engineering creates the illusion of legitimacy, luring unsuspecting users into enabling the malware. 

    Step 4: Remote Access and Data Breach 

    Once the RAT is active, the attacker begins harvesting data. This can include login credentials, client PII (e.g., Social Security numbers, financial records), and even the accountant’s system access codes. 

    Because ScreenConnect gives interactive control of the machine, attackers can also use it to deploy additional malware such as information stealers or ransomware. The latter can encrypt the firm’s systems and cripple operations until a ransom is paid. 
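    The two-stage sequence described in Steps 1 through 4, as an added example that is not Mimecast’s code: a triage script that parses two constructed messages with Python’s standard email library and flags the tells described above, namely a first-contact inquiry that promises paperwork later, a link to a file-hosting site, and an attachment whose double extension disguises an executable. The sender addresses, message text, placeholder URL, file-hosting list and the set of “known” extensions are all constructed for illustration, and displayed_name() only approximates what Windows Explorer shows with its default “Hide extensions for known file types” setting.

```python
"""Added triage example for the two-stage RAT tax scam flow (not Mimecast code)."""
import re
from email.message import EmailMessage
from urllib.parse import urlparse

# Assumption: extensions Windows Explorer hides under its default
# "Hide extensions for known file types" setting. Representative subset,
# not a registry dump; extend it from your own fleet.
KNOWN_EXT = {".pdf", ".doc", ".docx", ".xls", ".xlsx", ".zip",
             ".exe", ".scr", ".js", ".vbs", ".lnk", ".hta", ".msi", ".bat", ".cmd"}
# Extensions that execute code when double-clicked.
EXEC_EXT = {".exe", ".scr", ".com", ".pif", ".bat", ".cmd",
            ".js", ".vbs", ".msi", ".lnk", ".hta"}
# File-hosting services seen in the campaign; assumption, extend from telemetry.
FILE_HOSTS = {"mega.nz"}

URL_RE = re.compile(r"https?://[^\s<>\"')\]]+")
# Stage-one tell: an offer to send/attach tax paperwork in a later message.
PROMISE_RE = re.compile(
    r"\b(attach|send|forward|share)\w*\b.{0,80}?\b(return|document|paperwork|w-?2|1099)",
    re.IGNORECASE | re.DOTALL)


def true_extension(filename: str) -> str:
    """Last suffix, lowercased: the part the OS actually uses to pick a handler."""
    m = re.search(r"\.[^.]+$", filename)
    return m.group(0).lower() if m else ""


def displayed_name(filename: str) -> str:
    """Approximate what Explorer shows when known extensions are hidden."""
    ext = true_extension(filename)
    return filename[:-len(ext)] if ext in KNOWN_EXT else filename


def is_disguised_executable(filename: str) -> bool:
    """True when the file runs as code but is displayed with a different extension."""
    ext = true_extension(filename)
    return ext in EXEC_EXT and "." in displayed_name(filename)


def link_hosts(text: str) -> list[str]:
    return [urlparse(u).hostname or "" for u in URL_RE.findall(text)]


def analyze(msg: EmailMessage, first_contact: bool) -> list[str]:
    """Return human-readable findings for one message.

    first_contact=True means the sender has no prior history with the firm,
    which is when the 'I'll send the paperwork later' pattern matters.
    """
    findings = []
    for part in msg.walk():
        name = part.get_filename()
        if name:
            if is_disguised_executable(name):
                findings.append(
                    f"disguised executable: {name!r} displays as {displayed_name(name)!r}")
            elif true_extension(name) in EXEC_EXT:
                findings.append(f"executable attachment: {name!r}")
        elif part.get_content_type() == "text/plain":
            body = part.get_content()
            for host in link_hosts(body):
                if host in FILE_HOSTS or any(host.endswith("." + h) for h in FILE_HOSTS):
                    findings.append(f"file-hosting link: {host}")
            if first_contact and PROMISE_RE.search(body):
                findings.append("first contact promising documents later")
    return findings


def build_first_contact() -> EmailMessage:
    """Constructed stage-one message: no links, no attachments, just a promise."""
    m = EmailMessage()
    m["From"] = "Dana Whitfield <dana.whitfield@example.net>"  # constructed sender
    m["To"] = "intake@example-cpa.test"
    m["Subject"] = "Need help filing this year"
    m.set_content(
        "Hello, my previous accountant retired at the end of last year and I\n"
        "urgently need help filing before the deadline. I can send over last\n"
        "year's returns and my W-2 tomorrow if you are able to take me on.\n")
    return m


def build_follow_up() -> EmailMessage:
    """Constructed stage-three message: hosting link plus a .pdf.exe attachment."""
    m = EmailMessage()
    m["From"] = "Dana Whitfield <dana.whitfield@example.net>"  # constructed sender
    m["To"] = "intake@example-cpa.test"
    m["Subject"] = "Re: Need help filing this year"
    m.set_content(
        "Thanks for getting back to me so quickly. As promised, last year's\n"
        "return is attached and the larger files are here:\n"
        "https://mega.nz/file/EXAMPLE#EXAMPLEKEY\n")  # constructed placeholder URL
    # Stub bytes standing in for a PE file; not a real binary.
    m.add_attachment(b"MZ" + b"\x00" * 14, maintype="application",
                     subtype="octet-stream", filename="ClientTaxDocument.pdf.exe")
    return m


if __name__ == "__main__":
    for label, msg, first in (("first contact", build_first_contact(), True),
                              ("follow-up", build_follow_up(), False)):
        print(label, "->", analyze(msg, first_contact=first) or ["nothing flagged"])
```

    The first message produces a single low-confidence finding, which is the point: on its own it is not blockable, but it is worth recording so that the follow-up from the same sender is judged as stage three of a known pattern rather than as an isolated attachment.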

    The Bigger Picture 

    The fallout from a successful RAT tax scam can be catastrophic. Stolen credentials allow hackers to infiltrate organizations, disrupt operations, and compromise client data. For attackers, these credentials can also unlock sensitive bank accounts, client databases, and financial systems. 

    The Role of Modern Phishing Campaigns 

    It’s worth noting that 2024 brought more sophisticated phishing campaigns delivered through trusted email service providers (ESPs) like Sendgrid. Mail relayed through a reputable ESP inherits that provider’s sending reputation and typically passes SPF and DKIM checks, so the authentication signals that catch a spoofed domain do not fire. 

    This underscores the need for accountants to double-check the sources of files shared via email and exercise due diligence while onboarding new clients digitally. 

    Defensive Strategies Against RAT Attacks 

    1. Educate your team 

    Cybersecurity training is paramount, especially during high-risk seasons like tax time. Teach employees how to spot phishing attempts and verify client identities via phone or other methods before clicking on suspicious links or downloading files. 

    2. Implement strong email security 

    Deploy solutions that can detect phishing attempts even when malicious links or attachments are absent. Email authentication protocols such as DKIM (DomainKeys Identified Mail) and SPF (Sender Policy Framework) help reduce spoofing of your own domain, but they offer no protection against a first-contact message sent from a domain the attacker legitimately controls or relayed through a trusted ESP, which is how these inquiries arrive. Solutions that identify business email compromise (BEC) patterns and stop such messages before delivery prevent the engagement from ever starting.

    3. Be wary of file extensions 

    Encourage your team to inspect file extensions before opening attachments. Files ending in “.exe” are executable programs and should raise immediate red flags unless verified through trusted sources. Note that Windows hides known extensions by default, so “ClientTaxDocument.pdf.exe” is displayed as “ClientTaxDocument.pdf”; turn that setting off across the firm so the real extension is visible. 

    4. Limit remote access tools 

    Many cybercriminals abuse legitimate tools like ScreenConnect to gain access to devices. An attacker-installed ScreenConnect client is the same vendor-signed binary your own IT team might deploy; what differs is the server it reports to. Restrict remote access tools through application allowlisting, authorize them only through approved IT deployment, and treat any client that was not provisioned by IT as an incident rather than a policy exception. 

    5. Conduct regular system audits 

    Closely audit systems for unusual activity during tax season. A new remote-access service appearing on a workstation, unexpected outbound connections, or sudden changes in file behavior should trigger immediate investigation. 

    6. Ensure data backups are secure 

    Back up all client files and sensitive data frequently, storing copies offline or in immutable storage that a compromised workstation cannot reach. This keeps the firm operational in the face of a ransomware attack. 

    7. Use endpoint protection software 

    Advanced endpoint detection and response (EDR) solutions can identify malicious activities like RATs before they cause significant harm.
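    Items 4 and 5 above, as an added example rather than Mimecast’s own tooling: a short audit over constructed Sysmon-style process-creation events that applies an allowlist policy to remote access tools. Rather than treating the ScreenConnect binary as “bad”, the policy keys on the install directory of the instance your IT team deploys, since each instance installs into its own directory. The ScreenConnect client executable names and the approved directory are assumptions to be replaced with the names and path from an install you actually manage; the event lines are constructed for illustration.

```python
"""Added audit example for a remote-access-tool policy (not Mimecast tooling)."""
import json
import ntpath
import re
from typing import Optional

# Assumption: executable names the ScreenConnect client ships under. Verify
# against an approved install and extend with any other RMM tools you permit.
REMOTE_ACCESS_TOOLS = {
    "screenconnect.clientsetup.exe",
    "screenconnect.clientservice.exe",
    "screenconnect.windowsclient.exe",
}
# Assumption: where the instance IT actually deploys installs its client.
# A client running from any other directory reports to a server that is not
# yours, even though the binary itself is the vendor's signed, benign code.
APPROVED_DIRS = ("c:\\program files (x86)\\screenconnect client (9f8e7d6c5b4a)\\",)
USER_WRITABLE = ("\\users\\", "\\programdata\\", "\\temp\\")
DOUBLE_EXT = re.compile(r"\.(pdf|docx?|xlsx?|jpe?g)\.(exe|scr|js|vbs|bat|cmd)$")

# Constructed Sysmon-style process-creation events, one JSON object per line.
SAMPLE_EVENTS = r"""
{"time":"2025-02-24T14:02:11Z","host":"CPA-WS-07","user":"CPA\\jmiller","image":"C:\\Users\\jmiller\\Downloads\\ClientTaxDocument.pdf.exe","parent":"C:\\Windows\\explorer.exe"}
{"time":"2025-02-24T14:02:13Z","host":"CPA-WS-07","user":"CPA\\jmiller","image":"C:\\Users\\jmiller\\AppData\\Local\\Temp\\ScreenConnect.ClientSetup.exe","parent":"C:\\Users\\jmiller\\Downloads\\ClientTaxDocument.pdf.exe"}
{"time":"2025-02-24T14:02:19Z","host":"CPA-WS-07","user":"NT AUTHORITY\\SYSTEM","image":"C:\\Program Files (x86)\\ScreenConnect Client (0badc0ffee11)\\ScreenConnect.ClientService.exe","parent":"C:\\Windows\\System32\\services.exe"}
{"time":"2025-02-24T14:05:40Z","host":"CPA-WS-02","user":"NT AUTHORITY\\SYSTEM","image":"C:\\Program Files (x86)\\ScreenConnect Client (9f8e7d6c5b4a)\\ScreenConnect.ClientService.exe","parent":"C:\\Windows\\System32\\services.exe"}
{"time":"2025-02-24T14:06:02Z","host":"CPA-WS-02","user":"CPA\\asmith","image":"C:\\Program Files\\Microsoft Office\\root\\Office16\\OUTLOOK.EXE","parent":"C:\\Windows\\explorer.exe"}
"""


def parse_events(jsonl: str) -> list[dict]:
    return [json.loads(line) for line in jsonl.splitlines() if line.strip()]


def classify(event: dict) -> Optional[str]:
    """Return an alert reason for one event, or None when it is policy-compliant."""
    image = event["image"].lower()
    base = ntpath.basename(image)
    if base in REMOTE_ACCESS_TOOLS:
        if image.startswith(APPROVED_DIRS):
            return None
        return "remote access tool outside the approved deployment"
    if DOUBLE_EXT.search(base) and any(p in image for p in USER_WRITABLE):
        return "double-extension executable launched from a user-writable path"
    return None


def audit(events: list[dict]) -> list[dict]:
    """Run the policy over a batch of events; alerts keep enough context to pivot on."""
    alerts = []
    for ev in events:
        reason = classify(ev)
        if reason:
            alerts.append({**ev, "reason": reason})
    return alerts


if __name__ == "__main__":
    for a in audit(parse_events(SAMPLE_EVENTS)):
        print(f"{a['time']} {a['host']} {a['user']}: {a['reason']}")
        print(f"    {a['parent']} -> {a['image']}")
```

    The third event is the one worth studying: the service runs as SYSTEM from Program Files, started by services.exe, exactly like the legitimate install on CPA-WS-02 two lines later. A rule that only looks for suspicious binaries or suspicious parents passes it; the instance directory is what gives it away, and the parent chain in the two earlier alerts (explorer.exe to the .pdf.exe to the installer) is what an analyst pivots on to find the original email.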

    The Takeaway

    The RAT tax scam exemplifies the growing sophistication of cyber threats targeting accounting firms. Capitalizing on the chaos of tax season, attackers use social engineering and malware to infiltrate firms, steal valuable data, and disrupt operations.

    To counteract these threats, accounting firms must prioritize cyber resilience, adopting robust email security measures, implementing employee cybersecurity awareness programs, and maintaining vigilant practices during high-risk periods. 

    By staying one step ahead, your firm can keep tax season busy while keeping attackers firmly at bay. For practical insights on how to strengthen your firm’s cybersecurity posture, explore the Threat Intelligence Hub or download the latest Global Threat Intelligence Report.
