Deidre Frith

Beware of Tax-Themed Phishing

As Tax Day in the U.S. approaches, Microsoft has observed a surge in phishing campaigns leveraging tax-related themes to steal credentials and deploy malware. These campaigns utilize various redirection techniques—such as URL shorteners, QR codes in attachments, and legitimate services like file-hosting platforms and business profile pages—to evade detection. Microsoft identified that many of these phishing operations lead to payloads.

Several evil campaigns have been launched since February 2025 targeting U.S. users with tax-themed emails that used PDF attachments with embedded redirect links that eventually led to fake DocuSign pages. Scary!

These campaigns highlight the continued effectiveness of social engineering during seasonal events like tax season. Threat actors are increasingly using multilayered approaches—combining social trust-building, obfuscated file attachments, redirect chains, and abuse of legitimate platforms—to bypass detection and increase user interaction.

Remain vigilant, look for suspect emails, and question everything!

WHAT CAN I DO TO PROTECT MYSELF?

  • Protect your personal and business information on social media. Stop oversharing and be certain MFA is turned on.

  • Filter unsolicited communication and identify lure links in phishing emails.

  • Use multifactor authentication (MFA) on all accounts on all devices in all locations at all times.

  • Use Microsoft Edge to identify and block malicious websites including phishing sites, scam sites, and sites that contain exploits and host malware.

  • Use the browser URL navigator to validate that, after clicking a link in search results, you have arrived at the expected legitimate domain.

IT, I.T. Deidre Frith

Is it Elon or AI? Nomani is here!

STOP! DO NOT GIVE THEM YOUR MONEY!

Cybercriminals love AI. A new deepfake scam is spreading on social media. Many people have lost millions to it. Here are the details to help you avoid becoming a victim.

I HATE TO BREAK IT TO YOU…IT’S NOT ELON.

The tactic is called Nomani (yeah, that’s “no money”) and combines AI video, malicious ads on social media and email phishing. It started spiking May 2024 and grew 335% by the second half of the year. From May to November, ESET Cybersecurity says they blocked about 100 new scam URLs a day, adding up to 8,500 sites.

The video features a celebrity or politician (think Elon Musk, etc.) promoting a cryptocurrency investment on social media platforms like YouTube or Facebook. These videos may look like news segments or exclusive interviews and often involve a recognizable figure. The accounts sharing this content usually have many followers and use eye-catching graphics to attract viewers, claiming huge profits with no risk. If you click on their websites, you might just be sharing your information with a scam artist. In the worst case, the site could contain malware that steals your money or personal information.

IT GETS NASTIER…

Most of these tricks end with an “investment manager” calling to walk you through the process of transferring all your hard-earned money right to them. They pretend they’re helping you put it into a crypto investment account. Nope.

If you’ve already fallen for Nomani, you’re at even more risk. Scammers are going after victims a second time, pretending to be law enforcement trying to help recover your lost funds. Just awful.

KNOW THE RED FLAGS

Even if you think, “This could never happen to me,” read this list and store these tidbits away. They could save you someday.

  • Hey, that’s blurry: Deepfake videos are often in low resolution to hide glitches. If your internet connection is just fine and other videos are clear, move on.

  • What if the video quality is OK? Look for strange speech patterns, unnatural breathing, poorly synced audio and video, jerky body movements, and robotic-sounding dialogue.

  • Don’t click: They want to get you off social media and over to their website to plant malware. Solid antivirus software can spot malware tricks you can’t.

  • High pressure: If an ad says you can double your money by doing nothing, your scam radar should be going off!! No legitimate investment opportunity is urgent. When they pull out the pressure tactics, move on.

No matter the form, get-rich-quick schemes end one way: With less money and more regret than you started with. You have to be smart!

scams, IT, I.T., Social Media Deidre Frith

TOP 3 SCAMS TO RUIN YOUR HOLIDAYS

With more and more people engaging in online shopping during the holidays, the criminals are making it harder to spot a scam. Now, fake shipping notices, gift card scams, and online social media ads are just a few of the deceptive ways they are trying to ruin your holiday.

SCAM ONE: FAKE SHIPPING NOTICES

With more and more people engaging in online shopping, fake shipping notices can be increasingly difficult for consumers to identify. These deceptive messages often arrive through various channels, including text messages and emails, making them particularly aggravating and challenging to recognize. This type of scam is particularly effective during the holiday season when so many individuals are eagerly awaiting their deliveries. However, if you pay close attention and observe the details, you will notice that they all tend to follow the same predictable script. Here are signs of a fake shipping scam:

  • Generates a Sense of Urgency

    • Usually they will tell you your package is delayed (for some reason) and offer the opportunity to take care of it by clicking the link that they have helpfully included in their message. Here is an example (minus their scam website) I pulled off my phone: “U.S. Customs: You have a USPS parcel being cleared, due to the detection of an invalid zip code address, the parcel can not be cleared, the parcel is temporarily detained, please confirm the zip code address information in the link within 24 hours.”

  • Unsolicited Message

    • If you have ordered items for the holidays, you may worry that this text/email might be a legitimate notice of failed delivery. However, stop and do not click the link. Instead, check directly with the place you ordered the product from and check the shipping status with them. Don’t engage with the unsolicited message.

  • Threat of some “bad outcome” if you do nothing.

  • Putting a time limit, trying to force you to act quickly.

  • The web address is usually a random-looking one that doesn’t match the sender.

SCAM TWO: GIFT CARD SCAMS

This one is easy! Anyone emailing or texting you to buy gift cards and send them the numbers off the back of the card is scamming you. Guaranteed. More info from the FTC: https://consumer.ftc.gov/articles/avoiding-and-reporting-gift-card-scams

SCAM THREE: SOCIAL MEDIA ADS

Finally, my least favorite category of online content: the ever-popular misleading social media ads. We’ve all seen thousands of these ads to the point where I truly hope we’ve developed a certain immunity to their allure, but there must be people out there who are still clicking on these enticing offers. An honorable mention in this realm would certainly be Wish, Temu, and Shein. The only guarantees with these platforms seem to be that what you see in their advertisements is often not what you actually end up receiving.

FOR MORE INFORMATION ON SCAMS, VISIT THE FTC LINKS BELOW:

https://consumer.ftc.gov/consumer-alerts/2023/12/fake-shipping-notification-emails-and-text-messages-what-you-need-know-holiday-season

https://consumer.ftc.gov/articles/avoiding-and-reporting-gift-card-scams

I.T., cyber Deidre Frith

Are your Third-Party Vendors dangerous?

FROM THE DESK OF TODD SWARTZMAN, RealTime CISO

I had an informative call recently with a cyber insurance risk manager, and he mentioned that one of the primary drivers of the growing number of cyber insurance claims is what is known as contingent exposure. Contingent exposure refers to third-party risk. These are the potential risks that your own vendors (along with their various processes, staff members, and even their own vendors) may inadvertently introduce to your business simply because you are a customer or a partner of theirs.

Many of us have experienced the repercussions of this on the personal side because of the significant CDK and Change Healthcare data breaches that occurred this year. Let’s not forget the disruption caused by CrowdStrike, which resulted in delayed flights for several days. While these companies directly faced these serious issues, many of us ended up suffering from the fallout in terms of lost time, increased frustrations, and, in some cases, delayed payments related to insurance claims. All this reinforces the importance of carefully considering how your business can better manage its third-party risks.

HOW TO MANAGE THIRD-PARTY RISKS

Managing third-party risks can often be as straightforward as simply asking vendors if they have a robust cybersecurity plan in place, including comprehensive cyber insurance coverage. This practice not only helps in assessing the overall security posture of these vendors but also ensures that they are prepared for potential cyber incidents. Cyber insurance rates can be expected to rise this year due to the substantial claims that have been filed by Change Healthcare and CDK, highlighting the increasing financial pressures on the insurance industry in light of recent data breaches and security challenges.

FINAL THOUGHT.

Make sure your business has cyber insurance and make sure all of your third-party vendors have a cybersecurity plan/cyber insurance. It’s really that simple.

Deidre Frith

TELLTALE SIGNS OF A BEC ATTACK

The #1 way to avoid a business email compromise (BEC) is to stop and think every time you’re interacting with an email (or attachment).

It’s pretty easy to spot a BEC if you’re paying attention to the emails that you open.

Your first RED FLAG… is if you receive an email and it prompts you to sign in directly from a link within the email to an account you probably use frequently such as a:

  • Microsoft 365 account

  • Google Workspace

  • Dropbox

  • Salesforce (etc.)

THE 2ND RED FLAG…

The second red flag within the email is if it prompts you to take action such as one of the following:

  • Click the link;

  • Download “something”;

  • Listen to a voicemail;

  • Look at an Invoice, Refund, etc…

If you click the link, the BEC email will take you to a “login page” that looks almost identical to a ‘real’ login page.

STOP!

  1. Think about what just happened and why you would need to enter your email & password.

DID YOU CLICK THE LINK? OH NO. NOW WHAT SHOULD YOU DO?

  1. Check the URL in the address bar of the logon page that the email led you to. Is it the correct one for whatever you’re logging into?

  2. Check with your security officer, IT department or IT provider if you have the slightest unease that this could be a scam. They should be able to assist.

  3. Is this the type of thing you normally receive from this person? Maybe it’s ok, maybe not – if something doesn’t smell right, give them a call and verify if it’s legit.

These days, the number one strategy the bad guy uses is to try to get your username, password, and MFA approval through one of these fake logon pages, most commonly a fake Microsoft 365 login page.

REAL VS FAKE

  • Here is a real one, the address will start with: https://login.microsoftonline.com/

  • The fake one will start with something other than https://login.microsoftonline.com/. There are tens of thousands of fake login pages created on any given day.
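The real-versus-fake check above, as an added example that is not part of the original post: it compares the parsed hostname with the expected sign-in host, because an address can begin with the right text and still point somewhere else. The function names are hypothetical and the sample URLs are constructed, using reserved .example domains.

```python
from urllib.parse import urlsplit

EXPECTED_HOST = "login.microsoftonline.com"  # sign-in host named in the post

def naive_prefix_check(url):
    """Eyeball-style check: passes anything that merely begins like the real URL."""
    return url.lower().startswith("https://" + EXPECTED_HOST)

def check_login_url(url, expected_host=EXPECTED_HOST):
    """Return (ok, reason) based on the parsed host, not the visible prefix."""
    try:
        parts = urlsplit(url.strip())
        port = parts.port          # raises ValueError on a malformed port
    except ValueError:
        return False, "malformed URL"
    if parts.scheme != "https":
        return False, "not https"
    if parts.username is not None or parts.password is not None:
        # In https://name@host/ the browser connects to the part after '@'.
        return False, "userinfo before host"
    host = (parts.hostname or "").rstrip(".")
    if not host.isascii() or host.startswith("xn--") or ".xn--" in host:
        return False, "internationalized host"
    if host != expected_host:
        if expected_host in host:
            return False, "expected name embedded in a different host"
        return False, "different host"
    if port not in (None, 443):
        return False, "unexpected port"
    return True, "host matches"

# Constructed sample URLs (reserved .example domains), not taken from real campaigns.
SAMPLES = [
    "https://login.microsoftonline.com/common/oauth2/authorize",
    "https://login.microsoftonline.com.signin.example/",
    "https://login.microsoftonline.com@signin.example/",
    "http://login.microsoftonline.com/",
    "https://login.microsoft0nline.example/",
]

def triage(urls=SAMPLES):
    """Map each URL to (naive result, strict result, reason)."""
    return {u: (naive_prefix_check(u), *check_login_url(u)) for u in urls}

if __name__ == "__main__":
    for url, (naive, ok, reason) in triage().items():
        print(f"{'OK  ' if ok else 'FAIL'} naive={naive!s:5} {reason:45} {url}")
```

The second and third samples pass the prefix check but fail the host check, which is why the full host up to the first single slash has to match exactly.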

I hope this helps reduce your risk of an email compromise. Stay alert and think before you click on a link in any email!
