    Targeting Accounting Firms with the RAT Tax Scam

    Cybercriminals exploit tax season to prey on accountants through sophisticated email scams

    by Samantha Clarke

    Key Points

    • According to Mimecast threat intelligence, advanced malware delivery methods that abuse mega.nz, ScreenConnect, and email service providers (ESPs) such as Sendgrid are used to circumvent traditional security controls during the U.S. tax deadline season.
    • Accountants are prime targets for cybercriminals during the American tax season. They face social engineering attacks combined with remote access trojans, known collectively as the RAT tax scam, which rely on the fatigue and overload typical of this busy period.
    • Mimecast’s threat researchers uncovered RAT tax scams and traced how cybercriminals reach a victim. In the second half of February 2025, accounting firms were heavily targeted with tax-related social engineering emails.

    During tax season, accounting firms, which are often hectic and overloaded with work, become prime targets for cyberattacks. One of the more insidious schemes is the RAT (Remote Access Trojan) tax scam, which leverages social engineering and malware to steal critical credentials and sensitive client data. Keep reading to unpack the mechanics of the RAT tax scam, examine the techniques attackers use, and get tips to defend against such threats.

    What is the RAT Tax Scam? 

    Remote Access Trojans (RATs) are malware programs that, once downloaded and run, allow an attacker to take over a victim’s device. With that control, the attacker can monitor activity in real time, log keystrokes, and capture screenshots. The end goal is access to sensitive accounts or client data.

    What makes RATs particularly dangerous is their stealthy nature. Once active, they operate in the background, often undetected by the user.

    Why Accountants are Prime Targets

    During tax season, accounting firms often generate a significant portion of their annual revenue, while simultaneously managing an influx of both regular filings and new clients seeking assistance. Unfortunately, this stress-filled period offers a window of opportunity for cybercriminals, who rely on the distractions typical of tax season to launch attacks.

    Accountants are attractive targets because of their access to both financial systems and PII (Personally Identifiable Information). From small CPA firms to multinational accounting corporations, the rewards for cybercriminals are immense. 

    Compounding the risk is that tax season often involves generating new business, making accountants more inclined to trust seemingly legitimate inquiries from potential clients. That makes a routine client inquiry feel timely and normal rather than suspicious.

    How the RAT Tax Scam Works 

    The RAT tax scam usually unfolds in stages, starting with a harmless-looking inquiry and ending in malware delivery and data theft. Understanding that sequence helps show how attackers gain access to credentials, client files, and other personal information that can later be used for identity theft or broader financial abuse.

    Step 1: The Bait Email 

    Threat actors begin by researching accountants and finding their email addresses through public sources or breached databases. Armed with this information, they send an initial inquiry email that appears legitimate, typically posing as a potential client. 

    For instance, a scammer might claim their usual accountant has retired and that they urgently need assistance filing taxes. The email includes no malicious links or attachments, making it appear harmless and bypassing mail security filters. 

    The threat actor is intentionally avoiding the usual traits of a phishing email at this stage. By keeping the first message clean and low-friction, the attacker reduces suspicion and makes the inquiry easier to trust.

    Example from a Current Campaign Mimecast Stopped:

    In the second half of February 2025, Mimecast detected a significant uptick in social engineering targeting accounting firms. 

    Scammers usually hold back the payload for later emails. In the first message they merely offer to send previous tax documents in follow-up correspondence; at this stage they are primarily testing how receptive the accountant is.

    Step 2: Hooking the Target 

    Accountants, eager to capitalize on a new client during their busiest period, often respond promptly. At this point, they’ve been “hooked”—the attacker now has their trust. 

    Because the first email did not trigger obvious red flags, the accountant may quickly let their guard down and treat the sender like a legitimate prospective client. In some cases, the accountant may even invite the sender to forward tax documents or other supporting files by email.

    Step 3: The Malicious Follow-Up 

    The threat actor sends a second email claiming to include the promised documentation (e.g., previous tax returns or IDs). Embedded within the second email is a malicious file with a deceiving filename like “ClientTaxDocument.pdf.exe.” 

    The file might instead be delivered through a shared hosting site, such as mega.nz, which further obscures its purpose. Attacks like this rely on files that appear to be ordinary scanned documents or tax records. The goal is to make the follow-up feel like a natural continuation of the earlier conversation rather than a sudden shift in risk.

    When downloaded and opened, the file installs remote access software such as ScreenConnect, a legitimate tool that, in the attacker’s hands, provides remote control over the victim’s device.

    A Deceptive Setup 

    One variation of this attack even includes a fabricated recording of the victim’s supposed "previous accountant." This level of social engineering creates the illusion of legitimacy, luring unsuspecting users into enabling the malware. 

    Step 4: Remote Access and Data Breach 

    Once the RAT is active, the attacker begins harvesting data. In practical terms, that can happen within seconds of the file being opened or the malicious link being triggered. From there, the attacker may be able to watch the victim’s activity in real time as they enter passwords, open systems, and work with client records.

    This can include login credentials, client PII (e.g., Social Security numbers, financial records), and even the accountant’s system access codes.

    That exposure can also extend to home addresses, phone numbers, and other personal client details handled during tax preparation. For accounting firms, that makes the breach especially damaging because one compromised device can expose both firm access and highly sensitive client information.

    The fallout from a successful RAT tax scam can be catastrophic. Stolen credentials allow hackers to infiltrate organizations, disrupt operations, and compromise client data. For attackers, these credentials can also unlock sensitive bank accounts, client databases, and financial systems. 

    The Role of Modern Phishing Campaigns 

    It’s worth noting that 2025 has brought more sophisticated phishing campaigns delivered through trusted email service providers (ESPs) like Sendgrid. Using legitimate ESPs further masks the malicious intent of these emails. 

    This underscores the need for accountants to double-check the sources of files shared via email and exercise due diligence while onboarding new clients digitally. 

    Defensive Strategies Against RAT Attacks 

    Because this scam combines social engineering, malware, and timing, defending against it requires more than one control. Accounting firms need system-level safeguards to reduce exposure during tax season and better protect both taxpayers and the firm from tax fraud.

    1. Educate your team 

    Cybersecurity training is paramount, especially during high-risk seasons like tax time. Teach employees how to spot phishing scams and verify client identities via phone or other methods before clicking on suspicious links or downloading files. 

    2. Implement strong email security 

    Deploy solutions that can detect phishing attempts even when no malicious link or attachment is present. Email authentication protocols such as DKIM (DomainKeys Identified Mail) and SPF (Sender Policy Framework) help reduce domain spoofing. It is equally important to use solutions that can identify business email compromise (BEC) messages and stop them before delivery, so the recipient never has the chance to engage.

    3. Be wary of file extensions 

    Encourage your team to inspect file extensions before opening attachments. Files ending in “.exe” are executable programs and should raise immediate red flags unless verified through trusted sources. Note that Windows hides known file extensions by default, so a file named “ClientTaxDocument.pdf.exe” can be displayed simply as “ClientTaxDocument.pdf”; enabling the display of file extensions on staff workstations makes this check possible in the first place.
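    As an added illustration (this is example code, not Mimecast’s product logic or anything from the article), the following Python routine applies the extension check described here to a follow-up message and also flags links to the file-sharing host the article mentions. The sample attachment names and message body are constructed, and the mega.nz URL is a placeholder.

```python
import re
from urllib.parse import urlparse

# Extensions that execute when double-clicked on a typical workstation.
EXECUTABLE_EXTS = {"exe", "scr", "com", "pif", "bat", "cmd", "js", "jse",
                   "vbs", "vbe", "wsf", "hta", "msi", "ps1", "lnk"}
# Extensions a prospective client would plausibly use for tax paperwork.
DOCUMENT_EXTS = {"pdf", "doc", "docx", "xls", "xlsx", "jpg", "jpeg", "png"}
# File-sharing host named in the article; extend with hosts your firm does not use.
FILE_SHARING_HOSTS = {"mega.nz"}

def attachment_findings(filename: str) -> list[str]:
    """Reasons an attachment name should be held for review (empty list = nothing found)."""
    findings = []
    parts = filename.strip().lower().split(".")
    if len(parts) < 2:
        return findings            # no extension; leave to content-type inspection
    final_ext, inner_exts = parts[-1], parts[1:-1]
    if final_ext in EXECUTABLE_EXTS:
        findings.append(f"{filename}: executable extension .{final_ext}")
        # "ClientTaxDocument.pdf.exe": a document extension sits in front of the real one.
        if DOCUMENT_EXTS & set(inner_exts):
            findings.append(f"{filename}: document extension used as disguise")
    return findings

def link_findings(body: str) -> list[str]:
    """Flag links to file-sharing hosts that stand in for a direct attachment."""
    findings = []
    for url in re.findall(r"https?://[^\s<>\"']+", body):
        host = urlparse(url).hostname or ""
        if host in FILE_SHARING_HOSTS or host.endswith(tuple("." + h for h in FILE_SHARING_HOSTS)):
            findings.append(f"link to file-sharing host {host}")
    return findings

def triage_followup(attachments: list[str], body: str) -> dict:
    """Combine both checks; 'hold' means route to a human before the recipient sees it."""
    findings = [f for name in attachments for f in attachment_findings(name)]
    findings += link_findings(body)
    return {"hold": bool(findings), "findings": findings}

if __name__ == "__main__":
    # Constructed sample follow-up modelled on the article's description.
    sample_attachments = ["2023_Return.pdf", "ClientTaxDocument.pdf.exe"]
    sample_body = ("Thanks for taking me on. My prior returns are here: "
                   "https://mega.nz/file/EXAMPLE-PLACEHOLDER")
    print(triage_followup(sample_attachments, sample_body))
```

    A held message is not proof of an attack; the point is to force the out-of-band verification step described above before anyone opens the file.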

    4. Limit remote access tools 

    Many cybercriminals exploit legitimate tools like ScreenConnect to gain access to devices. Restrict these types of programs and only authorize their use through approved IT protocols. 

    5. Conduct regular system audits 

    Closely audit network systems for unusual activity during tax season. Suspicious network traffic or sudden changes in file behavior should trigger immediate investigations. 

    6. Ensure data backups are secure 

    Back up all client files and sensitive data frequently, storing the copies in secure, offline locations. This keeps the firm resilient if a ransomware attack follows the initial compromise.

    7. Use endpoint protection software 

    Advanced endpoint detection and response (EDR) solutions can identify malicious activities like RATs before they cause significant harm.

    The Takeaway

    The RAT tax scam exemplifies the growing sophistication of cyber threats targeting accounting firms. Capitalizing on the chaos of tax season, attackers use social engineering and malware to infiltrate firms, steal valuable data, and disrupt operations.

    To counteract these threats, accounting firms must prioritize cyber resilience, adopting robust email security measures, implementing employee cybersecurity awareness programs, and maintaining vigilant practices during high-risk periods. 

    By staying one step ahead, your firm can ensure that while tax season remains busy, hackers are kept firmly at bay. 
