echoudhury77

W-2 Phishing Scam Targeting Tax Payers




With the 2021 tax season arriving, attackers are leveraging the event by trying to trick people into giving out login credentials.

Attackers are sending emails disguised to look like W-2 and tax return forms from Microsoft OneDrive to thousands of taxpayers across the US.

When the victim clicks on the fake document in the email, they are taken to a site that looks like a blurred-out W-2 form with a login prompt blocking it.

The attackers want the victim to input login credentials for Adobe or any other site, so that they can use the harvested credentials to log into other online accounts owned by the victim.

When the victim enters information into the password field, the page reports that the credentials were incorrect. After multiple failed attempts, it says "Identity can't be verified" and prevents the victim from entering any more credentials.

Allowing multiple failed login attempts is an effort to collect as many different email and password combinations from the victim as possible for reuse.

If the victim uses the same password for multiple other accounts on the internet, the attackers will use the harvested passwords to log in to those accounts.

Password reuse is a very common way attackers compromise accounts, so it is very important that you have a unique password for each of your online accounts.
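To make the reuse risk concrete, the following added example (not part of the original post) audits a credential list for shared passwords and reports which accounts are exposed once one or more passwords have been typed into a fake login prompt. The vault entries, site names and function names are constructed for illustration.

```python
import hashlib
import hmac
import secrets
from collections import defaultdict

# Constructed sample vault export (site, login, password); not real credentials.
VAULT = [
    ("adobe.example", "pat@example.com", "Spring2021!"),
    ("bank.example", "pat@example.com", "Spring2021!"),
    ("mail.example", "pat@example.com", "c0rrect-horse-battery"),
    ("shop.example", "pat", "Spring2021!"),
    ("tax.example", "pat@example.com", "Tr0ub4dor&3"),
    ("forum.example", "pat", "Tr0ub4dor&3"),
]

def fingerprint(key: bytes, password: str) -> bytes:
    # Keyed hash so the index never stores plaintext passwords.
    return hmac.new(key, password.encode("utf-8"), hashlib.sha256).digest()

def build_index(vault, key):
    """Map password fingerprint -> sorted list of sites using that password."""
    index = defaultdict(set)
    for site, _login, password in vault:
        index[fingerprint(key, password)].add(site)
    return {fp: sorted(sites) for fp, sites in index.items()}

def reused_groups(index):
    """Groups of sites that share one password (size > 1), largest first."""
    groups = [sites for sites in index.values() if len(sites) > 1]
    return sorted(groups, key=lambda g: (-len(g), g))

def exposed_accounts(index, key, typed_passwords):
    """Sites reachable with any password the victim typed into the fake form."""
    exposed = set()
    for password in typed_passwords:
        exposed.update(index.get(fingerprint(key, password), []))
    return sorted(exposed)

if __name__ == "__main__":
    key = secrets.token_bytes(32)  # per-run key; fingerprints are not persisted
    index = build_index(VAULT, key)
    print("reused:", reused_groups(index))
    # The fake prompt rejects every attempt, so the victim tries several passwords.
    print("exposed:", exposed_accounts(index, key, ["Spring2021!", "Tr0ub4dor&3"]))
```

Every site listed as exposed needs its password changed after such an incident, and each group of reused passwords should be replaced with unique ones.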


Using a password manager helps with managing your login credentials for multiple sites and makes it easier to have a strong and unique password for each login.


Some of the most recommended password managers are Dashlane (Paid), Bitwarden (Free) and 1Password (Paid).



