2025 Tax Season Security Alert

Security Alert: Tax Season Brings Increased Risk of Credential Stuffing Attacks

During tax season, online filing platforms experience a surge in user activity, making them prime targets for credential stuffing attacks. Fraudsters leverage automated bots to test stolen username-password pairs at scale, exploiting weak security controls to gain unauthorized access to taxpayer accounts.  

A recent assessment by DataDome Advanced Threat Research of five major tax filing platforms found that while most employ bot mitigation solutions, critical gaps remain that allow attackers to conduct credential stuffing with minimal resistance. By strengthening defenses, tax platforms can disrupt automated credential stuffing attempts, preventing fraudsters from validating stolen credentials and gaining unauthorized access to user accounts.

Key findings

DataDome Advanced Threat Research evaluated account creation, login processes, and credential stuffing simulations using an open-source bot framework with default settings. The assessment uncovered the following vulnerabilities that make tax platforms susceptible to attacks:

  • 100% of tested sites allowed automated login attempts: Despite deploying bot mitigation tools, none of the tested sites effectively blocked automated login attempts. 
    • Basic defenses, such as IP-based blocking, were insufficient and could be bypassed using proxies or VPNs.
    • None of the tested websites implemented IP geo-restrictions, so attackers could launch attacks from abroad without routing through local IPs via proxies. This lowers their operational costs and makes large-scale attacks more feasible.
  • Insufficient challenge mechanisms: Only one platform required a reCAPTCHA challenge during login, allowing bots to submit login attempts with little friction on the remaining 80%.
  • Account enumeration risk: Attackers can determine if an account (email, phone, or username) exists based on differing website responses during login, password reset, or registration. One site reveals account existence during login without requiring a password, allowing attackers to validate accounts before credential stuffing attacks.
  • Susceptibility to credential stuffing attacks: Credential stuffing attacks were successfully simulated on every tested platform, highlighting the lack of advanced behavioral detection in existing defenses. 
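The credential-stuffing signature the findings describe (one source cycling through many different accounts with mostly failed logins) can be picked out of ordinary authentication logs. The following is an added illustration, not DataDome's detection logic; the log format and thresholds are assumptions, and the log lines are constructed.

```python
from collections import defaultdict

# Constructed sample login log: timestamp, source IP, username, outcome.
# One source cycles through many different usernames with mostly failures
# (the credential-stuffing pattern); the other is a real user retrying once.
SAMPLE_LOG = """\
2025-03-01T09:00:01 203.0.113.7 alice@example.com FAIL
2025-03-01T09:00:02 203.0.113.7 bob@example.com FAIL
2025-03-01T09:00:02 203.0.113.7 carol@example.com FAIL
2025-03-01T09:00:03 203.0.113.7 dave@example.com OK
2025-03-01T09:00:04 203.0.113.7 erin@example.com FAIL
2025-03-01T09:00:05 203.0.113.7 frank@example.com FAIL
2025-03-01T09:05:00 198.51.100.2 alice@example.com FAIL
2025-03-01T09:05:30 198.51.100.2 alice@example.com OK
"""


def parse_log(text):
    """Turn raw log lines into (timestamp, ip, user, outcome) tuples."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, ip, user, outcome = line.split()
        events.append((ts, ip, user, outcome))
    return events


def find_stuffing_sources(events, min_users=5, min_fail_ratio=0.6):
    """Flag sources that try many distinct accounts and mostly fail.

    A single user mistyping a password touches one account; a bot replaying
    a breached list touches many, so the distinct-account count is the key
    signal rather than raw attempt volume (assumed thresholds).
    """
    stats = defaultdict(lambda: {"attempts": 0, "failures": 0, "users": set()})
    for _ts, ip, user, outcome in events:
        s = stats[ip]
        s["attempts"] += 1
        s["failures"] += 1 if outcome != "OK" else 0
        s["users"].add(user)
    flagged = {}
    for ip, s in stats.items():
        ratio = s["failures"] / s["attempts"]
        if len(s["users"]) >= min_users and ratio >= min_fail_ratio:
            flagged[ip] = {"attempts": s["attempts"],
                           "distinct_users": len(s["users"]),
                           "fail_ratio": round(ratio, 2)}
    return flagged
```

The aggregation is keyed on source IP only for brevity; since the findings note that IP-based blocking is bypassed with proxies and VPNs, a production pipeline would key the same statistics on a session or device fingerprint as well.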

Security risks

Unchecked credential stuffing attacks can lead to:

  • Unauthorized access to tax accounts: Attackers testing stolen credentials can infiltrate user accounts and access sensitive financial and personal data.
  • Vulnerability to account takeovers (ATO): While full account takeovers may be limited due to MFA implementation, fraudsters could still cause disruption or identify accounts for further targeted attacks.
  • Erosion of platform trust: Users expect secure authentication processes, especially when dealing with highly sensitive information. Platforms that fail to implement effective defenses risk reputational damage and loss of customer confidence.

Recommendations for tax platforms

To mitigate the risk of large-scale credential stuffing attacks—and the significant financial risks they pose—tax platforms should strengthen their security posture by:

  1. Enhancing protection: Implementing multilayered, AI-driven cyberfraud protection to detect and block automated login attempts in real time.
  2. Strengthening adaptive authentication: Enhancing authentication methods for suspicious sessions by leveraging risk-based analysis and invisible challenges—applying additional verification steps only when necessary to disrupt malicious activity without impacting legitimate users.
  3. Preventing account enumeration: Masking account existence indicators to prevent attackers from confirming valid credentials before launching credential stuffing attacks.
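Masking account existence, as recommended above and flagged in the key findings, means that login and password-reset responses look the same whether or not the account exists. The example below is added here and is not DataDome's code or any platform's implementation; the in-memory user store, the hashing parameters and the mail queue are assumptions.

```python
import hashlib
import hmac
import os
import secrets


# Constructed in-memory user store (hypothetical): email -> (salt, PBKDF2 hash).
def _hash(password, salt):
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)


_SALT = os.urandom(16)
USERS = {"alice@example.com": (_SALT, _hash("correct horse battery", _SALT))}
# Dummy credential verified when the email is unknown, so both branches do the
# same amount of hashing work and response time does not reveal existence.
_DUMMY_SALT = os.urandom(16)
_DUMMY = (_DUMMY_SALT, _hash(secrets.token_hex(16), _DUMMY_SALT))
GENERIC = "Invalid email or password."
OUTBOX = []  # stands in for the mail queue


def login_leaky(email, password):
    """The enumeration-prone pattern: a different message per failure cause."""
    if email not in USERS:
        return "No account exists for that email."  # confirms non-existence
    salt, digest = USERS[email]
    if not hmac.compare_digest(_hash(password, salt), digest):
        return "Incorrect password."  # confirms the account exists
    return "OK"


def login_safe(email, password):
    """Same message and same work whether the account exists or not."""
    salt, digest = USERS.get(email, _DUMMY)
    matched = hmac.compare_digest(_hash(password, salt), digest)
    return "OK" if matched and email in USERS else GENERIC


def request_reset_safe(email):
    """Reset requests return a constant message; the only difference between
    the two cases (an email actually being queued) is not visible to the caller."""
    if email in USERS:
        OUTBOX.append((email, secrets.token_urlsafe(32)))
    return "If an account exists for that address, a reset link has been sent."
```

The same pattern applies to registration: answer every sign-up with a "check your email" message and, when the address is already registered, notify the existing account holder instead of reporting that the address is taken.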

Recommendations for filers

Filers using online tax filing platforms can take proactive steps to secure their accounts and personal data against credential stuffing attacks:

  1. Strengthen login security: Use unique, strong passwords and enable multi-factor authentication (MFA) to prevent unauthorized access, reducing the risk of account takeovers. Watch for account enumeration risks: if you receive an error message indicating that your email is incorrect or not registered, be cautious; attackers can use this information to identify valid accounts.
  2. Stay alert to suspicious activity: Enable notifications for login attempts, password changes, or other account modifications. Be wary of phishing attempts; fraudsters may send fake emails or messages pretending to be from tax platforms. Always log in directly from the official website rather than clicking on links in emails.
  3. Protect personal information: Use a secure, private network or a VPN when accessing your tax filing account to reduce the risk of interception. Ensure that your browser, antivirus, and operating system are updated to protect against security vulnerabilities. If possible, do not store credit card or banking information in tax platforms.

Conclusion

With tax platforms handling high volumes of sensitive data, securing authentication against credential stuffing is critical. Attackers can validate stolen credentials at scale with minimal friction, increasing the risk of fraud, refund theft, and unauthorized filing changes. Weak authentication controls also expose platforms to financial losses, reputational damage, and regulatory scrutiny.

By strengthening bot detection, adaptive authentication, and proactive monitoring, tax platforms can safeguard user accounts, reduce financial risk, and maintain trust in digital tax filing systems.
