Cyber Threat Actor: Moneytree Phishing Scammers
| Actor Type | Location | Known Incidents |
Criminal
|
United States of America
|
1 incident |
|---|
Profile
Moneytree Phishing Scammers is the alias used to describe a threat actor operating from the United States of America. The actor is known for conducting phishing campaigns that specifically target payroll and tax‑related information, employing social engineering tactics that involve impersonating company leadership to deceive employees into divulging sensitive data. No public attribution links the actor to a state sponsor or a larger criminal consortium, and the available information does not describe any malware families or custom tooling associated with their operations.
The actor’s observed targeting focuses on businesses within the financial services sector, particularly payday lending firms, with activities confined to the United States. Their strategic objective appears to be financial gain, as the stolen W2 details, names, addresses, Social Security numbers, and birthdates are subsequently usable for identity theft and tax refund fraud. The initial access vector consistently reported is a phishing email that tricks an employee into revealing internal payroll information, and there is no indication that the actor deploys malware or exploits technical vulnerabilities beyond this social engineering approach.
A notable example of the actor’s activity occurred on March 4 2016, when a payday lending firm suffered a data breach after an employee fell for a phishing scam that mimicked executive correspondence. The breach exposed payroll data for current and former U.S. staff, though customer records and internal systems remained unaffected. In response, the firm notified affected individuals, offered financial assistance to cover credit‑freeze costs, and pledged to improve its security posture. This incident is cited as part of a broader trend of W2‑themed phishing schemes that increase during tax season, illustrating the actor’s repeatable focus on harvesting tax‑related personal data for fraudulent purposes.
