Bad Actors Will do Whatever They Can to Take Advantage of the Lucrative Tax Season
Made famous by Shakespeare’s Julius Caesar, “Beware the Ides of March” was a message to Julius Caesar warning of his assassination on March 15. Although the consequences aren’t as dire, a similar warning is also in order for businesses and individuals in the U.S. around the Ides of April – the traditional tax filing deadline and, in recent years, a deadline for cybercriminals to profit from tax season.
This year the trend continues. There are numerous instances of bad actors requesting and selling items pertaining to tax fraud across criminal sites on the open and dark web. It has been reported that already at least 120,000 individuals have been affected by W-2 phishing incidents this year.
Analyzing keywords across known criminal and dark web sites, we see a 40% rise in mentions when compared to this same period in 2016. Words like “tax refund” and “W-2 form/info” are the most popular and on pace to eclipse the number of mentions last year. Consistent with this, the market for W-2 forms is alive and well with users willing to pay as much as $5 per form or receive a bulk discount, $100 for 30. W-2s marketed as “fresh from the company” command an even higher price at $10 each.
The potential for profit rises with more data. Cybercriminals claiming to have secured loan applications from a mortgage lender’s database are offering each application for $15. Not only does the buyer get W-2 information but other data that can make it easier to successfully file fraudulent tax returns.
In the face of the increased volume of phrases associated with tax fraud and evidence of tax fraud-related items for sale on criminal sites, user awareness is on the rise as are the IRS’s efforts to prevent fraudulent tax returns.
Earlier this year, the Treasury Inspector General for Tax Administration issued a report (PDF) on the results of the 2016 filing season. The report shows a continued decrease from 2013 – 2015 in the number of fraudulent tax refunds the IRS detects and stops, and attributes this to expansion of its processes to prevent such returns from entering the tax processing system to begin with. The IRS uses a variety of methods to detect and reject e-filed and paper tax returns:
• Locking taxpayer accounts of deceased individuals
• Employing more than 180 identify theft filters to detect confirmed identity theft tax returns
• Limiting the number of direct deposit refunds that can be send to one bank account
• Screening tax returns filed using a prisoner’s social security number
However, these efforts haven’t dissuaded cybercriminals. The IRS reported a “400 percent surge in phishing and malware incidents in the 2016 tax season,” showing that cybercriminals continued tax-related fraud activity. And, as recently as March 17, the IRS issued a new warning about last-minute email scams.
But unlike Julius Caesar, who didn’t heed the warnings, there are plenty of ways businesses, taxpayers and tax preparation professionals can prevent themselves from falling victim to attacks. Individuals:
• Don’t click on unsolicited emails or attachments, no matter how “authentic” they may look.
• Change passwords frequently and never reuse corporate credentials for personal activity.
• Never give up sensitive data such as passwords, social security numbers and bank account or credit card numbers.
In addition to these best practices, businesses should:
• Implement an enterprise password management solution – not only for secure storage and sharing but also strong password creation and diversity.
• Proactively monitor for data dumps relevant to your organization.
• Implement multi-factor authentication for external facing corporate services like Microsoft Outlook Web Access, and Secure Sockets Layer Virtual Private Networks, as well as for software-as-a-service offerings like Google Applications, Office365 and, of course, for any tax preparation offerings you are using.
• Manage the use of privileged accounts and ensure the principal of least privilege is implemented not just for data but also for file, directory and network share permissions.
We all know cybercriminals aren’t easily discouraged and will go to great lengths to turn a profit. Individuals and businesses should stay informed of the breadth of attack techniques. For example, cybercriminals posing as taxpayers and requesting that tax preparers redirect deposits, or, conversely, posing as the IRS via texts and calls to further pressure and intimidate individuals to provide valuable data. Bad actors will do whatever they can to take advantage of this potentially lucrative season – so beware the Ides of April.