Virtual Event: Threat Detection and Incident Response Summit - Watch Sessions
Connect with us

Hi, what are you looking for?



Beware the Ides of April – Cybercriminals and Tax Season

Internet Tax Scams

Bad Actors Will do Whatever They Can to Take Advantage of the Lucrative Tax Season

Internet Tax Scams

Bad Actors Will do Whatever They Can to Take Advantage of the Lucrative Tax Season

Made famous by Shakespeare’s Julius Caesar, “Beware the Ides of March” was a message to Julius Caesar warning of his assassination on March 15. Although the consequences aren’t as dire, a similar warning is also in order for businesses and individuals in the U.S. around the Ides of April – the traditional tax filing deadline and, in recent years, a deadline for cybercriminals to profit from tax season.

This year the trend continues. There are numerous instances of bad actors requesting and selling items pertaining to tax fraud across criminal sites on the open and dark web. It has been reported that already at least 120,000 individuals have been affected by W-2 phishing incidents this year.

Analyzing keywords across known criminal and dark web sites, we see a 40% rise in mentions when compared to this same period in 2016. Words like “tax refund” and “W-2 form/info” are the most popular and on pace to eclipse the number of mentions last year. Consistent with this, the market for W-2 forms is alive and well with users willing to pay as much as $5 per form or receive a bulk discount, $100 for 30. W-2s marketed as “fresh from the company” command an even higher price at $10 each.

The potential for profit rises with more data. Cybercriminals claiming to have secured loan applications from a mortgage lender’s database are offering each application for $15. Not only does the buyer get W-2 information but other data that can make it easier to successfully file fraudulent tax returns.

In the face of the increased volume of phrases associated with tax fraud and evidence of tax fraud-related items for sale on criminal sites, user awareness is on the rise as are the IRS’s efforts to prevent fraudulent tax returns.

Earlier this year, the Treasury Inspector General for Tax Administration issued a report (PDF) on the results of the 2016 filing season. The report shows a continued decrease from 2013 – 2015 in the number of fraudulent tax refunds the IRS detects and stops, and attributes this to expansion of its processes to prevent such returns from entering the tax processing system to begin with. The IRS uses a variety of methods to detect and reject e-filed and paper tax returns:

Advertisement. Scroll to continue reading.

• Locking taxpayer accounts of deceased individuals

• Employing more than 180 identify theft filters to detect confirmed identity theft tax returns

• Limiting the number of direct deposit refunds that can be send to one bank account

• Screening tax returns filed using a prisoner’s social security number

However, these efforts haven’t dissuaded cybercriminals. The IRS reported a “400 percent surge in phishing and malware incidents in the 2016 tax season,” showing that cybercriminals continued tax-related fraud activity. And, as recently as March 17, the IRS issued a new warning about last-minute email scams.

But unlike Julius Caesar, who didn’t heed the warnings, there are plenty of ways businesses, taxpayers and tax preparation professionals can prevent themselves from falling victim to attacks. Individuals:

• Don’t click on unsolicited emails or attachments, no matter how “authentic” they may look.

• Change passwords frequently and never reuse corporate credentials for personal activity.

• Never give up sensitive data such as passwords, social security numbers and bank account or credit card numbers.

• Check for updates on the latest scams. The IRS website and twitter feed are great resources for this.

In addition to these best practices, businesses should:

• Implement an enterprise password management solution – not only for secure storage and sharing but also strong password creation and diversity.

• Proactively monitor for data dumps relevant to your organization.

• Implement multi-factor authentication for external facing corporate services like Microsoft Outlook Web Access, and Secure Sockets Layer Virtual Private Networks, as well as for software-as-a-service offerings like Google Applications, Office365 and, of course, for any tax preparation offerings you are using.

• Manage the use of privileged accounts and ensure the principal of least privilege is implemented not just for data but also for file, directory and network share permissions.

We all know cybercriminals aren’t easily discouraged and will go to great lengths to turn a profit. Individuals and businesses should stay informed of the breadth of attack techniques. For example, cybercriminals posing as taxpayers and requesting that tax preparers redirect deposits, or, conversely, posing as the IRS via texts and calls to further pressure and intimidate individuals to provide valuable data. Bad actors will do whatever they can to take advantage of this potentially lucrative season – so beware the Ides of April.

Written By

Click to comment

Daily Briefing Newsletter

Subscribe to the SecurityWeek Email Briefing to stay informed on the latest threats, trends, and technology, along with insightful columns from industry experts.

SecurityWeek’s Threat Detection and Incident Response Summit brings together security practitioners from around the world to share war stories on breaches, APT attacks and threat intelligence.


Securityweek’s CISO Forum will address issues and challenges that are top of mind for today’s security leaders and what the future looks like as chief defenders of the enterprise.


Expert Insights

Related Content


The changing nature of what we still generally call ransomware will continue through 2023, driven by three primary conditions.


Luxury retailer Neiman Marcus Group informed some customers last week that their online accounts had been breached by hackers.


As it evolves, web3 will contain and increase all the security issues of web2 – and perhaps add a few more.


A recently disclosed vBulletin vulnerability, which had a zero-day status for roughly two days last week, was exploited in a hacker attack targeting the...


Satellite TV giant Dish Network confirmed that a recent outage was the result of a cyberattack and admitted that data was stolen.


Zendesk is informing customers about a data breach that started with an SMS phishing campaign targeting the company’s employees.

Artificial Intelligence

The release of OpenAI’s ChatGPT in late 2022 has demonstrated the potential of AI for both good and bad.

Artificial Intelligence

The degree of danger that may be introduced when adversaries start to use AI as an effective weapon of attack rather than a tool...