Flash Report: New Tax Fraud Scheme Leveraging Employee Identification Numbers

Key Findings

• On February 11, 2024, well-regarded Russian-speaking threat actor “Journalist” disclosed a method of leveraging the legitimate gocardless[.]com service to identify corporate employee identification numbers (EINs) to conduct tax fraud schemes against U.S. citizens, on the Russian-speaking community “Coockie Pro.”  

• Threat actors can use EINs to create fake tax documents such as the W2 form and raise tax refund claims.

• Journalist provided screenshots of the method in action, seeming to successfully obtain the EIN for a U.S.-based construction company.

• ZeroFox anticipates schemes of this nature will continue to propagate amongst financially-motivated actors ahead of the April 15, 2024 U.S. tax return deadline. Tax refund and related schemes surge on the deep and dark web (DDW) in the run up tax season in the U.S. year-on-year.

Details

On February 11, 2024, well-regarded Russian-speaking threat actor “Journalist” disclosed a method of leveraging legitimate fintech services to collect information required for performing tax refund scams against U.S. citizens, on the Russian-speaking community “Coockie Pro.” 

• The method involves leveraging an entity’s EIN to conduct tax fraud schemes. 
• Threat actors can use the EIN to create fake tax documents such as the W2 form–an Internal Revenue Service tax form used to report wages paid to employees–and raise tax refund claims.
• Journalist advised leveraging gocardless[.]com, a service offered by a financial technology company specializing in online payment solutions, to register an account for free in the name of a targeted company in order to obtain their EIN. 

Journalist provided screenshots of the method in action, seeming to successfully obtain the EIN for a U.S.-based construction company, confirming the EIN’s authenticity by verifying it against another unnamed source.

• Journalist alleges to have obtained the EIN prior to paying for GoCardless’ Pro Plan, circumventing any barriers to entry in providing a legitimate payment method that might disclose a threat actor’s identity.

Tax refund and related schemes surge on the DDW in the run up tax season in the U.S. year-on-year, with Russian-speaking threat actors seeking to leverage innovative methods for financial gain. Journalists’ method demonstrates how a legitimate fintech service can be leveraged for performing scams against US citizens. ZeroFox anticipates schemes of this nature will continue to propagate amongst financially-motivated actors ahead of the April 15, 2024 U.S. tax return deadline. 

Recommendations

• Conduct social engineering awareness training programs that educate staff on how to identify phishing attacks, emerging trends, and how personnel should report suspicious incidents.
• Ensure an organization-level system is in place that enables employees to report suspicious email communications, to bring awareness to ongoing campaigns and protect other users. 
• Configure email servers to block emails with malicious indicators with macros disabled by default, and deploy authentication protocols to prevent spoofed emails.
• Scrutinize emails, even if appearing to have originated inside the organization. Look for incorrect or unusual grammar, spelling mistakes, mismatched hyperlink URLs, and illegitimate sender addresses.
• Implement secure password policies with phishing-resistant multi-factor authentication, complex passwords, and unique credentials.
• Adopt a Zero-Trust cybersecurity posture based upon a principle of least privilege. 
• Implement network segmentation to separate resources. 
• Develop a clear and comprehensive incident response strategy consisting of business resilience and continuity plans—including third party services’ incident reporting procedures and key authorities.