“I’m so excited to do my taxes this year!”…said nobody ever. Most Americans don’t enjoy doing their taxes and, according to a recent survey, less than half think they have enough to cover the money they expect to owe this year. It’s safe to say tax season is stressful. But there’s one group of people who love tax season: criminals ready to take advantage with tax scams.
Like clockwork, every year cybercriminals target companies and individuals with the intent of stealing information that can be used for financial crime, including (but not limited to) filing fraudulent tax returns. In fact, the problem is so widespread that the Internal Revenue Service (IRS) has been publishing its “Dirty Dozen” tax scams for the past nine years in an effort to help educate the public.
The most common scams – including phishing, smishing, and Business Email Compromise (BEC) – focus more on compromising people than technologies. Additionally, this is the time of year when we see an increase in the sale and marketing of previously compromised personally identifiable information (PII). We see this across cybercrime forums with the specific theme of encouraging tax fraud.
Phishing and Smishing Tax Scams
Adversaries most commonly use tax-related phishing and smishing campaigns to steal PII from individual taxpayers. In these instances, criminals take advantage of people who are already stressed or distracted by presenting something related to their taxes – an opportunity or a threat – that requires action. This can include information on how to file a tax return and where to get help doing so, a notice of money owed to the IRS, or (fake) good news of a windfall. Each of these themes is known to entice people to click on malicious links or hand over PII that is then used to compromise and victimize them.
Another equally dangerous phishing scam uses communications designed to steal a victim’s credentials for filing their tax return, either directly with the IRS or through a third-party tax preparation application. When successful, this gives the criminal direct access to the victim’s PII and past tax returns, as well as the current year’s return if it has not yet been processed; that pending return can then be edited so the refund is redirected to an account the criminal controls.
When receiving emails or text messages claiming to be from the IRS (or any organization focused on taxes, such as tax preparation companies), the best course of action is to assume the communication is fraudulent until its authenticity has been verified. Keep in mind that the IRS initiates contact with taxpayers by postal mail and does not send unsolicited emails or texts asking for personal or financial information. Verification means independently finding the contact information for the purported sender (IRS, tax preparation company, etc.) rather than trusting the contact details or links in the message itself, and reaching out through that channel to ask about the message received. People who think they have been targeted by phishing or smishing efforts related to their taxes can help combat these threats by notifying the IRS:
- Phishing: Email suspected instances of phishing to the IRS to [email protected]
- Smishing: Forward any suspected smishing text “as-is” to 202-552-1226
- In a separate text, forward the originating number to 202-552-1226
Business Email Compromise
According to the FBI, there were nearly 20,000 BEC complaints in 2021 that resulted in ~$2.4B in financial losses. For context, that means BEC was responsible for 48 times as much financial damage as ransomware – which is in the news almost daily – during the same reporting period. The reason BEC causes so much harm is that it’s relatively easy to execute and takes advantage of human interactions instead of weaknesses in technology. During tax season, BEC attacks focus on people within a target organization (including government agencies, educational institutions, and private companies) who have access to employee payroll information. In this type of BEC attack, criminals usually impersonate authoritative figures – such as C-level executives – and request employee tax information (typically W-2 forms) from someone with access to payroll or tax records while applying the pressure of a short deadline.
Another effective, but markedly different, theme is a request for tax records that is overly polite and framed as a routine administrative task, so that it appears unworthy of closer inspection. The absence of urgency is the point: the request is meant to be handled on autopilot.
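As an added example (not code from the original post or any vendor), the following Python script shows how the indicators described above translate into a simple mail triage rule: an executive’s display name on an external address, a Reply-To that points somewhere other than the From domain, a request for W-2 or payroll records, and deadline pressure. The protected names, internal domain, and the three sample messages are all constructed for the example. Note that the second sample, the polite “routine” request, is escalated even though it contains no urgency language, because a request for tax records from outside the organization is suspicious on its own.

```python
"""Heuristic triage for tax-season BEC / W-2 phishing (added example)."""
import email
import re
from email import policy
from email.utils import parseaddr

# Hypothetical organisation data; replace with a real directory export.
INTERNAL_DOMAINS = {"example.com"}
PROTECTED_NAMES = {"jane doe", "sam lee"}  # executives commonly impersonated

TAX_RECORD_RE = re.compile(
    r"\b(w-?2s?|1040|1120|ssn|social security|payroll|tax (?:records?|returns?|forms?))\b",
    re.I,
)
URGENCY_RE = re.compile(
    r"\b(urgent(?:ly)?|asap|immediately|right away|today|before (?:noon|eod|end of day))\b",
    re.I,
)


def _domain(addr: str) -> str:
    """Lower-cased domain part of an address, or '' if there is none."""
    return addr.rsplit("@", 1)[1].lower() if "@" in addr else ""


def triage(raw: bytes) -> dict:
    """Parse one RFC 5322 message and return its findings and a verdict."""
    msg = email.message_from_bytes(raw, policy=policy.default)
    from_name, from_addr = parseaddr(msg.get("From", ""))
    _, reply_addr = parseaddr(msg.get("Reply-To", ""))
    subject = msg.get("Subject", "")
    body_part = msg.get_body(preferencelist=("plain", "html"))
    text = body_part.get_content() if body_part is not None else ""
    haystack = f"{subject}\n{text}"

    from_dom = _domain(from_addr)
    external = from_dom not in INTERNAL_DOMAINS
    impersonation = from_name.strip().lower() in PROTECTED_NAMES and external
    reply_mismatch = bool(reply_addr) and _domain(reply_addr) != from_dom
    asks_for_records = bool(TAX_RECORD_RE.search(haystack))
    pressure = bool(URGENCY_RE.search(haystack))

    findings = []
    if impersonation:
        findings.append("executive display name on external address")
    if reply_mismatch:
        findings.append("Reply-To domain differs from From domain")
    if asks_for_records:
        findings.append("requests payroll or tax records")
    if pressure:
        findings.append("deadline pressure")

    # A records request from outside (or with a redirected reply path) is
    # escalated whether or not it is dressed up as urgent.
    if impersonation or (asks_for_records and (external or reply_mismatch)):
        verdict = "escalate"
    elif findings:
        verdict = "review"
    else:
        verdict = "allow"
    return {"from": from_addr, "findings": findings, "verdict": verdict}


# Constructed sample messages; none of these are real mail.
SAMPLES = {
    "impersonation": b"""From: Jane Doe <jane.doe@example-mail.net>
Reply-To: Jane Doe <jane.doe@example-mail.net>
To: payroll@example.com
Subject: W-2s needed today
Content-Type: text/plain; charset=utf-8

Hi, I need the W-2s for all employees ASAP for a board review. Please send
them as a PDF to this address before noon. Thanks, Jane
""",
    "polite": b"""From: Benefits Desk <benefits@example-partner.net>
To: payroll@example.com
Subject: Annual records request
Content-Type: text/plain; charset=utf-8

Hello, as part of our routine reconciliation, kindly send the 2023 W-2 forms
for your staff at your convenience. Many thanks for your help.
""",
    "benign": b"""From: Jane Doe <jane.doe@example.com>
To: payroll@example.com
Subject: All-hands reminder
Content-Type: text/plain; charset=utf-8

Reminder that the quarterly all-hands is Thursday at 3pm. See you there.
""",
}

if __name__ == "__main__":
    for label, raw in SAMPLES.items():
        result = triage(raw)
        print(f"{label:14} {result['verdict']:8} {result['findings']}")
```

In a real deployment the display-name check should use the directory rather than a hard-coded set, and the verdicts should feed a mail gateway quarantine or a SOAR playbook rather than stdout; the logic, however, is the same.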
Marketing on the Underground Economy
The last trend regarding criminals’ love of the tax season is how PII is marketed on criminal forums of the deep and dark web, where we see an annual first-quarter uptick in offerings related to tax season. In fact, as you are reading this, there are hundreds of advertisements for the sale of completed IRS forms for just a few dollars apiece. Do you want some W-2s that make it easy to steal someone’s identity? No problem! How about completed 1040 forms from previous tax years? You can buy them in bulk. Or, if you’re really industrious, you can purchase corporate tax returns (IRS form 1120) from previous years to commit fraud with greater financial value. All of these are so readily available that the cost is nominal when compared to the potential financial outcome for criminals.
Criminals in possession of these forms have the means to file false tax returns on behalf of corporations and individuals, as well as use the included PII for other forms of fraud and identity theft. For aspiring criminals looking to get into the fraud business but unsure of how to be successful, advice and guidance are also available at no additional charge.
What Can You Do to Avoid Tax Scams?
The best defense is to be proactive and to keep applying the rules that apply every day: be skeptical and vigilant about emails and text messages, don’t click on links from unexpected senders, and accept that if something sounds too good to be true it probably is. Beyond that, automated monitoring of the deep and dark web for evidence of exposed PII – and the tools to rapidly remove that content when discovered – is a strong weapon for reducing risk and preventing harm. Another action we can take is freezing our credit reports at Equifax, Experian, and TransUnion, which thwarts criminal efforts to open new fraudulent credit accounts in our names.
To reduce the threat of fraudulent tax returns in particular, filing your income tax return as early as possible is a simple countermeasure, because the IRS will accept only one e-filed return per Social Security number. If someone has already filed a fraudulent return with your Social Security number, the IRS will reject yours…but don’t panic. Immediately file IRS Form 14039 (Identity Theft Affidavit) so the IRS can begin the process of restoring your identity, and submit your legitimate return on paper along with it. You can also opt into the IRS Identity Protection PIN (IP PIN) program, which assigns a six-digit number that must accompany any return filed under your Social Security number, so that a fraudulent return without it is rejected before it is ever processed.