It’s the most wonderful time of the year! Tax season again. In a decision to assist US taxpayers navigating the ongoing COVID-19 pandemic, the IRS and Treasury Department postponed the April 15 tax filing deadline to May 17. The UK reached a similar conclusion, giving UK taxpayers an additional month to send in their tax returns, changing the deadline from January 31 to February 28, 2021. Despite the changes, you don’t need me to tell you to get your house in order and submit your returns in good time and through the correct channels. Cyber threat actors are again placing a high priority on using the tax season as a conduit for phishing campaigns, unemployment fraud, and other social engineering scams that are typically prevalent at this time of the year. 

Mentions of tax related keywords across criminal forums and marketplace listings from January 2020
Fig 1: Mentions of tax related keywords across criminal forums and marketplace listings from January 2020

The COVID-19 pandemic has also resulted in a significant economic fallout across the globe; unemployment levels have spiked dramatically, causing an increase in the number of fraudulent unemployment requests made by criminal actors. The spike in claims has coincided with the more typical tax fraud observed in the lead-up to the tax return deadlines. In late September and early October, the demonstrable spike shown on the graphic above likely represents an interest from threat actors targeting the October 15th tax extension deadline. In this blog, we will dive into the types of tax and unemployment fraud observed in 2021.

Stealing W2 Tax Forms

A frequent item that Digital Shadows (now ReliaQuest) identified on criminal markets was the W-2 Internal Revenue Service tax form, used in the United States to report wages paid to employees and the taxes withheld from them. Targeting W-2 forms has been previously identified as a common tactic for cybercriminal actors, who can quickly monetize the information contained within each form and sell it to third parties for identity and related financial fraud. In the image below, an actor requests bulk loads of stolen 2019 1040 IRS tax forms and 2020 W-2 forms, with the actor willing to pay between $10-35 for each form. This post appeared in a high-profile Russian cybercriminal forum on 20 Jan 2021.

Exploit user requesting stolen W-2 and 1040 tax forms
Exploit user (name redacted) requesting stolen W-2 and 1040 tax forms

Advertising rendering services

Other recent posts on Exploit highlight how and why these types of data can so quickly be monetized, with actors offering their services in identifying and advertising stolen data as well as manipulating the data to permit various scams. On 9 Mar 21, an actor announced their services with a post titled “scanlab.cc document rendering service”. Services like scanlab provide actors with the ability to create various forged documents, using scanned copies of credit cards, passports, driver’s licenses, utility bills, birth/death/marriage certificates, and diplomas. 

This assists other actors in verifying data and proving income. Answering identification and proof of income-related queries is a common hurdle actors will have to cross when making fraudulent claims, like unemployment and other financial scams.

Exploit user advertises services for document forgery service scanlab
Exploit user advertises services for document forgery service scanlab

Defrauding Unemployment Benefits 

Unemployment benefits fraud involves criminal actors filing fraudulent benefit claims from the government, hoping to receive regular monetary payments. This scheme typically uses stolen details of real people or creates fake identities to claim cashback from government programs. These claims require a name, social security number or national insurance number, employment dates, proof of income from previous employment, and a job title. Digital Shadows (now ReliaQuest) have previously highlighted the risk from this type of fraud on our blog covering the COVID-19 threat landscape.

The scam is conducted due to background checks being insufficient and anticipating that employers approve the government’s unemployment notifications without checking the details are correct. Overwhelmed by hundreds of thousands of new claims, state and regional unemployment agencies don’t have the time to verify the claims’ accuracy properly. 

Once approved, criminal actors divert the funds by picking up the payment card from the mailbox, with the victim unaware of what has happened. Reporting in October 2020 identified that the number of victims reporting this activity has risen to 150% in some US states when compared to 2019. The ability to file claims virtually during the pandemic has enabled threat actors from any location to file unemployment claims. This activity has been observed throughout the entirety of the US and is depicted by the figure below.

Fig 2: Unemployment insurance payouts accuracy by State
Fig 2: Unemployment insurance payouts accuracy by State (Source: U.S Dept of Labor)

Targeting executives in unemployment schemes

One trend Digital Shadows (now ReliaQuest) observed in the past year was unemployment claims being targeted against executives; corporate executives are a promising target for scammers seeking to siphon billions of dollars in unemployment payments. One reason for the prevalence of these scams is due to the troves of personal information on executives that is easily identifiable in the public domain. 

Corporate websites often contain sensitive information on executives, facilitating further social engineering scams to reveal an insurance number or social security number. There is also a secondary impact to the executives’ business, with the affiliation to their brand causing reputational risk. Digital Shadows (now ReliaQuest) can assist in identifying and remediating exposures on individuals’ digital footprint through bespoke reporting. 

Implications for organizations and security practitioners

The various types of tax and benefit-related fraud highlight the ease in which threat actors can quickly monetize and exploit stolen personal and financial information. This trend will almost certainly continue to factor heavily on the threat landscape for 2021, with the COVID-19 pandemic providing actors with ample opportunity to commit fraud. Detection of these issues currently appears to be insufficient, and as a result, will likely incentivize additional actors to make similar claims. 

Basic cyber hygiene can assist in lowering the risk from many tax-related scams targeting individuals. Taxpayers should remain vigilant for phishing and other social engineering scams that leverage tax deadlines as a hook—these often impersonate the IRS (In the United States) or HMRC (in the United Kingdom). These scams typically use timeliness or fear to coerce recipients to interact with links or input details and can often be identified through errors within the email; incorrect branding within such emails, spelling mistakes, and other minute details can indicate an illegitimate request. If something doesn’t seem right, it usually isn’t. 

A robust approach to password management can also lower the possibility of identity theft and fraud. Users should use solid and single-use passwords, avoiding using corporate email addresses to sign up for personal websites, and use a password manager to assist in auditing password usage. If you think you or your company has been targeted by tax-related fraud, US citizens can report using steps identified by the IRS on the following website. In the UK, taxpayers can use the following service from the HRMC.

For protecting your organization against phishing scams, executive impersonation, or data exposure across the open, deep, and dark web, you can refer to our blog, The Complete Guide to Online Brand Protection. Ready to take proactive action on such scams and potential data loss? Get a 7 Day Test Drive of SearchLight (now ReliaQuest’s GreyMatter Digital Risk Protection) here.