The IRS recently released an alert that warned tax professionals and taxpayers to be wary of last minute email scams. With April 18 looming, how concerned should individuals and businesses be by tax fraud?
On January 31, 2017, a report by Treasury Inspector General for Tax Administration’s “Results of the 2016 Filing Season” was published, demonstrating a reduction in the number of fraudulent tax returns identified between 2013 and 2015. Conversely, at the same time, the IRS reported a “400 percent surge in phishing and malware incidents in the 2016 tax season”, showing that cybercriminals continued tax related fraud activity. The number of identified fraudulent returns, therefore, was not indicative of the overall levels of tax fraud occurring.
The tax season represents a potentially lucrative time for cybercriminals. We have detected numerous instances of actors requesting and selling items pertaining to tax fraud across criminal sites: both on the open and dark web.
Although there is evidence of increased volume of phrases associated with tax fraud and evidence of tax fraud related items for sale on criminal sites, this must be placed into the context of increased user awareness and an expansion of IRS’s efforts to prevent fraudulent tax returns.
Assessing dark web and criminal chatter
In order to gauge the interest in tax fraud in 2017, Digital Shadows (now ReliaQuest) assessed mentions of keywords detected across known criminal and dark web sites. The frequency of these terms is shown in figures 1 and 2. The number of mentions in 2017 so far is already over 40 percent of the 2016 total.
Figure 1: Mentions of keywords associated with tax fraud detected by SearchLight (now ReliaQuest’s GreyMatter Digital Risk Protection) across dark web and criminal sites, distributed by year
Figure 2: Mentions of keywords associated with tax fraud detected by SearchLight (now ReliaQuest’s GreyMatter Digital Risk Protection) across dark web and criminal sites, distributed by the most popular phrases per year.
Items for sale on criminal and dark web sites
On February 16, 2017, the user ‘innermind’ on requested W2 forms in bulk on the AlphaBay forum. The user requested approximately 500 forms and was willing to pay $4 USD per form.
Figure 3: A post on AlphaBay from February 16, 2017
In another instance, a user named ‘Telepath’ on CrdClub offered, on loan application files from a mortgage lender’s database in California. The database contained tax forms such as W-2 information. The actor clearly references that you can use this for tax returns. He offered each set at $15 USD.
Figure 4: A post on CrdClub from September 2016
The user ‘mwenish’ on Carding Forum posted advert for “w2 fulls” on an unknown date. He offered each set for $5 USD with a bulk price of $100 USD for 30. The user received one response asking for more information.
Figure 5: A post offering tax refund full details on Carding Forum, Date unknown.
Figure 4 shows the vendor Medon on Hansa marketplace offering W-2 forms he claims were “fresh from company” on an unknown date. The listing showed 996 forms in stock at a price of $10 USD per item.
Figure 6: User selling W-2 forums on Hansa marketplace. Date unknown.
Conclusion
The tax season provides added opportunity for cybercriminals and it is no surprise that we have detected illicit items for sale. We have also observed a slight increase in the level of tax fraud terms in 2017. Organizations should be aware that personal information and employee tax forms hold great value for threat actors, with personal information commonly sold on criminal marketplaces.
However, this should be placed into the context of the IRS’s expansion of its processes to prevent fraudulent tax returns from entering the tax processing system and a greater emphasis on user awareness. In continuing to increase user awareness about phishing campaigns targeting this sort of information, individuals and businesses can better understand the risk posed during tax season. IRS provide some great resources for understanding the latest techniques used by attackers, which you can access here, or by following @irstaxpros on Twitter.