For everything there is a season and for tax scammers that time period are the months leading up to income tax filing day, April 18.
IBM's X-Force researchers noted in a report released today called Cybercrime Riding Tax Season Tides a 6,000 percent increase in the number of spam emails containing a specific form of tax form, such as W-2s, fraud between December 2016 and February 2017. At the same time the amount of spam that uses a generic tax themed message to entice the recipient into opening the email or attachment has also skyrocketed, with the number being pushed basically doubling every month starting in January.
The data that is mined or stolen during these scams can be used for many purposes. Sometimes the criminals want to cash in quickly and sell the data on the dark web, while in other cases they play a longer game filing false tax returns and waiting for the money to roll in from the federal government.
One of the most dangerous, and common, tax scams uses spearphishing attacks to try and pry employee W-2 tax forms from a company or organization. This entails sending to someone in human resources or payroll a fraudulent email pretending to be from a corporate executive. The exec asks the staffer for a download of all the worker's W-2 forms. Tax returns are then filed in the name of the workers. This scam netted cybercriminals $3.2 billion and caused headaches for countless people who had their tax refunds stolen.
Many of the scams spotted this year were also in play in 2016, but IBM's executive security adviser Limor Kessem noted there were some new twists being used this time around.
"Most of the scams we observed in the report did exist last year, but what was particularly interesting this time around is the focus of criminals on businesses. In general terms, there are less criminals that have the skills to attack a business. This year, we are seeing that even the less technically inclined are intent on stealing data and money from businesses, and if they lack technical knowledge, they fill the gap by social engineering and going after the lower hanging fruit," she told SC Media.
IBM found that a full, or Fullz in Dark Web jargon, tax record that not only contains W-2 and W-9 information, but also all other relevant personal information can bring $40 per record on the Dark Web.
The criminals also sell some data on an a la carte basis. IBM found a vendor selling tax payer return data, along with the victim's W-2 and 1040 forms for $30. However, if the buyer also wanted the person's adjusted gross income amount from the previous year's return, which the IRS uses to validate a new return, the purchaser needs to pay another $20.
Another batch of records found for sale contained a complete data kit to file a person's 2016 taxes for $50, and because these criminals understand how capitalism works they are willing to discount for bulk purchases offering to sell between 60 and 100 such records for just $15 each.
There is even an online university for wannabee tax fraud scammers. Online tutorials are offered for between $1 and $15.
All payment due in Bitcoin.
To obtain the data IBM found a variety of different techniques in play this year.
One scam simply uses the tax season as the bait for the phishing scam. Instead of stealing data these emails tell the recipient that their return has been processed and they are due a handsome refund, but to get it they must open the attachment and enable macros to run. At this point any one of a dozen different payloads can be dropped onto the person's computer, including ransomware.
While W-2 scams grab most of the headlines there are several IRS forms that can be exploited. Another type is the W-8BEN form for non-residents. This time around the bad guys are not looking for money, but data.
“Scammers are after non-U.S. residents in this case, aiming to phish victims' personal details and obtain copies of their passports in order to steal their identity and use it in different fraudulent scenarios,” IBM reported, adding the attachment in this case is a PDF requesting that a long list of personally identifiable information be filled in and returned.
Another methodology being used this year has the criminal sending out emails from a tax preparation software company, like TurboTax or Tax Act, in the hope that the victim has really used this software to prepare their taxes. In these cases the victim is asked to click on a link that leads to a fake site where the person is asked to input their account credentials, which are then used by cybercriminals to hijack the account.
The good news is these are easy to spot if the target takes the time to really read the email.
“Some emails using this ploy should be easier to identify because they come from domains entirely unrelated to the companies they aim to impersonate,” IBM said, “In other cases, the attackers did make the effort to register a dedicated domain resembling the name of the vendor they are impersonating.”