Anti-fraud measures by the Internal Revenue Service (IRS) and state agencies over the past two years have made tax refund scams harder for cyber criminals to pull off even as attacks targeting taxpayer information continue unabated.
So far this year, at least 124 organizations have disclosed incidents in which an office worker or payroll processor inadvertently leaked employee W-2 data after being conned by a phishing email purporting to be from the CEO or other senior company official.
The biggest so far is an incident at American Senior Communities in which W-2 data belonging to 17,000 employees was compromised after a payroll processor provided the information to an offshore scammer posing as a top company executive. ASC officials discovered the leak only after several employees complained of being unable to file their 2016 taxes because someone else had already filed them.
As with previous years, a majority of victims are school districts, a list maintained by Databreaches.net shows. But numerous businesses, healthcare organizations and government agencies have been hit as well. Some of the breaches, like the ones at Amalgamated Sugar and Autoneum North America, exposed W-2 data on more than 2,000 employees, while others were smaller in scope, affecting tens of employees.
In several cases, the attacks have involved sophisticated new phishing techniques, says Patrick Wheeler, director of threat intelligence at Proofpoint.
“We have seen a mix this year in terms of sophistication,” Wheeler says. “For example, we observed phishing templates that have been in circulation for years with only minor modifications. In other cases, we have seen actors using more sophisticated techniques we normally associate with Gmail, Dropbox, or PayPal phishing.”
Examples of these techniques include typosquatting or URL hijacking, JavaScript encryption, phishing templates attached to emails, extremely realistic phishing templates with stolen branding, and mobile support for uploading tax and identification documents.
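The executive-impersonation W-2 requests described above, and the typosquatted sender domains listed among the phishing techniques, can both be surfaced by a few header and content checks at the mail gateway. The Python below is an added example, not code from the article or from any of the vendors quoted in it; the organization domain, the executive list and the two sample messages are constructed for illustration.

```python
"""Heuristics for flagging W-2 / payroll data requests that impersonate an executive.

Flags raised on the From/Reply-To headers (identity anomalies) are kept separate
from the content check (does the message ask for W-2 or payroll data), so a
benign executive mail and an unrelated phish are not confused with a BEC W-2 request.
"""
import re
from email import message_from_string
from email.utils import parseaddr

ORG_DOMAIN = "example-corp.com"                       # hypothetical organization domain
EXECUTIVES = {"jane doe": "jane.doe@example-corp.com"}  # display name -> legitimate address
W2_PATTERN = re.compile(r"\b(w-?2s?|wage and tax statements?|payroll (records|data))\b", re.I)


def levenshtein(a, b):
    """Edit distance between two strings; used to spot lookalike domains."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def is_lookalike(domain, target=ORG_DOMAIN, max_distance=2):
    """True when a sender domain is within a couple of edits of the real one (e.g. a missing letter)."""
    domain, target = domain.lower(), target.lower()
    return domain != target and levenshtein(domain, target) <= max_distance


def _body_text(msg):
    if not msg.is_multipart():
        return msg.get_payload()
    parts = [p.get_payload(decode=True) or b"" for p in msg.walk()
             if p.get_content_type() == "text/plain"]
    return "\n".join(p.decode("utf-8", errors="replace") for p in parts)


def analyze(raw):
    """Return identity anomalies found in the headers and whether the content requests W-2 data."""
    msg = message_from_string(raw)
    display, addr = parseaddr(msg.get("From", ""))
    from_domain = addr.rpartition("@")[2].lower()
    flags = []
    if display.strip().lower() in EXECUTIVES and addr.lower() != EXECUTIVES[display.strip().lower()]:
        flags.append("display name matches an executive but the address does not")
    if is_lookalike(from_domain):
        flags.append(f"sender domain {from_domain} is a lookalike of {ORG_DOMAIN}")
    reply_to = parseaddr(msg.get("Reply-To", ""))[1]
    if reply_to and reply_to.rpartition("@")[2].lower() != from_domain:
        flags.append("Reply-To domain differs from From domain")
    text = msg.get("Subject", "") + "\n" + _body_text(msg)
    return {"identity_flags": flags, "requests_w2": bool(W2_PATTERN.search(text))}


def is_suspicious(raw):
    """A W-2 request combined with any sender-identity anomaly is held for review."""
    result = analyze(raw)
    return result["requests_w2"] and bool(result["identity_flags"])


# Constructed sample messages (not real mail).
SAMPLE_BEC = """From: Jane Doe <jane.doe@example-corp.co>
To: payroll@example-corp.com
Reply-To: jane.doe@mailbox-free.example
Subject: Urgent: W-2s for all employees

Hi, I need the 2016 W-2 copies for all staff in PDF before noon. Thanks, Jane
"""

SAMPLE_LEGIT = """From: Jane Doe <jane.doe@example-corp.com>
To: payroll@example-corp.com
Subject: Team lunch Friday

Lunch is on me Friday at noon.
"""

if __name__ == "__main__":
    for label, raw in (("BEC", SAMPLE_BEC), ("legit", SAMPLE_LEGIT)):
        print(label, analyze(raw), "suspicious:", is_suspicious(raw))
```

The edit-distance threshold is deliberately small: a distance of one or two catches dropped or swapped characters and a changed top-level domain without flagging every unrelated short domain. In production the executive list and organization domain would come from the directory, and a hit would route the message to a quarantine queue rather than simply printing.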
Looking beyond W-2 data
Another change that has begun emerging is the quest by hackers for taxpayer data that goes beyond what is contained in W-2 forms.
IRS anti-fraud measures, such as the recent introduction of a new 16-digit alphanumeric authentication code on W-2 forms, have made it harder for scammers to file fraudulent tax returns using only stolen W-2 data, says Adam Meyer, chief security strategist at SurfWatch Labs.
So information such as the Adjusted Gross Income (AGI) number from previous year tax returns, for instance, has become a valuable commodity to criminals, Meyer says.
Many tax-related forms have begun asking for that information and other data such as birth dates and driver’s license numbers as secondary authentication measures. “I think you are going to see a shift in cybercriminal tactics” as a result of these changes, Meyer predicts.
Shift in tactics
Increasingly, the focus for attackers will be to build more complete dossiers on individuals using data culled from different sources and via different phishing and social engineering lures.
Already, W-2 forms that include AGI and date of birth information sell at $50 per piece in the dark market, or five times the price of just a W-2 form alone. Expect to see more phishing and business email compromise attacks that target AGI and other authentication data, he says. Some attacks will be targeted at individual taxpayers, others at tax preparers, or organizations that require AGI information.
“If I had to put a forecast around it I would speculate that mortgage lenders would be a significant target as mortgage paperwork requires all the information to commit tax fraud,” Meyer says. Traditionally, the exchange of mortgage documents between lender and borrower is highly insecure and done in the clear over email, making it an easy target for attack.
Meanwhile, the IRS last week warned of a surge in last minute email scams targeting both taxpayers and tax professionals. “As the 2017 tax filing season winds down to the April 18 deadline, tax-related scams of various sorts are at their peak,” the IRS cautioned.
The IRS, working with state tax agencies and the tax industry, has implemented multiple changes for 2017 to reduce the risk of identity theft and tax refund fraud. But cybercriminals have evolved as well and are resorting to sophisticated scams to trick people into parting with private data, the agency said.
“For example, one new scam poses as taxpayers asking their tax preparer to make a last-minute change to their refund destination, often to a prepaid debit card,” it noted.
Slowing the rampage
Cautions over phishing and business email compromise scams targeting W-2 and other tax data come amid signs that IRS efforts to curtail tax refund fraud and identity theft are paying off.
IRS statistics show that the number of fraudulent tax returns that made it into the agency’s tax processing systems last year was nearly 50 percent lower than in 2015. Between January and September 2016 the agency blocked some 787,000 tax returns that had been fraudulently filed, preventing more than $4 billion in losses in the process.
In the same period a year before, about 1.2 million fraudulently filed returns representing over $7.2 billion in refund claims found their way to IRS processing systems before being blocked. In all, the total dollar amount of suspect refunds through September 2016 was $239 million, or almost $600 million lower than in 2015.
Phishing and other attacks targeting individual taxpayers also appear to have decreased significantly compared to last year, says Joseph Opacki, vice president of threat research at PhishLabs.
Over the past year, there has been a nearly 66 percent decrease in unique phishing domains targeting IRS and tax preparation firms combined and a 75 percent decrease in domains solely targeting the IRS, Opacki said.
A collaborative effort
The drop-offs appear to be the result of work that the IRS has been doing with the help of the tax industry and state tax agencies to curb fraud.
Starting this year for instance, all tax returns transmitted by tax preparation firms to the IRS contain 32 new data elements for authenticating taxpayer identity.
Tax agencies in nearly two-dozen states are working with financial services companies to create a system for flagging suspicious refunds before they get deposited into an account or prepaid card. In most cases, the changes will be all but invisible to taxpayers and presumably those attempting to file returns fraudulently on their behalf.
The 16-digit W-2 verification code—being tested on some 50 million W-2s this year—is another initiative designed to combat fraud, though some, like PhishLabs’ Opacki, are not confident about how useful this particular measure will be.
“Phishers can incorporate entry of the verification code into their phishing page, like we see done with security questions, PIN, or any other attempts at unique identifiers,” he says.