Why Scammers Want Your Tax Returns (and how to stop them)

Hackers very often have to handle a lot of money, and keep it away from the authorities.

It’s almost here – April 18, tax day in the U.S. As businesses and employees prepare their tax returns, cybercriminals are once again ramping up efforts to steal this information, and they are getting more intelligent every year. 


How it works

Business Email Compromise (BEC) scams have been on the rise since 2016, and tax season brings another large uptick in their numbers, so much so that the IRS issued a warning to organizations about the high risk of these attacks.

BEC scams are simple in execution and are all focused on one thing – to compromise business email accounts in order to facilitate phishing scams to achieve unauthorized fund transfers to fraudulent accounts around the world. However, cybercriminals operating this particular type of scheme must perform a significant amount of research prior to attempting an attack on a target. It takes a firm understanding of the target company, how they operate, and even the interpersonal relationships of employees to effectively reach the desired outcome.

For BEC scams targeting tax refunds, scammers pose as the CEO and request employee payroll and W2 information from someone in finance or HR. If successful, this information is then used by the attackers to steal tax refunds from their intended recipients. Trend Micro recently published a report on West African cybercriminals who utilize this threat extensively.


What to do about it

To counter the threat, all individuals in a company with access to employee data should be notified of BEC threats, and reminded of the increased risk of attack during tax season. Also, employees need to be reminded that the types of information requested by cybercriminals should never be sent over email unless it’s encrypted.

To help inform yourself and your employees on the dangers of spoofing, the Department of Justice, the IRS and the Federal Bureau of Investigation (FBI) have provided example content of emails confirmed to have been fraudulent. Here are some things to watch for:

• Requests that discourage contacting the executive for confirmation.

• Emails containing the following language:

  • “Kindly send me the individual 2016 W-2 (PDF) and earnings summary of all W-2 of our company staff for a quick review.”
  • “Can you send me the updated list of employees with full details such as name, social security number, date of birth, home address and salary.”
  • “I want you to send me the list of W-2 copy of employees wage and tax statement for 2016, I need them in PDF file type, you can send it as an attachment. Kindly prepare the lists and email them to me asap.”

• Email communications allegedly from the IRS or other tax companies. The IRS has explained that it does not send unsolicited email, text messages or use social media to discuss personal tax issues. Therefore, if an employee of your organization receives an email or telephone call from someone claiming to be an IRS employee and demanding money, it may be helpful to consult the IRS Tax Scams/Consumer Alerts webpage: http://www.irs.gov/uac/Tax-Scams-Consumer-Alerts

Businesses should look into email security solutions that can identify and block socially engineered emails, in particular those that carry neither an attachment nor an embedded link. The tax scam emails typically contain nothing but text asking the employee to send employee PII data, so scanners that key on attachments and URLs alone see nothing to block.
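As an added illustration (not code from the original post or from any vendor product), here is a small Python scorer that applies the indicators listed above to a raw message: a request for employee PII, the “kindly”/“asap” urgency wording, text that discourages confirmation, a Reply-To outside the company domain, and the absence of any attachment or link. The indicator lists and the sample lure are constructed for the example and `example.com` is assumed to be the company’s own domain.

```python
import re
from email import message_from_string
from email.utils import parseaddr

# Constructed indicator lists, based on the fraudulent-email language quoted in the post.
PII_TERMS = ["w-2", "social security number", "earnings summary",
             "wage and tax statement", "date of birth", "home address", "salary"]
URGENCY_TERMS = ["kindly", "asap", "quick review", "urgent"]
NO_CONFIRM_TERMS = ["do not call", "don't call", "in a meeting", "cannot talk"]

def _body_text(msg):
    """Concatenate the decoded text/plain parts of a parsed message."""
    parts = [p for p in msg.walk() if p.get_content_type() == "text/plain"]
    return " ".join(p.get_payload(decode=True).decode("utf-8", "replace") for p in parts)

def bec_tax_scam_score(raw_message, internal_domain):
    """Score a raw RFC 5322 message for the BEC tax-scam pattern; one point per signal.
    Flagged when it asks for employee PII and at least two other signals fire."""
    msg = message_from_string(raw_message)
    body = _body_text(msg).lower()
    sender = parseaddr(msg.get("From", ""))[1].lower()
    reply_to = parseaddr(msg.get("Reply-To", ""))[1].lower() or sender
    has_attachment = any(p.get_filename() for p in msg.walk())
    has_link = bool(re.search(r"https?://", body))
    signals = {
        # Replies land outside the company even though the display name is the CEO's.
        "external_reply_to": not reply_to.endswith("@" + internal_domain),
        "pii_request": any(t in body for t in PII_TERMS),
        "urgency": any(t in body for t in URGENCY_TERMS),
        "discourages_confirmation": any(t in body for t in NO_CONFIRM_TERMS),
        # Neither attachment nor link, so attachment and URL scanners have nothing to inspect.
        "content_only": not has_attachment and not has_link,
    }
    score = sum(signals.values())
    return {"score": score, "signals": signals, "flag": signals["pii_request"] and score >= 3}

# Constructed sample lure modelled on the quoted wording (not a real message).
SAMPLE_LURE = """\
From: "Jane Doe" <ceo@example.com>
Reply-To: jane.doe.ceo@freemail.example
To: payroll@example.com
Subject: W-2 request

Kindly send me the individual 2016 W-2 (PDF) and earnings summary of all
W-2 of our company staff for a quick review. I am in a meeting, do not call.
"""

if __name__ == "__main__":
    print(bec_tax_scam_score(SAMPLE_LURE, "example.com"))
```

A hit on the scorer is a reason to route the message for human review and to confirm the request with the executive out of band, not a verdict on its own.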

Other options for protecting against BEC scams are:

Knowing that these threats use email as an attack vector, companies should strengthen employee education and invest smartly in advanced email protection. With these, the threat of BEC attacks can be greatly reduced.
