It's that time of year again, when Americans rush to file income taxes with the U.S Internal Revenue Service (IRS) and hackers fill inboxes with tax-related spam and phishing email attacks. As the Tax Day 2017 filing deadline of Tuesday April 18 nears, IBM Security is warning of a spike in tax-related spam email and related fraud scams that aim to exploit unsuspecting tax filers.
IBM is out with a new report today titled, 'Cybercrime Riding Tax Season Tides: Trending Spam and Dark Web Findings' that details how attackers are ramping up their efforts ahead of Tax Day 2017. According to the report, IBM X-Force security researchers have tracked a 6,000 percent increase in tax-related spam emails from December 2016 to February 2017. A year ago ahead of Tax Day 2016, the IRS issued a warning of its own, about a 400 percent increase in phishing and malware incidents during that year's tax season.
Limor Kessem, Executive Security Advisor at IBM Security commented that so far in 2017, IBM has seen an increase in the sophistication of tax fraud. She added that this year is also the first year that IBM is seeing campaigns that are targeting businesses.
"Last year, consumer tax fraud was the most common illicit activity linked with compromised taxpayer information," Kessem told eWEEK. "This year, things are getting bigger and bolder."
IBM's research this year has found that beyond the usual consumer fraud, cyber-criminals are now also going after businesses to rob IRS W-2 form data for batches of employees at once. Kessem explained that the stolen W-2 data is being used by the criminals to file numerous fraudulent returns, or sold in dark web markets to other criminals. According to IBM, some criminals are selling taxpayer information for as little as $50 per record.
Kessem explained that historically, cybercriminals have been selling what they call 'fullz' data sets in the underground, including victims' payment card data, contact information and personally identifiable information like date of birth, mother's maiden name and these also sell for up to $50 on the dark web.
"The taxpayer datasets are priced similarly because they contain a wealth of information on the victim, often offering up their annual gross income (AGI) to allow the criminal to file a return without additional challenge," Kessem said.
There is also a connection between tax-related fraud attacks and the growing problem of Business Email Compromise (BEC) attacks. With a BEC attack, a hacker sends a fraudulent request for payment or information to a company, that appears to be legitimate. On March 21, the U.S Department of Justice announced that it has charged a single individual in connection with a BEC scam that resulted in the theft of $100 million from a pair of U.S corporations. Kessem said that cybercriminals are using BEC fraud to trick employees in the finance or HR departments into both sending taxpayer data to the criminals and compromising the company’s bank account or making them unwittingly wire money to the criminals.
Overall, Kessem noted that fraudsters have a variety of ways to get taxpayer information, depending on their technical skill levels. The lower end, but nonetheless dangerous breeds of criminals, use social engineering and BEC scams to lure employees into sending them bulk W-2 data in the guise of a request from a CEO or a CFO. She added that some criminals phish the data by taking over the accounts of victims that file via tax software vendors.
"The more technically inclined may breach a company’s infrastructure to steal data directly from their internal servers," Kessem said.
One trend that hasn't quite yet landed in the U.S yet is ransomware linked tax scams, though IBM has seen that in the U.K. Kessem said that that what IBM looked at for its' report is ransomware in tax-themed emails, finding Cerber malware in the UK.
"We did not find this specific case related to taxes in the US, but ransomware does use a plethora of ploys to get on American users’ endpoints, so it could be the case that some small campaigns of this nature did take place," Kessem said.