Tax Season is Prime Time for Business Email Compromise

February 15, 2018

Business Email Compromise (BEC) is somewhere north of a $5 billion annual global criminal enterprise, according to the FBI’s Internet Crime Complaint Center (IC3), dwarfing most other threats in terms of dollar losses, including ransomware and prolific banking malware such as GameOver Zeus. And right now, we’re in one of the criminals’ most lucrative periods on the calendar: tax season.

Like clockwork, BEC campaigns shift gears once January arrives, as fraudsters move away from solely targeting executives with the goal of committing wire fraud to include an expanded focus on stealing W2 information from organizations. W2s are a one-stop shop for those who sell and trade personally identifiable information (PII), and the ability to steal them at scale from an enterprise, tax-preparer or tax-processing company is a major coup for a criminal.

As Americans scramble to file tax returns, what works in the favor of defenders is that BEC remains a decidedly low-tech crime. For most of the year, the goal of these schemes is to commit wire fraud by impersonating an executive such as a CEO or chief financial officer. Through expansive social engineering, the fraudster learns who is responsible for authorizing a wire transfer and attempts to compromise their email account in order to authorize fraudulent transfers.

Now that we’ve hit tax season, BEC is also very much about W2s. An attacker who is able to spoof the email of a senior manager and order the targeted organization’s human resources department or payroll provider to send them all employees’ W2 forms in bulk has hit the jackpot. Left in their wake are hundreds of innocent employees who have phony tax returns filed on their behalf and refunds often issued to fraudsters rather than the rightful person, forcing victims to attempt to recover their refunds.

In 2016, the FBI warned organizations about a wave of PII theft in which emails purporting to be from business executives requested all employee W2 forms for tax or audit purposes. Email compromise, however, is only one part of the puzzle; fraudsters also require the assistance of a money mule who willingly or unknowingly helps in cashing out. Recruiting a mule usually starts with a convincing interaction over email, dating sites, or social networks, which can include enticing a potential victim romantically, or through phony lottery or real estate scams, for example.

Law enforcement, meanwhile, faces an uphill battle in trying to prosecute these crimes given that many originate outside the United States; attackers based in Western Africa have long been particularly adept at BEC. A May 2017 FBI alert pointed out that Asian banks in China and Hong Kong, as well as the United Kingdom, are landing spots for fraudulent funds. As of last May, the FBI was aware of more than 22,000 victims of BEC accounting for nearly $1.6 billion in losses.

New controls implemented by the Internal Revenue Service, the government agency responsible for tax collection, aim to make it more difficult for criminals to commit fraud. One such control, the Identity Protection PIN (IP PIN), has reduced the value of merely possessing fullz, or full packages of personally identifiable information. IP PINs are six-digit PINs assigned by the IRS to certain taxpayers in order to prevent misuse of their tax information. Fraudsters must now gather additional tax-specific information to pull off this type of fraud, researchers at Flashpoint said.

Flashpoint analysts said that criminals continue to advertise the availability of compromised tax forms and personal data culled from W2 and 1040 forms, sometimes selling it for less than $20 USD, a relatively low price that indicates serious competition among criminals. Analysts said tax preparers are attractive targets for attackers and are the source of many breaches. Attackers have adapted their tactics and are now also seeking access to compromised Remote Desktop Protocol (RDP) servers running tax processing software, both for the PII stored on the server and for the ability such access may afford to file fraudulent returns.

BEC, meanwhile, remains a primary means for obtaining this valuable data in a relatively short time frame, and tax organizations should remain vigilant of social engineering and resultant phishing attacks until the April 17 tax-filing deadline.