Your Data, Their Gain: How Threat Actors Leverage Tax Season to Commit Fraud

In 2020, the IRS identified over US$2.3 billion in tax fraud schemes, including tax return fraud. And in 2021, we identified 113 breaches which resulted in more than 69 million exposed records, including tax information, documents, and other sensitive data; this year, we’ve already identified 15 breaches and 3 million exposed records. This number is certain to grow.

While tax return fraud is an issue throughout the year, it is, of course, most prevalent during tax season. Around the time when winter turns to spring, threat actors pursue W2 and other tax-related forms, which are chock-full of personally identifiable information (PII) and may provide them with the data they need to commit tax fraud, among other illegal activities.

It is vital to prepare for, preempt, and ultimately prevent attacks that can lead to various kinds of tax fraud. In this article, we:

• Explain how threat actors leverage tax season for profit by executing a variety of TTPs
• Detail the emerging risk apertures that fraudsters seek to exploit
• Outline best practices to prevent attacks, keep your data safe, and mitigate risk

Tax return fraud

Also referred to as stolen identity refund fraud (SIRF), tax return fraud occurs when a return is filed under someone else’s identity. Threat actors accomplish tax return fraud through the use of stolen personal information, which is leveraged to file tax returns under another individual’s identity. Threat actors targeting tax return fraud typically file electronic returns as early as possible in the tax season in order to claim refunds before the legitimate filer. 

Sourcing stolen identities

To prepare for this scheme, fraudsters build up information on their victim through collecting tax documents, Social Security numbers (SSNs), full names, addresses, credit reports, and other personal information. Identities used for fraudulent returns can be sourced from a number of places including data breaches, phishing campaigns, spear-phishing scams targeting tax professionals, and Remote Desktop Protocol (RDP) accesses. Fraudsters can target both individuals and tax preparation services, building up “fullz” (slang for “full package of personally identifiable information”) to file returns en-masse, or attempting to gain access to personal information and tax software accessible by tax preparers. 

Using “fullz”

Threat actors will either purchase “fullz” on an illicit marketplace, or otherwise identify a victim and aggregate additional personal information like full names, addresses, phone numbers, employment, education, and Social Security Numbers. This information can be gleaned from publicly accessible background check tools, social media profiles, data breaches, and phishing attacks. 

Once a victim is identified, the fraudster can then begin the filing process—again, the earlier in the tax season the better. Some fraudsters do so with the help of stolen tax documents, although many manually calculate figures using the IRS’s tax withholding estimator to create their desired refund amount and avoid incorrect calculations. 

Many fraudsters work within the underground economy of illicit forums and marketplace to form “partnerships”; trading information and sharing resources to help gather fullz, file correctly, and cash out successfully. 

Threat actors may also target RDP (Remote Desktop Protocol) accesses to PCs with access to tax preparation software. These accesses allow fraudsters to file on legitimate and registered tax software, helping falsely filed returns avoid additional scrutiny. 

Filing with the help of automated software

Automated filing software, observed in multiple online forums and illicit chat services, helps fraudsters file hundreds of fraudulent returns en-masse. Threat actors input fullz information into the program, where it automatically fills out tax returns with the victim’s information. While fraudsters must manually complete email and CAPTCHA verifications, threat actors claim such programs can submit up to 1,000 returns in an hour.

Threat actors appear to primarily target the IRS’s FreeFile system with this tactic, though Flashpoint has observed other tax services targeted with similar software. While this method appears to have relatively low rates of acceptance and successful cash out, analysts assess that threat actors will continue to target tax services with similar tactics.

Taking advantage of the IRS’s backlog

The unique landscape brought about by the COVID-19 pandemic has also created increased opportunities for stolen identity refund fraud. The third round of Economic Impact Payments (EIP), (advance payments of the 2021 Recovery Rebate Credit) can be claimed on a 2021 tax return as a tax credit. The third installment of EIPs, worth US$1,400, is an attractive target for threat actors in the 2021 tax season. Unclaimed stimulus checks are relatively easy for fraudsters to claim, especially from victims who recently turned 18, or other filers who did not previously qualify for the Economic Impact Payments. 

Discrepancies involving claims for the Recovery Rebate Credit also contributed to the IRS’s backlog of unprocessed returns, which has created additional opportunities for fraudsters to commit tax return fraud. As of December 2021, the IRS reported that 35.3 million returns still await manual processing from the 2020 tax season. This backlog enables fraudsters to take advantage of unfinalized Adjusted Gross Income (AGI) figures—a figure from the previous year’s tax return used by filers to verify their identity. Unfinalized returns do not have an accurate AGI figure, meaning that fraudsters do not need to verify that information to file a return.

Social Engineering and Business Email Compromise (BEC)

Threat actors and threat actor groups leverage social engineering tactics, like phishing or voice phishing (vishing) in order to trick human resource departments to disclose employee PII—in the form of W2s. In some instances, the actor could pretend to be a CEO or director requesting employee data for tax filing or auditing purposes. In 2018, the FBI warned of tax season-related W2 phishing scams. 

Threat actors consistently target organizations using business email compromise (BEC) and other fraud schemes that attack executives to access confidential data. BEC accounted for an adjusted loss of $1.8 billion in 2020, according to the FBI’s Internet Crime Complaint Center’s annual Internet Crime Report. During tax season, BEC is often used to trick employees into sending PII to individuals pretending to be company executives or other trusted parties, including W2 and other tax forms.

How do threat actors make money from tax fraud?

Stolen identity refund fraudsters who successfully file an accepted tax return will then attempt to cash out their refunds. While some fraudsters may attempt to create bank accounts under their victim’s name for cash out, prepaid cards offered by some tax preparation services are considered an easy way to receive funds. 

“Cashout” services are also offered by threat actors in illicit forums and marketplaces, wherein fraudsters will launder tax refund payments within the automated clearing house (ACH) network to cash out illicit funds. They can act as recipient accounts for transactions of compromised funds from electronic payment systems with stolen credit cards linked to them. 

Threat actors may also attempt to launder funds into cryptocurrency. The decentralized nature of peer-to-peer cryptocurrency exchanges is highly attractive to actors seeking to launder funds. Although these services are legitimate, the accountability and transparency adhered to by a number of larger centralized exchanges is not mandated, and they therefore challenge law enforcement efforts to track potential cases of abuse. 

Emerging risk apertures

Third-party risk

Frauders will likely employ tried and true methods of business email compromise, buying and selling of fullz, and offering tax fraud-related services as they generally require little technical acumen or sophistication. 

The identity theft fraud landscape has grown due to the use of third-party vendors along the software supply chain, like cloud service providers, who introduce a host of new risk apertures into the tax fraud space. Fraudsters may target cloud resources storing personally identifiable information that could be used to file for fraudulent tax returns.  They could also target resources that directly store tax documents or information.

Financial services

Accounting services, including CPA’s, tax preparation, payroll services, and bookkeeping, were responsible for 24.7% of 2021 tax breaches. Financial services, including banks, credit unions, savings & loans, mortgage brokers, and financial advisors, were responsible for 23.3% of 2021 tax breaches.

Other business groups, including manufacturing, real estate, and insurance were also targeted, demonstrating that all industries are at risk.

Common tactics include the aforementioned social engineering tactics, as well as ransomware and malware, exploited software vulnerabilities, and misconfigured databases that left records exposed.

How to prevent attacks, according to the FBI, IRS, and FTC

In 2018, the FBI suggested that to best protect against social engineering attacks like business email compromise, organizations should consider implementing additional security measures like implementing a PIN or other form of multi-factor authentication to approve transfer of tax-related information. 
In November 2021, the IRS outlined basic safeguards to protect against identity theft as the 2022 tax season approaches. Among these are the use of updated security software, using the “stop malware” feature on anti-virus software, being cognizant of phishing scams, using strong and unique passwords, using multi-factor authentication whenever possible, only shopping on sites that are TLS encrypted (HTTPS over HTTP), not using public or unsecure Wifi, securing your home WiFi network with a password, backing up files from your computer and mobile phones, and creating a virtual private network (VPN) to connect to external networks like that of an office. The IRS also notes common warning signs that could possibly lead to identity theft. They note that fraudsters will try to impersonate government agencies via email or text message, relaying false information about refunds or stimulus payments. The IRS notes that they will never call or send unexpected messages about refunds.

Understand threat actor TTPs, prevent fraud with Flashpoint

Flashpoint gives you the threat intelligence needed to have visibility into threat actor groups, the risk apertures they seek to exploit, and the potentially serious threats they pose to organizations across both the public and private sectors, including tax fraud and other illicit activities that may ensue when credentials are compromised. Sign up for a free trial today to keep your organization’s assets, data, infrastructure, and personnel safe from threats.