
Tax-Related Scams 2023

In this article we will learn about Tax-Related Scams.

American authorities warn of a significant increase in the number of tax frauds in parallel with the tax season. The Internal Revenue Service (IRS) has confirmed that cybercriminals are stepping up their activity and adopting new techniques to monetize their efforts.

Security researchers and government experts who track fraudulent activities related to tax fraud have confirmed an increase in phishing activities during this period.

Since 1955, April 15th has been tax day for people living in the United States. Because of Emancipation Day in Washington D.C. (which is observed on the weekday closest to April 16), when April 15 falls on a Friday, tax returns are due on the following Monday; if April 15 falls on a Saturday or Sunday, the tax return is due on the following Tuesday.

This year, Tax Day will be on Monday, April 18, which is why security experts believe we’re at a crucial stage where fraudsters will try to trick victims with malicious messages pretending to be from the IRS.

In February, an IRS bulletin reported a 400% increase in tax-related phishing and malware: the agency recorded 1,026 malware and phishing incidents, compared to 254 last year.


The IRS is warning taxpayers about newer forms of attacks designed to trick victims into disclosing account credentials to third-party tax preparation services.

“The Internal Revenue Service has renewed its consumer alert on email scams after seeing an approximately 400% increase in phishing and malware this tax season,” the bulletin said. “The emails are designed to trick taxpayers into thinking they are official communications from the IRS or others in the tax industry, including tax software companies. Phishing programs can ask taxpayers about a wide variety of topics. Emails may seek information related to refunds, submission status, confirmation of personal information, ordering transcripts, and verification of PIN information.”

IRS Commissioner John Koskinen describes the situation as “dramatic” and urges taxpayers to beware of fraudsters.

“This dramatic spike in these frauds comes at the busiest time of the tax season,” Koskinen said. “Beware of scammers who drop these official-looking emails into their inboxes and try to confuse people while they’re working on their taxes. We urge people not to click on these emails.”

Figure 1 – IRS Building

Fraudsters intensify their operations during this period. In a common attack scenario, victims receive an email containing links to a domain hosting an exploit kit, such as Angler EK, that delivers malware to visitors. In other cases, attackers send malicious emails whose attached documents contain malicious macros. Once victims open the document and enable the macros, the embedded code drops malware on the victim’s computer, including dreaded ransomware such as CryptoLocker, TeslaCrypt, and Locky.

The IRS recently provided the following statistics on fraudulent tax-related activity:

  • In January, 1,026 incidents were reported, up from 254 a year earlier.
  • This trend continued in February, almost doubling the number of reported incidents compared to the previous year. A total of 363 incidents were reported between February 1 and 16, compared to 201 reported for the entire month of February 2015.
  • This year’s 1,389 incidents have already surpassed 2014’s annual total of 1,361 and are halfway to 2015’s total of 2,748.

Once the PII is obtained, cybercriminals use corrupt tax companies or online tax software to file fraudulent tax returns with the stolen identification information. The only legitimate information fraudsters need to file a fraudulent tax return is the victim’s name and Social Security number.

This data can be obtained in a variety of ways: computer hacking, online purchase of stolen PII, physical theft of data from victims or third parties, impersonation of government officials through phishing and vishing, theft of electronic medical records, and OSINT investigations.

“Get Transcript” Hack.

More recently, IRS services themselves have been exploited by cybercriminals. In May 2015, the Internal Revenue Service was breached by hackers who “used an agency-provided online service” to access the data of more than 100,000 taxpayers.

Following the incident, the IRS released an official statement revealing that hackers had abused the “Get Transcript” service, which taxpayers commonly use to obtain a transcript online or via email to view transactions on their tax accounts.

To obtain a transcript online, users must provide a social security number and an active email address. Once an email address is confirmed as legitimate, the IRS procedure asks users several questions about personal, financial and tax information before making the transcript available for download.

Hackers bypassed a security screen requiring user information such as SSN, date of birth and address to access taxpayer data.

The IRS counted more than 200,000 attempts, about half of which were successful. The IRS was forced to temporarily suspend the service, with government agency officials confirming that the service was targeted by hackers over a two-month period from February to mid-May.

“The Get Transcript online service is currently unavailable. Transcripts can still be ordered using the Get Transcript by Mail service. We apologize for the inconvenience,” the IRS said in a statement.

Figure 2 – IRS Get Transcript Service

“In total, about 200,000 attempts were made from questionable email domains, with more than 100,000 of those attempts successfully clearing authentication hurdles,” an IRS spokesperson said in a statement to reporters. “During this filing season, taxpayers successfully and safely downloaded a total of approximately 23 million transcripts.”

In August 2015, the Internal Revenue Service provided an update on the incident, revealing that 334,000 taxpayers (more than triple the original estimate) may have been affected by the hack announced in May.

Data recently shared by the IRS confirmed that the agency detected roughly 464,000 unauthorized attempts using unique SSNs, and 101,000 attempts allowed fraudsters to generate PINs.

The U.S. Internal Revenue Service has confirmed that cybercriminals have exploited the Electronic Filing PIN application running on, which allows taxpayers to generate a PIN that they can use to file tax returns online.

The government office did not provide further details of the attack or reveal how the hackers bypassed the authentication mechanisms. In March 2015, popular security expert Brian Krebs first reported on the risks associated with accessing the IRS transcript service.

The expert explained that someone had already registered through the IRS website using their Social Security number and an unknown email address. Hackers used taxpayers’ personal information to get a direct deposit.

“If you’re an American and you haven’t created an account yet, you may want to do so before tax fraudsters create an account in your name and steal your personal and tax information,” Krebs wrote on his blog.

Krebs and other security experts emphasized that the authentication mechanism implemented by the IRS is based on knowledge of the user’s personal information (knowledge-based authentication). The problem with this kind of authentication process is that the information used never changes, so an attacker can obtain it in a variety of ways.

SSNs, email addresses, and other PII are very easy to obtain in the criminal ecosystem, with many black markets on the dark web offering them. The Anthem and CareFirst data breaches exposed PII belonging to millions of customers to the criminal underground.

“The IRS continues to conduct additional reviews of those cases where transcript access was made available, including how many of those households filed taxes in 2015. It is possible that some of these transcription approaches were made with an eye toward using them for identity theft for next year’s tax season,” the IRS statement explained.

Experts at security firm Proofpoint are tracking the recent wave of tax-related phishing campaigns and the tactics, techniques and procedures (TTPs) used by threat actors.

Experts have noted a degree of sophistication and ubiquity in the techniques used by fraudsters in the wild.

“Tax-related phishing is something of an annual phenomenon, but Proofpoint researchers are seeing a level of sophistication and ubiquity that sets this year apart,” according to a report released by Proofpoint, which analyzes tax fraud trends.

Cybercriminals are looking to take advantage of taxpayers’ new habits, such as their propensity to use mobile devices. For example, Proofpoint experts discovered a mobile-optimized phishing page that appears to be a legitimate tax. Meanwhile, several ISPs have already shut down some tax-related phishing sites hosted by major providers.

Criminal organizations also conduct tax-related voice phishing campaigns to obtain information for use in fraudulent activities.

Adam Meyer, chief security strategist for SurfWatch, explained that his research has seen a spike in tax attacks this year.

“They filter by name people who tend to have a foreign name to take advantage of their lack of English and also the fact that they probably don’t understand our tax system as well as people who grew up with it,” he said.

A major component of tax fraud is user data. Because of the constant demand for this rare commodity, criminal organizations feed major black markets on the dark web with this precious information.

Attackers use this data to abuse the IRS e-filing PIN verification system and file a false return on behalf of the victim and request payment through a fraudulent bank account.

The FBI has confirmed a significant increase in stolen identity refund fraud (SIRF), which is the fraudulent acquisition and use of the personal information (PII) of US persons or visa holders to file tax returns. Fraudsters have the refunds from the fraudulent returns sent to bank accounts or prepaid cards they control.

The victims of this type of crime are specific categories of individuals, such as the homeless and prisoners.

“SIRF is relatively easy to commit and extremely lucrative for criminals. While all U.S. taxpayers are susceptible to SIRF, over the past year, criminal actors have targeted specific segments of the population, including: temporary visa holders, the homeless, prisoners, the deceased, low-income individuals, children, the elderly, and military personnel deployed overseas,” according to the FBI.

Proofpoint experts are concerned about the availability of tax phishing kits that have reached a high level of quality.

These kits are available for sale on major black markets and implement some features that allow fraudsters to avoid detection.

“Sophisticated phishing kits tailored for tax season are dramatically empowering threat actors across the spectrum to go after taxpayers. Whether they’re mobile-optimized (in the case of fake tax preparation software) or “hidden in plain sight,” these suites are powerful tools for cybercriminals. We even observed that the suite was using SSL correctly, taking advantage of the secure form delivery capabilities of the particular service provider they were using. Properly signed certificates make it harder for end users, web browsers and security providers to detect phishing sites, giving attackers a chance during tax season – even with commodity kits,” according to Proofpoint.

Figure 3 – Tax-related phishing email (Proofpoint)


W-2 phishing campaigns

This year, security firms and government agencies are seeing alarming new attacks targeting businesses with W-2 phishing campaigns. Experts have seen a significant increase in these campaigns, as W-2 information could be used by fraudsters to file a victim’s taxes and claim refunds on their behalf.

Recently, popular security expert Brian Krebs revealed that cybercriminals tricked employees of data storage company Seagate Technology into handing out W-2 tax forms on all current and former employees.

The leaked documents include Social Security numbers, salaries and other personal information that criminals could use for illegal activities. This data would be used by hackers to file fake tax refund claims.

According to Seagate, the incident occurred on March 1st, but Brian Krebs of KrebsOnSecurity was made aware of the case by a former Seagate employee who received a written notice from the company.

“On March 10, Seagate Technology became aware that information from 2015 W-2 tax forms for current and former US-based employees was sent to an unauthorized third party in response to a phishing email scam,” Seagate spokesman Eric DeRitis announced. “The information was sent by an employee who believed the phishing email was a legitimate internal company request.”

“When we learned of this, we immediately notified federal authorities, who are now actively investigating. We deeply regret this error and offer our sincere apologies to all those affected. Seagate is aggressively analyzing where process changes are needed, and we will implement those changes as quickly as possible.”

DeRitis told Krebs that several thousand current and former employees were affected, but fewer than 10,000.

Security experts and government agencies are warning of email phishing scams targeting finance and human resources that fake a letter from an organization’s CEO requesting all employee W-2 forms.

On March 1, the Internal Revenue Service issued an alert to payroll and HR professionals about a significant increase in the number of BEC attacks targeting W-2 and other tax data.

BEC attacks rely on social engineering techniques that seek to exploit trusted relationships between employees within a company.

In many cases, attackers spoof the email address of the CEO or CFO, or of another person with enough authority to make the employee who receives the message act on the instructions it contains. No one wants to say no to the boss.
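The checks a mail gateway or payroll team could apply to the CEO-impersonation pattern described above, as an added example that is not part of the original article. The organisation domain, the executive names and the three sample messages are constructed assumptions.

```python
import re
from email import message_from_string
from email.utils import parseaddr

ORG_DOMAIN = "example.com"            # assumption: the organisation's mail domain
EXECUTIVES = {"jane roe", "sam poe"}  # assumption: hypothetical CEO/CFO display names
W2_REQUEST = re.compile(r"\bw-?2s?\b|wage and tax statement|social security", re.I)

def domain_of(address):
    return address.rpartition("@")[2].lower()

def w2_bec_findings(raw_message):
    """List the reasons a message resembles a spoofed-executive W-2 request."""
    msg = message_from_string(raw_message)
    from_name, from_addr = parseaddr(msg.get("From", ""))
    _, reply_addr = parseaddr(msg.get("Reply-To", ""))
    body = "" if msg.is_multipart() else msg.get_payload()
    findings = []
    # Executive name shown to the reader, but the address is outside the company.
    if from_name.strip().lower() in EXECUTIVES and domain_of(from_addr) != ORG_DOMAIN:
        findings.append("executive display name on external address")
    # Forged From header: the answer is silently routed to another domain.
    if reply_addr and domain_of(reply_addr) != domain_of(from_addr):
        findings.append("Reply-To domain differs from From domain")
    if W2_REQUEST.search(msg.get("Subject", "") + "\n" + body):
        findings.append("mentions W-2 / SSN data")
    return findings

def should_hold(raw_message):
    """Hold for out-of-band confirmation: W-2 content plus a sender anomaly."""
    findings = w2_bec_findings(raw_message)
    return "mentions W-2 / SSN data" in findings and len(findings) > 1

# Constructed sample messages (not real traffic).
FORGED_FROM = """\
From: "Jane Roe" <jane.roe@example.com>
Reply-To: jane.roe@mail-example.test
Subject: Urgent request

Please send me all employee W-2 forms for 2015 as a PDF today.
"""
LOOKALIKE = """\
From: "Jane Roe" <ceo@example-corp.test>
Subject: W2 copies

I need the W2 of every employee for a quick review.
"""
PORTAL_NOTICE = """\
From: "Payroll" <payroll@example.com>
Subject: Your W-2 is available

Log in to the internal portal to download your W-2.
"""
for sample in (FORGED_FROM, LOOKALIKE, PORTAL_NOTICE):
    print(should_hold(sample), w2_bec_findings(sample))
```

A held message is not necessarily malicious; the point is that it is confirmed with the named executive over a separate channel before any W-2 data leaves payroll.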

“The Internal Revenue Service today issued an alert for payroll and human resources professionals to be aware of an emerging phishing email scheme that purports to be from company management and requests personal information about employees,” the IRS alert states.

“The IRS has discovered that this scheme — part of a surge in phishing emails seen this year — has already claimed several victims as payroll and human resources agencies mistakenly emailed payroll information, including W-2 forms that contain Social Security numbers, insurance and other personal data, to cybercriminals posing as company executives.”

“This is a new twist on the old scheme of using tax season coverage and W-2 filings to try to get people to share personal information. Now criminals are targeting corporate payroll departments,” said IRS Commissioner John Koskinen. “If your CEO seems to be sending you an email with a list of company employees, check it before you respond. Everyone has a responsibility to conscientiously confirm the identity of people requesting personal employee information.”

According to Salted Hash, the list of victims of the illegal practice in the first months of 2016 is very long and includes the following companies:

March 2016:

  • Seagate Technology (March 1)
  • Snapchat (March 1)
  • Central Concrete Supply Co. Inc. (March 1)
  • Main Line Health (March 1)
  • Turner Construction Company (March 2)
  • Actifio Inc. (March 2)
  • Billy Casper Golf (March 3)
  • Evening Post Industries (March 3)
  • DataXu Inc. (March 3)
  • Information Innovators Inc. (March 3)
  • York Hospital (March 4)
  • Acronis (March 4)
  • Moneytree (March 4)
  • General Communications Inc. (March 4)
  • Advance Auto Parts (March 7)
  • Applied Systems Inc. (March 7)
  • eClinicalWorks (March 7)
  • LAZ Parking (March 9)
  • Endologix Inc. (March 9)
  • ConvaTec Inc. (March 9)
  • (March 10)
  • Foss Manufacturing Company (March 11)
  • Mitchell International Inc. (March 11)
  • Matrix Service Company (March 11)
  • SevOne (March 14)
  • PerkinElmer, Inc. (March 15)
  • SalientCRGT (March 15)
  • Netcracker Technology Corporation (March 17)
  • Lanyon Solutions Inc. (March 18)
  • Dynamic Aviation (March 18)
  • CareCentrix (March 21)
  • Lamps Plus and Pacific Coast Lighting (March 23)
  • Sprouts Farmers Market (March 23)

February 2016:

  • BrightView (February 3)
  • Magnolia Health Corporation (February 3)
  • Polycom (February 5)
  • WorkCare (February 18)
  • Mercy Housing (February 19)
  • Pharm-Olam International (February 23)
  • AmeriPride Services Inc. (February 25)

January 2016:

  • Robert Rauschenberg Foundation (January 25)

Since January, experts have also noted several tax-related data breaches affecting some organizations in late 2015, including TaxAct (January 11), TaxSlayer (January 29), TurboTax (February 10), and Lewis, Kisch & Associates, Ltd. (March 7).

“Tax filing season is in full swing in the United States, and fraudsters who specialize in tax refund fraud have a new trick up their sleeve: spoofing emails from a target organization’s CEO, asking HR and accounting departments for employee W-2 information,” Brian Krebs wrote in a blog post.

The US Federal Trade Commission (FTC) reported a 47% increase in identity theft complaints in 2015, with tax refund fraud accounting for a significant portion of complaints.

Figure 4 – Identity Theft data (U.S. Federal Trade Commission (FTC))

If you want to avoid being a victim of tax refund fraud, take a look at the post “Don’t Be A Victim of Tax Refund Fraud in ’16.”

Taxpayers have to be careful; cyber criminals will do everything to steal their money.

