Tax season is hog heaven for cybercriminals. The thought of all that personal data just sitting around, unmolested in tax documents, inspires a torrent of creepy scammer creativity. Then the warnings tumble in: We're warned about attempts to steal our data in emails from the IRS; our companies assign us courses on how to identify phishing emails; we read about the latest victims in the news.What we don't see is how our tax data is bought and sold, and what scammers charge other scammers for our data. The Krebs on Security blog provided a glimpse earlier this year, when founder Brian Krebs came across something he hadn't seen before on the Dark Web: Bulk sales of W-2 forms. A scammer had phished a tax preparation firm, Mr. Krebs discovered, and was offering for sale 3,600 Florida W-2s in this cyber netherworld which, while connected to the everyday web, requires special software or authorization to access.
Another window into that world comes in a new report from IBM's commercial security research team, "Cybercrime Riding Tax Season Tides." The company has skin in the game — it sells services to protect companies from cybercrime — which means it's also in a good position to see what's going on in scamland.
"Tax filing information is probably the most premium type of record criminals can buy."
To get a sense of the rise in potentially malicious tax spam emails, IBM's security research group — the IBM X-Force — checked its spam traps for specific, common tax-themed spam. IBM's traps capture 20 million new spam samples per day, according to the company. The group found an increase of more than 6,000% in the number of common tax scam emails trapped by its system from December 2016 to February 2017. A more general search on "tax" spam found an increase of 1,400% over that period. It's like bears heading for the river as the salmon move upstream.
The fruits of all the successful phishing attempts wind up on the Dark Web. These offers can look run of the mill, complete with star ratings for sellers. Here is a screenshot showing sellers and their illegal wares, such as W-2s, taken from IBM's report:
One vendor noted on his sale of W-2s that it "comes with 2015 data to fully complete the return." The IRS requires the prior year's adjusted gross income (AGI) on a return, so that costs a would-be scammer extra. One vendor IBM found was selling W-2 and 1040 returns as a package for $30 worth of bitcoin; if someone wanted AGI information, that was $20 more. Another cybercriminal had a bulk offer that promised data that was "fresh" for the 2016 season, and included W-2 data, date of birth and the AGI figure. That was $50 in bitcoin per record.
An individual's tax data is far more valuable than their credit card data. Stolen credit card data might sell for $1 or be given away to establish credibility on the Dark Web, said Limor Kessem, executive security adviser of IBM Security. Credit card accounts can be closed or frozen, and thus have a short criminal-shelf life.
"Tax filing information is probably the most premium type of record criminals can buy on the underground," said Ms. Kessem, who has been tracking this world for eight years. "It goes for $40 or $50, and unlike credit cards, never expires. People can try and get loans in someone's name, make fake IDs in people's names, get credit." And of course, the top target is filing a tax return in someone's name and getting the refund. The Dark Web has its own selling language. "Fullz" means complete information on an individual, including, according to the IBM report, "payment card information, address and contact details and other additional pieces of personally identifiable information, such as Social Security number, a driver's license number and any other information sold along with the set." A Fullz file of data is labeled "superior" if it also contains W-2 and W-9 info. That sells for $40 in bitcoin per record. See the lingo in action in the screen shot below. (IBM blacked out identifying information.)
Would-be fraudsters browsing these sites are offered tutorials advertised with smiley little tax returns with arms and legs. These crime lessons are a longtime staple on the Dark Web, used as a way to build credibility with the community and get invited into other forums, said Ms. Kessem.
Such honor among thieves would be almost heartening if the damage wreaked on everyday taxpayers wasn't so heinous. With phishing attacks on the rise, a consumer's best defense is a good offense. One of the simplest, when it comes to tax refund fraud: File your taxes early to beat would-be scammers to the punch.
Phishing emails are designed to tempt or panic people. Reminding yourself that the IRS will not send e-mails about your income tax return gives you the upper hand. No matter how enticing — or scary — the supposed offer or threat is in the supposed IRS letter, which will try to entice you into clicking on a link, or opening a file, resist, and forward the fishing attempt to the IRS at email@example.com.
Consider it a small step in an ongoing war.