Tax-fraud scams don’t end with tax-filing season

Criminals profit year-round from easily mining IRS data; SMBs, others must be prepared

Share on FacebookShare on Google+Tweet about this on TwitterShare on LinkedInEmail this to someonePrint this page

Many busi­ness­es and con­sumers are on high alert for tax-fraud scams dur­ing the first quar­ter of the year. But the expo­sure doesn’t end with the tax-fil­ing sea­son. Espe­cial­ly since crim­i­nals can mon­e­tize the same data year-round.

W-2 data is the holy grail because you can’t reset it, like a pass­word,” says Michael Mar­riott, a research ana­lyst with Dig­i­tal Shad­ows, a dig­i­tal-risk man­age­ment com­pa­ny. “PII (per­son­al­ly iden­ti­fi­able infor­ma­tion) is always going to be attractive—it doesn’t mat­ter what time of the year it is.”

Relat­ed arti­cle: Why SMBs must address new dig­i­tal risks

Small- and medi­um-size busi­ness­es, in par­tic­u­lar, can’t afford to low­er their guard after April. The biggest mis­nomer is that they’re not an attrac­tive tar­get because of their small­er size, says Antho­ny Grieco, senior direc­tor and trust strat­e­gy offi­cer at Cisco’s Secu­ri­ty and Trust Orga­ni­za­tion.

Antho­ny Grieco, senior direc­tor and trust strat­e­gy offi­cer at Cis­co Secu­ri­ty and Trust Organization

Cre­at­ing resilien­cy around cyber­se­cu­ri­ty is nei­ther a sea­son­al nor a one-time activ­i­ty, he adds.

It’s not just a tax-time dis­cus­sion,” Grieco says. “It needs to hap­pen all the time.”

Tax fraud still a pop­u­lar crime

Fraud sta­tis­tics for the 2017 sea­son will not be avail­able from the IRS for some time. But chat­ter observed by Dig­i­tal Shad­ows on crim­i­nal sites and on the dark web indi­cates that fraud­sters’ inter­est in this type of scam remains high.

Dig­i­tal Shad­ows found that at the end of March, the num­ber of men­tioned key­words asso­ci­at­ed with tax fraud was 40 per­cent high­er than in 2016. This con­tin­ues the pat­tern of last year, when the num­ber of men­tions was high­er than in 2015.

By con­trast, the num­ber of fraud­u­lent returns iden­ti­fied by the IRS between 2013 and 2015 has decreased every year, accord­ing to a Jan­u­ary report by the Trea­sury Inspec­tor Gen­er­al for Tax Administration.

Mar­riott says the fact that the IRS hasn’t detect­ed an increase in fraud­u­lent fil­ings doesn’t nec­es­sar­i­ly mean there’s an actu­al drop in attempt­ed fraud.

Part of it is due to the increased effort being put into pre­vent­ing fraud,” he says.

Those efforts include tax-iden­ti­ty fil­ters IRS now uses to iden­ti­fy poten­tial­ly fraud­u­lent returns. The IRS also locked some 31 mil­lion accounts of deceased tax­pay­ers in 2016.

Vic­tor Searcy, Cyber­Scout vice pres­i­dent of glob­al res­o­lu­tion operations

The per­cent­age of the times that (fraud­sters) are suc­cess­ful has decreased, but it doesn’t mean it’s still not a prof­itable way to com­mit fraud,” says Vic­tor Searcy, vice pres­i­dent of glob­al res­o­lu­tion oper­a­tions at Cyber­Scout. (Full dis­clo­sure: Cyber­Scout spon­sors Third Certainty.)

Scam­mers not wor­ried about get­ting caught

The anonymi­ty of the crime makes it espe­cial­ly com­pelling. When the IRS iden­ti­fies poten­tial fraud, it sim­ply denies the refund claim—it doesn’t go search­ing for the culprit.

There’s very lit­tle fear of being caught, and if they get caught, the chances of being pros­e­cut­ed are real­ly slim, and the penal­ties not as severe,” Searcy says.

It’s also an easy crime. Cyber thieves go so far as sell­ing detailed how-to guides, Mar­riott says.

Crim­i­nals find dif­fer­ent ways to make mon­ey that can be repeat­able,” he says. “For some­thing like $30, you can buy a full tuto­r­i­al on the steps you need to make mon­ey from tax fraud.”

Phish­ing remained on the IRS “dirty dozen” list of tax scams this year, fol­low­ing a 400 per­cent surge dur­ing the 2016 sea­son. Those are schemes like the pop­u­lar W-2 scam, a vari­a­tion on the busi­ness email com­pro­mise. In Feb­ru­ary, the IRS warned it was see­ing new and evolv­ing schemes.

Cyber crim­i­nals expand their repertoire

The dou­bling down by the IRS on fraud and iden­ti­ty theft is good news for con­sumers. On the oth­er hand, don’t expect cyber crim­i­nals to stop mon­e­tiz­ing stolen information—or to stop phish­ing and oth­er attacks come May.

For instance, the per­cent­age of spam with mali­cious attach­ments is on the rise, accord­ing to Cisco’s 2017 Annu­al Cyber­se­cu­ri­ty Report. Cis­co found that 65 per­cent of total email vol­ume in 2016 was spam, and 8–10 per­cent of the spam was mali­cious. At the same time, cyber crim­i­nals were exper­i­ment­ing with a wide range of tactics.

Grieco says that orga­ni­za­tions need a cul­ture shift toward a holis­tic approach to cyber­se­cu­ri­ty, which includes edu­cat­ing employ­ees. Small- and medi­um-size busi­ness­es have an advan­tage because few­er peo­ple need to be trained—for exam­ple, one accoun­tant instead of a depart­ment of 100 workers.

The scope of who you need to edu­cate and about what risks becomes much more nar­row, and there­fore the impact of edu­ca­tion can be much larg­er,” he says.

Being pre­pared for a cyber­se­cu­ri­ty inci­dent is not unlike prepar­ing for a pow­er out­age or a nat­ur­al dis­as­ter. But SMB lead­ers need to have at least a basic under­stand­ing of the threats for their spe­cif­ic industry.

It’s very sim­i­lar to resilience activ­i­ties you’d take in the phys­i­cal world,” Grieco says. “Under­stand­ing where your crit­i­cal sys­tems are, how are you pro­tect­ing them, how are you mon­i­tor­ing them, do you know what to do if some­thing goes wrong—all of those basic ideas apply.”

More sto­ries relat­ed to tax scams and cyber threats:
Be on the look­out for these three tax scams
More SMBs let their guard down on cybersecurity
SMBs just as vul­ner­a­ble to cyber attacks as big organizations


Posted in Cybersecurity, Featured Story