Shopping for W2s, Tax Data on the Dark Web

The 2016 tax season is now in full swing in the United States, which means scammers are once again assembling vast dossiers of personal data and preparing to file fraudulent tax refund requests on behalf of millions of Americans. But for those lazy identity thieves who can’t be bothered to phish or steal the needed data, there is now another option: Buying stolen W-2 tax forms from other crooks who have phished the documents wholesale from corporations.

A cybercriminal shop selling 2016 W-2 tax data.

Pictured in the screenshot above is a cybercriminal shop which sells the usual goods — stolen credit card data, PayPal account logins, and access to hacked computers. But hidden beneath the “other” category of goods for sale by this fraud bazaar is an option I’ve not previously encountered on these ubiquitous, cookie-cutter stores: A menu item advertising “W-2 2016.”

This particular shop — the name of which is being withheld so as not to provide it with free advertising — currently includes raw W-2 tax form data on more than 3,600 Americans, virtually all of whom apparently reside in Florida. The data in each record includes the taxpayer’s employer name, employer ID, address, taxpayer address, Social Security number and information about 2016 wages and taxes withheld.

Each W-2 record costs the Bitcoin equivalent of between $4 and $20. W-2 records for employees with higher-than-average wages in the 2016 tax year cost more, ostensibly because thieves stand to reap a higher tax refund from those W-2’s if they successfully trick the Internal Revenue Service and/or the states into approving a fraudulent refund in the victim’s name.

Tax refund fraud affects hundreds of thousands, if not millions, of U.S. citizens annually. Victims usually first learn of the crime after having their returns rejected because scammers beat them to it. Even those who are not required to file a return can be victims of refund fraud, as can those who are not actually due a refund from the IRS.

Tax data can be phished directly from consumers via phony emails spoofing the IRS or employers. But more often, the information is stolen in bulk from employers. In a typical scenario, the thieves target people who work in HR and payroll departments at corporations, and spoof an email from a higher-up in the company asking for all employee W-2 data to be included in a single file and emailed immediately.

Incredibly, this scam tricks countless organizations into giving away all employee W-2 data directly to identity thieves who use it (or, in this case, sell it) for tax refund fraud. Earlier this month, solar panel maker Sunrun disclosed that a spear phishing attack exposed W-2 tax form data on more than 3,400 employees.

In this case, however, it does not appear the cybercrime shop obtained the W-2’s through phishing employers. It cost roughly $25 worth of Bitcoin to reveal the likely common thread among all 3,600+ Floridians being exploited by this shop: A local tax preparation firm that got hacked or phished.

Two tax records that a source purchased from the shop listed Kirai Restaurant Group LLC in Fort Lauderdale, Fla. Kirsta Grauberger, managing partner of that organization’s physical property — the Market 17 & Day Market Kitchen — confirmed that the two W-2 records were tied to two employees.

But Grauberger said her company has employed fewer than 150 employees total since it opened for business six years ago. So which other company or companies account for the remaining 3,450 employees whose W-2s are for sale by this shop?

Grauberger told KrebsOnSecurity that her firm doesn’t even handle employee tax forms, and that her company outsourced that entire process to a local tax preparation firm called The Payroll Professionals.

W-2 information also was on sale for employees of a doctor’s office in Boca Raton, Fla. The medical office told KrebsOnSecurity that it, too, managed its payroll through the same third-party payroll management firm.

A man answering the phone at Payroll Professionals who would only give his name as “Robert” said the company was “aware of the potential hacking” and was in the process of informing its clients.

According to recent stats from the Federal Trade Commission, tax refund fraud was responsible for a nearly 50 percent increase in consumer identity theft complaints in 2015. The best way to avoid becoming a victim of tax refund fraud is to file your taxes before the fraudsters can.

See last year’s Don’t Be A Victim of Tax Refund Fraud in ’16 for more tips on avoiding this ID theft headache. But here are the main takeaways from that story:

-File before the fraudsters do it for you – Your primary defense against becoming the next victim is to file your taxes at the state and federal level as quickly as possible. Remember, it doesn’t matter whether or not the IRS owes you money: Thieves can still try to impersonate you and claim that they do, leaving you to sort out the mess with the IRS later.

-Get on a schedule to request a free copy of your credit report. By law, consumers are entitled to a free copy of their report from each of the major bureaus once a year. Put it on your calendar to request a copy of your file every three to four months, each time from a different credit bureau. Dispute any unauthorized or suspicious activity. This is where credit monitoring services are useful: Part of their service is to help you sort this out with the credit bureaus, so if you’re signed up for credit monitoring make them do the hard work for you.

-Monitor, then freeze. Take advantage of any free credit monitoring available to you, and then freeze your credit file with the four major bureaus. A freeze can help you stop ID thieves from opening new lines of credit in your name. Instructions for doing that are here. However, note that neither a credit freeze nor credit monitoring will stop ID thieves from filing a fraudulent refund request with the IRS in your name. Again, your best bet to prevent this is to file your taxes before the fraudsters can do it for you.

-File form 14039 and request an IP PIN from the government. This form requires consumers to state they believe they’re likely to be victims of identity fraud. Even if thieves haven’t tried to file your taxes for you yet, virtually all Americans have been touched by incidents that could lead to ID theft — even if we just look at breaches announced in the past year alone.

Don't click on phony QuickBooks email alert

Courtesy of the West Virginia Better Business Bureau

A clever new phishing scam is fooling small businesses. The message looks like an email alert from accounting software QuickBooks, but it’s really a phishing con.

How the scam works

You receive an email with the subject line “QuickBooks Support: Change Request.” The message is “confirming” that you changed your business name with Intuit, QuickBooks’ manufacturer. However, you never made such a request. It must be a mistake, but fortunately the email contains a link to cancel.

Pause before you click! Scammers know that you didn’t make this request, and the link to cancel is simply bait. It downloads malware to your device, which scammers use to capture passwords or hunt for sensitive information on your machine. This can open you up to identity theft.

How to spot a phishing scam

>> Be wary of unexpected emails. Never click on links or attachments in emails you were not expecting without checking them out thoroughly first.

>> Check the reply email address. One easy way to spot an email scam is to look at the reply email. The address should be on a company domain, such as (jsmith@company.com).

>> Check the destination of links. Hover over links to see where they lead. Be sure the link points to the correct domain (www.companyname.com) not a variation, such as companyname.othersite.com or almostcompanyname.com. Scammers can get creative, so look closely.

>> Consider how the organization normally contacts you. If an organization normally reaches you by mail, be suspicious if you suddenly start receiving emails or text messages without having opted in to the new communications.

>> Be cautious of generic emails. Scammers try to cast a wide net by including little or no specific information in their fake emails. Be especially wary of messages you have not subscribed to or companies you have never done business with in the past.

>> Don’t believe what you see. Just because an email looks real, doesn’t mean it is. Scammers can fake anything from a company logo to the “Sent” email address.
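
An added example, not part of the BBB advisory: the reply-address and link-destination checks from the list above, written in Python against the advisory's placeholder domain companyname.com. The sample message and the names `host_matches`, `LinkCollector` and `review` are constructed for illustration.

```python
from email import message_from_string
from email.utils import parseaddr
from html.parser import HTMLParser
from urllib.parse import urlsplit

TRUSTED = "companyname.com"  # assumption: the domain the organization really uses
# Constructed sample message, not a captured phishing email.
SAMPLE = """\
From: Support <support@companyname.com>
Reply-To: help@almostcompanyname.com
Subject: Change Request
Content-Type: text/html

<a href="https://www.companyname.com/account">View account</a>
<a href="http://companyname.othersite.com/cancel">Cancel</a>
<a href="https://almostcompanyname.com/login">Log in</a>
"""

def host_matches(host, trusted=TRUSTED):
    """True only for the trusted domain itself or a real subdomain of it."""
    host = (host or "").lower().rstrip(".")
    # The leading dot matters: a bare endswith(trusted) accepts almostcompanyname.com.
    return host == trusted or host.endswith("." + trusted)

class LinkCollector(HTMLParser):
    def __init__(self):
        super().__init__()
        self.hrefs = []
    def handle_starttag(self, tag, attrs):
        href = dict(attrs).get("href")
        if tag == "a" and href:
            self.hrefs.append(href)

def review(raw, trusted=TRUSTED):
    """Return findings for one message; the visible From can be faked, so empty is not proof."""
    msg = message_from_string(raw)
    findings = []
    for header in ("From", "Reply-To"):
        addr = parseaddr(msg.get(header, ""))[1]
        if addr and not host_matches(addr.rpartition("@")[2], trusted):
            findings.append(f"{header} is off-domain: {addr}")
    collector = LinkCollector()
    collector.feed(msg.get_payload())
    for href in collector.hrefs:
        host = urlsplit(href).hostname
        if not host_matches(host, trusted):
            findings.append(f"link leaves {trusted}: {host}")
    return findings
```

Running `review(SAMPLE)` flags the Reply-To address and the two look-alike links while passing the genuine `www.companyname.com` link.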

For more scam information

Visit bbb.org/canton to look up a business, file a complaint, write a customer review, report a scam with Scam Tracker, read tips, follow us on social media and more. The Canton Regional and Greater West Virginia Better Business Bureau offers tips and advice for consumers to avoid fraudulent practices.

Overconfident e-mail recipients helping phishing succeed

New York, Jan 9 (IANS) Most people believe they are smarter than those behind email phishing scams, which is why so many fall easily into a trap and lose money, an Indian-origin researcher has found.

According to H.R. Rao from University of Texas at San Antonio (UTSA), overconfident e-mail recipients are helping phishing succeed.

“A big advantage for phishers is self-efficacy. Many times, people think they know more than they actually do and are smarter than someone trying to pull off a scam via an e-mail,” said Rao, who is AT&T Distinguished Chair in Infrastructure Assurance and Security.

Today, phishing e-mails often look like messages from companies ordinary people recognise and trust.

“They’re getting very good at mimicking the logos of popular companies,” Rao noted.

In his study, Rao utilised an experimental survey that had subjects choose between the genuine and the sinister e-mails that he and his colleagues had created for the project.

Afterward, the subjects explained why they made their choices, which allowed Rao to classify which type of overconfidence was playing a role in their decision-making processes.

According to Rao, people will continue to be victimised by phishing scams until the public becomes better educated and, subsequently, less overconfident.

“Thousands of e-mails are sent out every day with the aim of harming someone or gaining access to their financial information. Avoiding that kind of damage is entirely in our own hands,” Rao suggested in a paper that appeared in the Journal of the Association for Information Systems.

–IANS
