Excuse Me, Could I Borrow Your W-2?

People who like tax season: accountants, phishers, and this guy.
March 15, 2017

Rachel is a member of the Customer Success Team at Terbium Labs. She splits her time between baking brownies, refilling her candy jar, and figuring out how laissez-faire economics applies to the dark web.

Tax season is here, and with it a new wave of personally identifiable information (PII) leaks. Due to the high volume of information being passed around, it is easy for some of it to end up in the wrong hands. W-2 forms often go from payroll companies, to employers, to employees, to accountants, and to the government. That’s a lot of opportunities for something to get lost.

As we mentioned in “Tax-and Peak PII-Season is Here,” tax season puts a multitude of people at risk for identity theft and tax fraud. Tax documents are abundant sources of PII: they contain names, addresses, wage and employer information, and most notably, Social Security numbers (SSNs). In early February 2016, a breach of the Internal Revenue Service’s (IRS) systems led to the theft of around 464,000 unique SSNs. This year, tax season is marred less by elaborate attempts to get citizens’ SSNs from the IRS and more by human error.

It Wasn’t Me

Not all leaks result from malicious intent; some occur due to human error rather than targeted attacks by fraudsters. Recently, for example, a corporate payroll service shipped dozens of salary records and documents to the wrong address. The company accidentally sent 60 federal W-2 forms and other tax records to a woman whose daughter previously worked for the company… twice. Thankfully, the woman never opened the packages and shipped them back to the payroll service.

In another tax blunder, a Texas school employee fell for a phishing scam in which the fraudster, impersonating the superintendent, requested W-2 forms for the school’s employees. The employee trusted the email and forwarded the staff’s forms to the phisher. To make up for the error, the school will offer its employees a year of identity theft monitoring. While this type of monitoring is helpful, there is still a chance the information will be leaked or sold on various dark web markets - something these monitoring services may not detect until fraudulent activity occurs.

Not Just Insiders

For criminals too lazy to do the phishing themselves, dark web shops sell “fullz”: complete personal information on an individual, including occupation and SSN. These listings often come in packages containing multiple identities and sell for around $15 to $30 per record. Some vendors even offer bulk discounts.


Tax season still has a month to go, so we are likely to see a lot more tax-related leaks and phishing attempts. Ensuring tax documents follow the proper chain of custody through the tax submission process helps protect employee PII against phishing attacks and malicious use. Information in these tax forms could be used in fraudulent documents or exploited in financial situations requiring Social Security numbers and employment information. Criminals can file fraudulent tax returns and refund requests, scamming the federal government out of billions of dollars per year. So much for that tax return.
