For years the financial services sector has been a target for malicious attacks and breaches. You only have to look at some of the high-profile incidents over that time to see why the financial sector is so concerned about rising threats. For example, nearly $100 million was stolen from Bangladesh’s central bank in February 2016, and thieves found their way into what was thought to be the most secure financial messaging system in the world, SWIFT. Shortly after these incidents, Russian central bank officials disclosed that hackers stole more than $31 million from the country’s central bank and commercial banks. In March 2018, cybersecurity researchers announced evidence that the same North Korean hacking group linked to the SWIFT financial network attacks had been targeting several major Turkish banks and government finance agencies.
As a result of these attacks, and many others, identity and banking information has been easily accessible for sale online to malicious actors for a long time. No surprises there, but what we have started to see is a recent maturation of the dark web economy focused on tax identity theft.
Growing concern around tax theft
Interested to understand more about this, we recently undertook research into various marketplaces on the dark web and, amazingly, found various forms and how-to guides for illicitly cashing out tax returns readily available. Worryingly, these forms were available on the dark web at relatively low cost, ranging from less than £1 up to £50. In fact, names, Social Security Numbers (SSNs) and birthdates can be obtained for less than 20 pence, with this going up to £50.
Again, for a more comprehensive investment, a relatively inexperienced hacker can purchase authenticated access to a bank account, file a false tax return, claim the IRS refund and cash out via a cryptocurrency exchange for a 100+ per cent return on investment.
Identity fraud on demand
Perhaps most notable is that an identity theft cycle can now be completed by an attacker without ever stepping foot outside or showing their face to another human via “identity fraud on demand,” a process by which a hacker can provide stolen/purchased identity information and receive an original image of a person holding a forged passport with matching picture/information and scans of the forged identity documents.
Our research also found that various tax identity theft products and services on the dark web are becoming cheaper; sellers are working hard to differentiate themselves and their products; and new products are being developed to meet identity thieves’ demands, forming a living, breathing economy built to empower even entry-level hackers.
This evolution in tax fraud and tax identity theft is congruent with various dark web economies, including ransomware, as we outlined in a Carbon Black report which we released in 2017, further suggesting that attackers are constantly evolving their behaviours to “follow the money.” This report highlights some of the offerings available in the robust dark web economy.
From an individual’s perspective, curbing tax fraud and identity theft stemming from the dark web can be a tough, if not impossible, task. In many respects, the onus of responsibility for keeping data safe is on the companies and organisations housing the information rather than the individual themselves.
Six steps to prevent tax identity theft
That said, individuals can take a few critical steps to strengthen their cyber hygiene and decrease their chances of becoming a victim. Here are my six top tips to avoid tax identity theft:
- Make sure to use a bank that offers multi-factor authentication for logins. It’s also a good practice to use Mozilla as your browser for any sensitive online activity.
- Use a password manager (locked by a master key that only you know) and do not save passwords in your browser.
- File your taxes as soon as possible. In the event someone does get a hold of your information and attempts to file a return in your name, the fraudulent return will be rejected if your return has already been submitted. (Another motivation to get those taxes in early!)
- Ignore the inclination to give your information away. If a website doesn’t have a legitimate need for personal information, don’t provide it. This can help limit future exposure.
- Never transfer money (via wire, electronic check, credit card, etc.) based on an email request you’re not expecting without directly authenticating the requestor via telephone or in person first.
- Putting a lock on (and/or setting notifications for) your credit will also put an additional measure in place to monitor nefarious activity.
Of course, a hacker might find their way through, but the above tips will certainly help you to avoid a nasty incident happening. Tax fraud affects thousands of people every year. It is important to note that the theft of a tax return can empower a criminal to steal someone’s financial future, not just this year’s tax refund. Tax information theft could easily extend to credit cards and home equity loan fraud, which could haunt a victim for decades. So make sure that you are doing all that you can to protect your tax identity.
Rick McElroy, Head of Security Strategy, Carbon Black