THREAT INTELLIGENCE: TAX RELATED CYBER SCAMS
The 2018 tax season is officially underway and so too are malicious hacking campaigns aimed at stealing your business’s sensitive tax-related data.
R9B’s Vice President of Threat Intelligence, Keith Smith, sat down to highlight the threat of tax related scams using compromised business email accounts. He also offers some proactive steps your business can take to prevent security breaches and protect sensitive information during this year’s tax season.
- Risk to Your Organization: Security breaches that expose both your business’s and employees’ sensitive financial records
- Targeted Industry: All
- Targeted Individuals: Executive leaders, human resources (HR) staff, and employees who handle payroll and financial information
- Adversary: Cybercriminals
- Attack Motive: Financial gain through identity theft, fraudulent wire transfers, or the sale of personally identifiable information
- Opportunity for Compromise: Business email channels are leveraged by attackers through hijacked or bogus accounts and used to trick unwitting employees into surrendering data
- Potential Result: Reputation damage, financial losses through fines and/or lawsuits, and loss of employee and customer trust
WHAT IS BUSINESS EMAIL COMPROMISE?
PHISHING EXPLOITS POSE A SERIOUS THREAT TO ALL BUSINESSES FOR TWO REASONS: EVERYONE USES EMAIL AND PHISHING EXPLOITS WORK.
Business Email Compromise (BEC) is a technique in which cybercriminals use bogus employee email messages to collect a business’s sensitive employee or financial information. BEC is most often used in conjunction with spearphishing (phishing emails that are well crafted and customized to deceive targeted readers) of executive leaders, financial and payroll staff, or HR employees.
“Malicious hackers use social engineering exploits to take advantage of human interactions, weaknesses, and nature to trick people into performing a task. Time and again this has proven to be an effective tactic, especially when combined with phishing,” said Smith. “Here at R9B, our red team operators have over a 90 percent success rate using social engineering exploits in penetration tests.”
BEC attacks most often involve cybercriminals impersonating legitimate executives within the targeted organization to trick unwitting employees into trusting the email sender and fulfilling the cybercriminal’s request.
EXAMPLES OF PHISHING EMAIL MESSAGE SUBJECTS AND CONTENT
- “View changes to your pay stub”
- “Review your W-2 forms…”
- “Emergency audit this week! Please send all company W-2 forms to [cybercriminal’s email address]”
- “You are to update your IRS e-file immediately…”
- “Happy new year to you and yours. I want you to help us file our tax return this year as our previous CPA/account passed away in October. How much will this cost us? …hope to hear from you soon.”
- “I got your details from the directory. I would like you to help me process my tax [sic]. Please get back to me asap so I can forward my details.”
All industries are at risk of BEC, and its popularity among cybercriminals has grown in recent years.
ACCORDING TO A MAY 2017 FBI PUBLIC SERVICE ANNOUNCEMENT, THERE WAS A 2,370% INCREASE IN ACTUAL AND ATTEMPTED LOSSES RELATED TO BUSINESS EMAIL COMPROMISE SCAMS IN THE UNITED STATES AND 131 COUNTRIES.
BEC campaigns are more advanced than general phishing, requiring elements of both social engineering and footprinting (open source research of the targeted individual and organization) to discover the names and positions of employees with authority over either financial or tax information. Cybercriminals then use this information to craft personalized messages for targeted individuals. According to Smith, “It’s not uncommon to see highly crafted emails that reference key proprietary or sensitive data points such as project names, customers, or known company procedures. All of this is done to convince the target that the message is legitimate.”
“Messages that leverage fake or compromised executive accounts are often written in a style that creates a sense of urgency and stress,” Smith said. “For example, cybercriminals send messages to targeted employees late in the work day, after hours, or request an immediate response or action. This stated urgency, combined with legitimate internal data points, and the belief that the request is coming from the CEO or another executive, creates an opportunity for compromise and increases the likelihood that the target will execute the cybercriminal’s request.”
Most attacks using business email compromise will attempt to lure targets into completing one of four actions:
- Send confidential files directly to the cybercriminal’s email account
- Open a malicious document (.pdf or .doc) that includes malware capable of allowing the cybercriminal to access the target’s network
- Click on a URL embedded in the email that redirects the target to a malicious website
- Complete a fraudulent wire transfer to the cybercriminal’s account
BEC AND TAX-RELATED SCAMS
The information found in tax forms such as the standard W-2 is highly valuable to cybercriminals who are motivated by the prospect of financial gain. For example, W-2 tax forms include sensitive employee information such as name, home address, Social Security number, and salary. “Cybercriminals will use this information to further profile victims and enhance the content of future spearphishing emails or to attempt identity theft. We have also seen evidence of the sale of this data on dark web market places and forums,” said Smith. “The potential for a greater yield of stolen information also increases when an organization is targeted for compromise. Successfully phishing one individual will provide one W-2; a single successful phish of an organization may lead to dozens or even hundreds of W-2s.”
WHAT INFORMATION IS TARGETED IN TAX-RELATED CYBERCRIME?
- Taxpayers’ financial information
- Personally Identifiable Information (PII)
- Businesses’ financial and wire transfer information
- Tax refunds
- Tax records
WHAT ARE THE CONSEQUENCES OF BEC?
According to Smith, the consequences of falling victim to BEC vary greatly by attack and industry, but are always serious. “In general, businesses can expect some financial loss, either through fines, lawsuits, fraudulent wire transfers, or post-attack investigation. Security breaches also have the ability to damage the trust and reputation that businesses work so hard to establish. Employees and customers trust and expect a high level of security when it comes to safeguarding their personal data. Forfeiting data, knowingly or not, erodes that trust and will require the organization to invest time and capital into rebuilding it,” said Smith.
WHAT CAN BUSINESSES DO TO PROTECT AGAINST TAX-RELATED SCAMS?
“Unfortunately, phishing attacks are a reality of doing business today, therefore all organizations must accept some level of risk. However, an organization’s chances of preventing a serious breach of information are greatly improved by encouraging employees to take proactive and defensive steps when dealing with email,” said Smith.
NINE PROACTIVE STEPS TO KEEPING INFORMATION SAFE
- Companies should conduct awareness training for all employees, especially for members of the senior executive team, HR professionals, and any financial specialists (e.g. CPAs).
- Urge discretion when posting professional titles on LinkedIn. These profiles can be leveraged by cybercriminals in social engineering exploits. A cursory search of LinkedIn found almost 6,841 accounts that associated themselves with “Payroll Tax Manager.”
- Expect to see phishing emails with themes that claim to inform readers about new changes to the US tax code.
- Create email alerts that notify employees when messages originate from senders outside of the organization’s network.
- Enforce Multi-Factor Authentication (MFA), especially for services that specialize in managing financial and personnel records.
- Know the vendors your organization depends on and heed legitimate vendor security alerts and recommendations. If you receive a request from your vendor, don’t click on any links. Instead navigate to the website independently or even call customer service to confirm any solicitation for information.
- Establish corporate cybersecurity policy and procedures for sharing tax related information, both internally and externally; create a “norm” that employees know and follow.
- Read all emails carefully and note consistent errors in spelling or speech pattern. These may be signs of machine translations, which are commonly used by non-native language speaking cybercriminals.
- Be vigilant and skeptical when an action is requested by email such as resetting a password, viewing a file, or sharing information. Never open an attachment or link from an unknown or suspicious source. It may infect your computer with malware or attempt to steal your information.
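One way to implement the external-sender alert from the list above, extended with the executive-impersonation and tax-lure patterns the article describes (an executive’s display name on an external address, a Reply-To that does not match the sender, W-2 and pay-stub themes, urgency language). This is an added example written for this page, not code from the original article or from R9B; the organization domain, the executive names and the three sample messages are constructed assumptions.

```python
"""Tag inbound mail that matches the BEC patterns described in the article.

All of the data below is constructed for illustration: the internal domain,
the executive list and the sample messages are assumptions, not real records.
"""
import re
from email.utils import parseaddr

ORG_DOMAIN = "example.com"  # assumed internal mail domain

# Display names a spoofer is likely to borrow (constructed list of executives)
EXECUTIVE_NAMES = {"jane doe", "john roe"}

# Lure themes drawn from the subject lines quoted in the article
TAX_KEYWORDS = re.compile(
    r"\b(w-?2|pay stub|irs|e-file|tax (return|code|records?)|audit|1099)\b",
    re.IGNORECASE,
)
# Pressure language typical of BEC requests
URGENCY_KEYWORDS = re.compile(
    r"\b(immediately|asap|urgent|emergency|this week)\b", re.IGNORECASE
)


def sender_parts(header_value):
    """Split a From/Reply-To header into (display name, address, domain)."""
    name, addr = parseaddr(header_value)
    domain = addr.rsplit("@", 1)[-1].lower() if "@" in addr else ""
    return name.strip().lower(), addr.lower(), domain


def classify(message):
    """Return the list of reasons a message deserves a warning, in check order."""
    name, _addr, domain = sender_parts(message.get("from", ""))
    text = f"{message.get('subject', '')}\n{message.get('body', '')}"
    reasons = []
    external = domain != ORG_DOMAIN
    if external:
        reasons.append("external_sender")
    # An executive's name on a non-company address is the classic BEC spoof
    if external and name in EXECUTIVE_NAMES:
        reasons.append("executive_display_name_from_external_domain")
    # Replies silently routed to a different domain than the visible sender
    reply_to = message.get("reply-to")
    if reply_to and sender_parts(reply_to)[2] != domain:
        reasons.append("reply_to_domain_mismatch")
    if TAX_KEYWORDS.search(text):
        reasons.append("tax_theme")
    if URGENCY_KEYWORDS.search(text):
        reasons.append("urgency_language")
    return reasons


def tag_subject(message):
    """Prefix the subject with the warning tags the mail gateway would add."""
    reasons = set(classify(message))
    subject = message.get("subject", "")
    tags = []
    spoof_signals = {"executive_display_name_from_external_domain",
                     "reply_to_domain_mismatch"}
    if "tax_theme" in reasons and spoof_signals & reasons:
        tags.append("[SUSPECTED BEC]")
    if "external_sender" in reasons:
        tags.append("[EXTERNAL]")
    return " ".join(tags + [subject]) if tags else subject


# Constructed sample messages: one benign internal note, one executive spoof
# modelled on the "emergency audit" lure, and one pay-stub lure with a
# mismatched Reply-To.
SAMPLE_MESSAGES = [
    {"from": "Jane Doe <jane.doe@example.com>",
     "subject": "Q1 planning",
     "body": "Let's meet Tuesday to go over the roadmap."},
    {"from": "Jane Doe <ceo.janedoe@mail-example.net>",
     "subject": "Emergency audit this week!",
     "body": "Please send all company W-2 forms to me asap."},
    {"from": "Payroll <notices@hr-portal.example.net>",
     "reply-to": "refunds@other.example",
     "subject": "View changes to your pay stub",
     "body": "Your updated pay stub is available."},
]

if __name__ == "__main__":
    for msg in SAMPLE_MESSAGES:
        print(tag_subject(msg), "->", classify(msg))
```

The checks are deliberately independent: an external sender alone only earns the `[EXTERNAL]` banner the article recommends, while the stronger `[SUSPECTED BEC]` tag requires a tax theme combined with a spoofing signal, which keeps ordinary vendor mail from being flagged as an attack.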
WHAT DO YOU DO IF YOU SUSPECT YOU HAVE BEEN TARGETED?
The IRS has acknowledged the problem of tax-related cybercrime and is taking steps to prevent attacks. The IRS encourages you to report any suspected tax-related phishing to firstname.lastname@example.org.