Each year, cybercriminals gather on the dark web in preparation for one of the great cybercrime events in the world: Tax Day in the United States. As millions of Americans prepare to file their taxes on Wednesday, hackers are taking to the infamous dark web marketplaces in a flurry of activity aimed at the buying and selling of illicitly obtained and highly sensitive personally identifiable information such as Social Security numbers, W-2s, full addresses (including names), phone numbers and email addresses.
These materials are then used to file fraudulent tax returns, allowing attackers to collect large sums of money and leaving average citizens in the confusing and frightening position of filing their return only to be told that they have already filed. As many have reported, the situation has only been exacerbated by the pandemic and resulting deadline extension.
In 2019, our Tax Day report found a large volume of sensitive records including W-2s, SSNs, and 1040s for sale at relatively low costs, ranging from $1.04 to $52, and now in 2020 we see much of the same activity. The consequences of falling victim to this sort of fraud are near catastrophic, causing financial hardship, legal complications, and of course personal stress. That’s why I wanted to provide further insights into the dark web economy around tax fraud, as well as tips and insights into how filers can stay safe during this time.
When attempting to understand a problem, it’s always helpful to learn more about it. In this case, understanding the dynamics of the buying and selling of personal information for the purposes of tax fraud helps us understand what’s possible, and gives a sense of the data a criminal needs in order to carry out a successful theft.
One of the most common trends we see on dark web marketplaces is sellers and buyers dealing in bulk purchases (usually somewhere around 1,000+) of records relating to an individual. These bulk collections, commonly referred to as “fullz,” are bundled at a cost of anywhere from $0.25 to $1,000 per record, with the pricing ultimately depending on the net worth of the individual in question as well as the country in which they reside. Beyond bulk deals, we also see tiered pricing for the sale of records, where purchasers can buy some records for a reduced price rather than getting an entire collection.
It’s worth noting that the varied offerings on these sites offer insights into their user base. The pricing and offerings cater to both ends of the spectrum in terms of hackers: from seasoned veteran hackers with significant resources to newbies just getting their feet wet and looking for a cheap cash-in. In fact, there are some sellers who offer a full-service experience, not only selling records, but also in-depth guides on how to leverage stolen records to file a false return, open up new credit cards, and take out loans all without being discovered. The dark web economy has become very active, and you don’t need to be wealthy to get victimized.
These circumstances are cause for concern. Falling victim to a false filing and subsequent identity theft can be a nightmare scenario, and for someone who wouldn’t even know where to find a dark web marketplace, it’s a daunting task to protect yourself from what goes on there. Fortunately, there are a number of relatively simple best practices you can employ that will significantly reduce your risk of being defrauded. By following these five steps, you can make it exceedingly difficult for hackers to access your sensitive data and file your tax return with confidence.
- Always use a secure browser. Anytime you’re inputting sensitive information such as a Social Security number, and especially when filing, use a secure and up-to-date browser. I use Firefox, but there are a number of other options. Whatever you choose, make sure that it’s updated to the latest version.
- Never use public Wi-Fi. You should always follow this tip, but especially when filing taxes. Hackers will often set up fake networks or snoop on the traffic of legitimate ones to steal sensitive data, so don’t file your taxes while working at the local coffee shop.
- Set up two router networks. Many people don’t realize it, but most Wi-Fi routers can simultaneously host two networks. By keeping sensitive network activity on one network and personal activity on the other, you can prevent hackers from jumping from one to the other if one network gets breached. Filing your taxes on the sensitive network should help keep your transaction more secure.
- Demand cybersecurity precautions from your accountant or tax firm. The next time you visit your accountant or tax firm, ask about their cybersecurity practices. Ask about encryption, but don’t just settle for that. You’re paying a fee to get your taxes filed by a third party, so it’s important to ensure they’re investing in cybersecurity. Ask your accountant or tax firm if they’re practicing microsegmentation. With many tax professionals now working remotely and consulting via phone or video, make sure they have the proper security controls on the device used to process your tax return.
- Be vigilant. Cybercriminals often gather the data used to file a false return before Tax Day. Be careful about what sites you’re visiting, which links you’re clicking, and where you’re inputting sensitive data. If something looks suspicious, stay away.
Filing taxes causes great stress for many people, and when compounded with the risk of identity theft or fraud, the anxiety associated with filing can seem overwhelming. But by following the five tips and practicing good cyber hygiene, you can significantly reduce the risk of fraud. The five steps represent both simple and effective ways for you to keep the hackers out of your personal data. You can now file with ease, knowing that you’ve filed safely and you won’t wake up to find an unwanted second mortgage on your credit report.
Tom Kellermann, head cybersecurity strategist, VMware Carbon Black