With tax season approaching, tax refund sales are on the rise again on the dark web. According to various cyber security firms, including IBM X-Force, 20 million samples of tax-themed spam and scams are captured on a daily basis by the company’s system.
In February, DeepDotWeb reported the first case of a W-2 form sale on the dark web, discovered by Krebs on Security founder Brian Krebs. While surfing the dark web, Krebs discovered a massive database of W-2 forms, a type of tax return form sent by an employer to an employee and the Internal Revenue Service at the end of the year.
“This particular shop — the name of which is being withheld so as not to provide it with free advertising — currently includes raw W-2 tax form data on more than 3,600 Americans, virtually all of whom apparently reside in Florida. The data in each record includes the taxpayer’s employer name, employer ID, address, taxpayer address, Social Security number and information about 2016 wages and taxes withheld.”
The W-2 form contains a wide range of information such as name, address, revenue and financial information. Using this data, a cybercriminal group can file for tax returns ahead of the actual recipient. If a cybercriminal successfully receives the tax refund before the valid recipient has the chance to do so, the refund cannot be claimed again in the future.
Moreover, the sensitive personal and financial data stored in a W-2 form can by itself be used for other crimes and illicit activities such as identity theft. Thus, the demand for bulk sales of W-2 forms is relatively high on the dark web.
Limor Kessem, executive security adviser of IBM Security, stated that tax filing information is the most valuable type of data that criminals operating on the underground can acquire. Kessem explained:
“Tax filing information is probably the most premium type of record criminals can buy on the underground. It goes for $40 or $50, and unlike credit cards, never expires. People can try and get loans in someone’s name, make fake IDs in people’s names, get credit.”
Unlike credit card information or alternative types of financial data, tax records never expire. For that reason, Kessem noted that the demand for W-2 forms on the dark web is increasing at an exponential rate.
Currently, two types of tax refund forms are being sold on the dark web: the W-2 and W-9 forms. Criminals on the underground usually seek out a “Fullz” database of tax refunds, which includes both the W-2 and W-9 forms. According to Kessem, Fullz is labeled “superior” on the dark web and is often sold at a high price of US$40 in bitcoin per record.
IBM X-Force security experts and researchers provided a sample of a Fullz record currently being sold on the dark web.
If employers or companies fail to implement appropriate and efficient security measures, the probability of employees’ W-2 and W-9 tax records being leaked or stolen increases significantly. Analysts suggest that employees file for tax refunds as early as they can to avoid being affected by tax refund scams.