IRS makes tax refund scams harder but W-2 phishing attacks continue unabated


Anti-fraud measures by the Internal Revenue Service (IRS) and state agencies over the past two years have made tax refund scams harder for cyber criminals to pull off even as attacks targeting taxpayer information continue unabated.

So far this year, at least 124 organizations have disclosed incidents in which an office worker or payroll processor inadvertently leaked employee W-2 data after being conned by a phishing email purporting to be from the CEO or other senior company official.

The biggest so far is an incident at American Senior Communities in which W-2 data belonging to 17,000 employees was compromised after a payroll processor provided the information to an offshore scammer posing as a top company executive. ASC officials discovered the leak only after several employees complained of being unable to file their 2016 taxes because someone else had already filed them.

As in previous years, a majority of victims are school districts, a list shows. But numerous businesses, healthcare organizations and government agencies have been hit as well. Some of the breaches, like the ones at Amalgamated Sugar and Autoneum North America, exposed W-2 data on more than 2,000 employees, while others were smaller in scope, affecting tens of employees.

Looking beyond W-2 data

Another change that has begun emerging is the quest by hackers for taxpayer data that goes beyond what is contained in W-2 forms.

IRS anti-fraud measures, such as a new 16-digit alphanumeric authentication code on W-2 forms, have made it harder for scammers to file fraudulent tax returns using only stolen W-2 data, says Adam Meyer, chief security strategist at SurfWatch Labs.

Figures show that the number of fraudulent tax returns that made it into the agency’s tax processing systems last year was nearly 50 percent lower than in 2015. Between January and September 2016 the agency blocked some 787,000 tax returns that had been fraudulently filed, preventing more than $4 billion in losses in the process.

In the same period a year before, about 1.2 million fraudulently filed returns representing over $7.2 billion in refund claims found their way to IRS processing systems before being blocked. In all, the total dollar amount of suspect refunds through Sept 2016 was $239 million, or almost $600 million lower than in 2015.

Phishing and other attacks targeting individual taxpayers also appear to have decreased significantly compared to last year, says Joseph Opacki, vice president of threat research at PhishLabs.

Over the past year, there has been a nearly 66 percent decrease in unique phishing domains targeting IRS and tax preparation firms combined and a 75 percent decrease in domains solely targeting the IRS, Opacki said.

A collaborative effort

The drop-offs appear to be the result of work that the IRS has been doing with the help of the tax industry and state tax agencies to curb fraud.

Starting this year, for instance, all tax returns transmitted by tax preparation firms to the IRS contain 32 new data elements for authenticating taxpayer identity.

Tax agencies in nearly two dozen states are working with financial services companies to create a system for flagging suspicious refunds before they get deposited into an account or prepaid card. In most cases, the changes will be all but invisible to taxpayers and, presumably, to those attempting to file returns fraudulently on their behalf.

The 16-digit W-2 verification code—being tested on some 50 million W-2s this year—is another initiative designed to combat fraud, though some, like PhishLabs’ Opacki, are not confident about how useful this particular measure will be.

“Phishers can incorporate entry of the verification code into their phishing page, like we see done with security questions, PIN, or any other attempts at unique identifiers,” he says.
