Cybercriminals trading tax pro ID numbers on the dark web
The Internal Revenue Service and its tax industry and state tax authority partners in the Security Summit issued a warning Friday to tax professionals, cautioning them to safeguard their Electronic Filing Identification Numbers and Centralized Authorization File numbers to protect them against cybercriminals.
The IRS noted that cybercriminals are posting stolen EFIN and CAF numbers, along with Preparer Tax Identification Numbers, on the Dark Web as a crime kit for identity thieves who can then use the stolen information to file fraudulent tax returns. EFINs are necessary for tax professionals or their firms to file client returns electronically. PTINs are issued to those who, for a fee, prepare tax returns or claims for refund. CAF numbers are issued when tax practitioners or their firms file a request for third-party access to client files.
Roman Y. Sannikov, director of European research and analysis at the business risk intelligence firm Flashpoint, has seen instances where cybercriminals are discussing on the dark web how they have been accessing information from tax professionals through a technology called Remote Desktop Protocol. “This is a means that the criminals use to gain access to people’s desktops,” he told Accounting Today. “Basically they call them servers because it’s a way for them to send information through them, but it is actually just a computer that has been compromised by a criminal. They will use it as a bot, as a means to do what they need them to do. They can collect information that is stored there. They can also make these computers do things remotely, without the knowledge of the actual owner of the system.”
The technology acts as a botnet under the control of the cybercriminal. “The IRS has been trying to prevent these fake or unauthorized filings by fingerprinting people’s computers or associating specific IPs, or IP ranges, with what you file,” said Sannikov. “For example, if for the last two or three years you file from a certain IP [address] and your information—your expenses, your salary—is fairly consistent, that means it’s most likely that you are the legitimate filer. A lot of the people who are filing these are not actually located in the United States. They need to use computers that are located here in the U.S. for the IRS to authenticate the filer. We’ve been noticing that they are using tax preparers to not only attempt to gather information that they may have on people’s personal information or company information, but they’re also using the IPs that these computers are on. Once you have a trusted company, be it some mom and pop shop, the IRS sees from this IP that this computer has been filing multiple tax returns for the last several years, and it will be much more likely to approve or accept returns that are coming from this computer than it would be from some random computers.”
To help tax professionals, the IRS has produced a new video and posted a web page, How to Maintain, Monitor and Protect Your EFIN, on its website to provide tips to tax practitioners on safeguarding their information. The IRS recommends tax pros update their EFIN application within 30 days of any change, including if there are new employees, phone numbers, addresses or email addresses at their firm. Keeping the application up-to-date means any correspondence from the IRS will go to the right person and address. EFINs can only be received from the IRS and aren’t transferable in case a firm is sold. New office locations may need their own EFIN if tax returns are also filed from there. The IRS suggested tax pros should do a weekly check of their EFIN to determine how many returns were filed under their number. Practitioners should select “EFIN status” from their EFIN application within e-Services. If the number is too large, tax pros should contact the IRS e-Help Desk to report the discrepancy.
Tax professionals who are attorneys, CPAs, enrolled agents or participants in the Annual Filing Season Program and who file 50 or more returns also can check on the number of tax returns filed under their PTIN that are processed by the IRS in the current year. The information is updated weekly and can be located by going to their online PTIN account and selecting “View Returns Filed Per PTIN.” Both the EFIN and PTIN status checks can help quickly identify any unusual activity.
Tax professionals can also help protect their EFINs from theft by avoiding phishing emails, which cybercriminals commonly use to trick practitioners into disclosing sensitive information. Practitioners should review the Don’t Take the Bait campaign to familiarize themselves and their staff members with the various tactics used by cyberthieves.
A CAF number is a unique nine-digit identification number that’s assigned the first time a recognized representative files a power of attorney or third-party authorization with the IRS. Tax practitioners use the CAF number assigned by the IRS on all future authorizations. The IRS suggested tax professionals do an annual review to identify any outstanding third-party authorizations for people who are no longer their clients. Practitioners should also review the instructions for Form 2848, Power of Attorney and Declaration of Representative, or Form 8821, Tax Information Authorization, for more information on withdrawing representation of a client.
Sannikov visited an IRS training facility this week and did a presentation for the employees about how cybercriminals are using such information gleaned from tax professionals. “They pretty much backed up my suspicions,” he said. “They said that they are seeing some situations where the businesses are being compromised. Instead of just going after the individuals, they’re really going after the businesses where they can get more information and where they can then use the business’s infrastructure to help facilitate the fraud.”
The cybercriminals are able to exploit the willingness of tax preparers to help their clients, leveraging resources they can find in the darker reaches of the internet. “Social engineering has been around for quite some time, and they have professional services that write these kinds of spam messages,” said Sannikov. “The underground, the deep web, it really is an ecosystem where you have a lot of specialized individuals. For example, the people that are filing the tax returns are not necessarily the same people that are infecting [computers], or who are writing the spam or phishing messages. They know what they’re doing. They’re pretty sophisticated when it comes to working on people’s emotions, and they see that businesses and business owners are generally trying to be helpful. If you get a message saying, ‘I just got this horrible letter from the IRS. Help, I’m freaking out. My spouse is on the balcony or on the ledge. Can you please look at this and tell me what it says?’”
The recent tax law is also creating more confusion, leading preparers to seek out information from a wider array of sources than the IRS about the implications of the hastily drafted Tax Cuts and Jobs Act.
“Recently, this year we’ve seen some conversations about all the changes that are happening, and I think there’s obviously a lot of confusion,” said Sannikov. “There’s a lot of individuals, including professional accountants and tax preparers, who are really looking for any kind of guidance about this kind of information. This has been a year when people are even more likely to click on things because it happened in such a short period of time that people are really looking for any kind of information on the new tax law. All of these changes are actually facilitating the phishing and the compromises of these computer systems.”
The IRS’s budget cuts mean that it’s harder to reach telephone assistors there who might be able to answer questions or verify logins.
“I can tell you that I myself was having a hard time reaching when I had a question about my login information,” said Sannikov. “I spent over half an hour on the phone, and I was not able to reach anyone. I think that it’s a perfect storm with a lot of changes and a lot of people calling in, and some confusion, and the criminals know what they’re doing. Certainly, anytime there is any kind of confusion, they try to take advantage of it.”
To better protect tax pros and taxpayers, the IRS toll-free telephone assistors are now asking for additional identity-proofing information from tax practitioners. In cases where tax practitioners are reluctant to provide additional identity-proofing information, for example if the client is present in the practitioner’s office at the time they are filing the return, the IRS said the tax practitioner should either ask the client to step outside or put them on the phone to make an oral authorization to the IRS assistor.
Cybercriminals are also filing amended tax returns, taking advantage of the additional personal information that is being collected and assembled on the Dark Web.
“We’ve seen individuals talking about years in the past, so we’ve had people in 2018 looking for or talking about tax returns or tax prep software from 2016,” said Sannikov. “What that leads us to believe is that they’re actually going in and filing amended tax returns, going back a number of years. Now, you have individuals who are opening up bank accounts under the real names, because they have to match up with the tax returns. But they are getting fake documents and opening bank accounts in the names. That’s something we see discussed on these forums, where individuals will say, ‘We have access to certain information. We need people who can open up accounts to receive these refunds or to receive these transfers.’ And we think in some instances they’re also talking about actual physical checks. Individuals will get fake identification in the name of the individual that’s provided by the people who are actually committing the fraud. Then they will go in and open up the accounts. Frequently the way they settle up among themselves is by getting a certain percentage, so each party gets a certain percentage of a successful refund.”
This seems to be an increasing trend, as opposed to past tax seasons when cybercriminals were usually just filing returns for the previous year.
“That’s something we have seen more of this year, looking back at former years,” said Sannikov. “People are talking about things that have passed. Usually they’re talking about ‘Hey, we’re gearing up for the 2017 or 2018 season. We need people who can do this now.’ But what we’ve seen recently is people talking about past years, which is a somewhat different situation.”
They are also turning to services on the dark web that will help them assemble enough information to get past the IRS’s identity verification filters.
“We have a situation where there’s been so much personal information out there because of a lot of different breaches,” said Sannikov. “People have a tendency to think, ‘Well, this happened a certain time ago, and the data is no longer valuable.’ But what we actually have is individuals who will collect this data and will then continue holding it and will then put together these profiles of individuals as more data comes in. We have, for example, services. Sometimes people get access to personally identifiable information and they really don’t know what to do with it. Some of these criminals are looking for credit cards, and they come across this. Sometimes they will just dump it for free on some of these forums because they personally don’t know how to process it. There will be people who collect this information, and they’ll store it. Then as new information comes in from subsequent breaches, they will attempt to match up the various types of information in order to create a profile. They can go in and see everything about an individual.”