IRS Warns Car Dealers of New Phishing and Smishing Threats


 

The Internal Revenue Service (IRS) has issued an urgent warning to car dealers and sellers across the United States, highlighting a surge in sophisticated phishing and smishing scams targeting the automotive industry. These cyber threats pose a significant risk to the daily operations of businesses, potentially leading to severe disruptions.

The warning follows a recent ransomware attack on CDK Global, a software provider for car dealerships. This cyberattack affected approximately 15,000 dealerships nationwide, crippling their scheduling, sales, and order systems. Some dealers were forced to revert to manual processes to continue their operations. In response to the attack, CDK Global reportedly paid a $25 million ransom to regain control of their systems.

According to the IRS, scammers are increasingly impersonating the agency to extract sensitive financial and personal information. These fraudulent communications often come in the form of emails or text messages, urging recipients to click on suspicious links, download malicious files, or provide confidential details. The IRS emphasised that such tactics are a "favourite" among cybercriminals.


Recommendations for Protection

To safeguard against these scams, the IRS provided several recommendations for both businesses and individuals:

1. Stay Alert to Fake Communications: Be cautious of unsolicited messages that appear to come from legitimate organisations, friends, or family. These messages may impersonate banks or other financial entities to deceive recipients into clicking harmful links.

2. Avoid Clicking Unsolicited Links: Never click on links in unsolicited emails or text messages, as they may lead to identity theft or malware installation.

3. Verify the Sender: If you receive a suspicious message, verify its authenticity by contacting the sender through a different communication method. Do not use contact information provided in the unsolicited message.

4. Do Not Open Attachments: Avoid opening attachments in unsolicited emails, as they can contain malicious code that can infect your computer or mobile device.

5. Delete Suspicious Emails: To prevent potential harm, delete any unsolicited emails immediately.


Vigilance is Key

The IRS stressed the importance of vigilance in the face of these evolving cyber threats. By following the recommended precautions, car dealers and sellers can reduce their risk of falling victim to phishing and smishing scams. As cybercriminals continue to refine their tactics, staying informed and cautious remains crucial for protecting sensitive information and maintaining business continuity.


Teachers' Taxes Fraudulently Filed in Glendale Ransomware Attack

 

The Glendale Unified School District recently found itself at the center of a distressing situation when teachers, nurses, counsellors, and other faculty members received an unexpected notification from the IRS: their taxes had already been filed. What unfolded was a troubling revelation — the district had fallen victim to a ransomware attack, compromising sensitive data and leaving employees grappling with the aftermath. 

The attack, which occurred in December, targeted the school district's system, locking employees out and demanding a ransom for the safe return of their data. The stolen information included employee and student details such as names, addresses, dates of birth, Social Security numbers, and financial account information. As if that wasn't alarming enough, the breach's full extent became apparent when employees attempted to file their taxes, only to discover that fraudulent filings had already been made using their information. 

In the wake of the breach, at least 231 union members found themselves impacted, facing the arduous task of verifying their identities with the IRS to rectify the situation. The district took swift action, partnering with law enforcement agencies and cybersecurity experts to investigate the incident's scope and potential risks to employees and students. Despite the district's efforts to address the breach, some employees expressed dissatisfaction with the handling of the situation. 

Criticism centered around the perceived lack of transparency and timely communication regarding the breach. While the district maintained that it promptly informed the community about the incident and provided regular updates, employees felt otherwise, describing the information release as a "slow drip of updates." 

Amidst the fallout, concerns lingered about the compromised data's implications and the district's ability to safeguard against future attacks. School districts, while not prime targets for ransomware attacks, are vulnerable due to their extensive networks and numerous vulnerabilities. The complexity of securing these systems underscores the challenges faced by educational institutions in safeguarding sensitive information. 

Looking ahead, affected employees face an uphill battle in reclaiming their financial security, with the process of rectifying fraudulent filings expected to be prolonged and cumbersome. Despite assurances from the district and ongoing efforts to mitigate the breach's impact, the incident serves as a stark reminder of the ever-present threat posed by cybercriminals and the critical need for robust cybersecurity measures in educational institutions.

Kraken to Provide 42,000 Consumers' Data to IRS Following Court Order

 

Kraken, a cryptocurrency exchange, has announced that it will comply with a June court order by providing the Internal Revenue Service (IRS) with data on tens of thousands of its users. 

In particular, the company will divulge data on cryptocurrency transactions valued at more than $20,000 that Kraken customers made between 2016 and 2020. Users with addresses in the United States who made these sorts of transactions will have their account history, name, date of birth, Tax ID, address, and contact details forwarded to the IRS.

The company stated last week that emails were sent to every Kraken customer who was impacted by the announcement. A representative for Kraken also verified the development with Decrypt. The firm intends to share the user data in early November. 

After two years of litigation over data sharing between the federal government and the privacy-minded cryptocurrency company Kraken, a federal judge in June ordered Kraken to provide such information to the IRS. 42,017 Kraken accounts are expected to be impacted by the decision, according to court documents in that case. 

Even though Kraken had adamantly refused to give the IRS the information it is now obligated to provide, the company is portraying the situation as a win for privacy advocates and its legal battle with the IRS as having ultimately stopped a larger breach of users' personal data.

“We objected to the IRS’s demands and fought the summons, because it sought intrusive and unnecessary information about U.S. clients, including IP addresses, employment information, sources of wealth, net worth, and banking details,” a Kraken spokesperson said in a statement shared with a local media outlet. “We convinced the court to reject these demands. Kraken will always stand up for the privacy of its clients as it did here.”

The exchange is not the first cryptocurrency firm to be compelled to abide by the IRS's requirements. In 2018, a federal judge ordered the American cryptocurrency exchange Coinbase to hand over certain user data to the tax collection agency. 

Another federal court in 2020 granted the IRS legal authority to search the records of cryptocurrency payments company Circle for data related to similar transactions of $20,000 or more made between 2016 and 2020. In addition, the agency secured a court order last year to acquire the same information from crypto prime brokerage SFOX.

IRS Sends Cyber Attachés Abroad to Combat Cybercrime

 

The Criminal Investigation (CI) of the Internal Revenue Service (IRS) is taking a courageous initiative in the fight against cybercrime by sending cyber attachés across four continents. Earlier on Thursday, the regulator provided this update.

The most recent plan focuses on preventing tax and financial crimes involving cryptocurrencies, decentralised finance, peer-to-peer payments, and mixing services; the CI hopes to improve global cooperation in the struggle against these illegal practices.

The effort highlights the IRS's dedication to always being one step ahead of cybercriminals in the rapidly changing digital environment. 

Beginning of the global cyber showdown

A pilot programme run by the IRS CI will begin in June and place cyber attachés in key sites throughout the world. Sydney, Singapore, Bogota, and Frankfurt were selected as the cities for deployment, representing Australia, Asia, South America, and Europe, respectively. 

These attachés will use their specialised expertise in close cooperation with regional law enforcement organisations to combat tax evasion, financial fraud, and other illegal actions made possible by digital currency. 

The IRS CI seeks to foster a seamless interchange of knowledge, information, and resources with foreign counterparts by stationing cyber attachés abroad. This proactive strategy recognises that a unified worldwide front is necessary to effectively battle cybercrime.

Jim Lee, Chief of the CI, emphasises the significance of providing international partners with the same level of expertise and resources as those available within the United States. To address the global scope of cyber threats, this programme will need to forge powerful multinational coalitions. 

The use of cyber attachés expands on the CI's prior international cooperation initiatives. A permanent cyber attaché from the CI has been based at the Europol headquarters in The Hague, Netherlands, since 2020. 

To promote collaboration and coordination with European law enforcement authorities, this role was created. With the expansion of the attaché programme, the CI is now able to reach more people and have a greater influence in areas that are known to be hubs for cybercriminal activity. 

An emphasis on crypto-inspired crimes 

Cybercriminals are using cryptocurrency for different illegal activities as the world becomes more digitised. The IRS's decision to give tax and financial crimes involving cryptocurrencies top priority shows how determined it is to confront these new dangers head-on. 

The CI attempts to safeguard people, businesses, and the economy by focusing on criminal activity such as tax fraud, drug trafficking, money laundering, public corruption, and healthcare fraud.

U.S. authorities are increasingly going after cybercriminals, especially those who use cryptocurrencies or decentralised finance (DeFi) to commit their crimes. In a recent development, the IRS seized two domains connected to the mixing service ChipMixer, which is notorious for its involvement in hacking schemes, fraud, cryptocurrency heists, and ransomware operations.

Such measures strongly suggest that law enforcement organisations are aggressively going after persons who use digital currencies for illegal purposes. Nevertheless, despite the ongoing cybercrimes in the sector, the cryptocurrency market has remained calm. With a valuation firmly above $1 trillion, the global cryptocurrency market has lost 1.1% during the last 24 hours.

The IRS is Deploying Four Investigators Across the Globe to Combat Cybercrime

 


Starting this summer, the Internal Revenue Service (IRS) intends to dispatch four cybercrime investigators to Australia, Singapore, Colombia, and Germany. These four new jobs indicate a major boost in the IRS's global efforts to combat cybercrime involving cryptocurrency, decentralized finance, and bitcoin laundering services.

In recent years, IRS-CI agents have played a key role in investigating crimes on the dark web as part of landmark international operations such as the shutdown of the drug and hacking services marketplace AlphaBay and the arrest of its administrator, the bust of the internet's largest child abuse website, and the takedown of a marketplace for stolen Social Security numbers, among others.

Until now, the IRS has had only one cyber investigator abroad, in The Hague, Netherlands, who has been mostly working with Europol since 2021. Guy Ficco, the IRS's executive director for worldwide operations policy and IRS-CI support, initially mentioned the expansion during a panel discussion at the Chainalysis Links conference on April 4.

“Starting really now we’re going to be piloting for additional posts, putting dedicated cyber attaches in Bogota, Colombia, in Frankfurt, Germany, in Singapore, and in Sydney, Australia,” Ficco said. “I think the benefits have been — at least with the Hague and with Europol posts — have been very tangible.”

In an email, IRS spokesperson Carissa Cutrell explained that the four new positions are part of a pilot program that will run for 120 days, from June to September 2023, and are designed "to help combat the use of cryptocurrency, decentralized finance, and mixing services in international financial and tax crimes." Following the 120-day pilot program, the IRS will decide whether to keep the agents in the new countries.

“Success will hinge on the attachés’ ability to work cooperatively and train our foreign law enforcement counterparts, and build leads for criminal investigations,” Cutrell said.

According to Chris Janczewski, a special agent in the IRS-CI Cyber Crimes Unit, expanding the IRS's presence abroad is crucial to expediting foreign investigations.

“The U.S.-based case agent can’t always travel to coordinate with foreign partners on investigative needs and the cyber attaché has to act as the proxy for the case agent,” Janczewski told TechCrunch in an email. “Their expertise on knowing what questions to ask, what evidence can reasonably be obtained, and the impact of any cultural or legal implications.”

Janczewski handled the investigation of the largest dark web child abuse site, Welcome to Video. He is presently the worldwide investigations director of TRM Labs, a blockchain intelligence firm. He explained that depending on the countries with whom the IRS is dealing, there may be different legal methods to gather evidence, "but often informal information in real-time is needed in fast-moving investigations."

“In these situations, it comes down to professional relationships, knowing who to call and what to say,” he said.

Aside from the five cyber investigators, the IRS maintains 11 attaché locations around the world, including Mexico, Canada, Colombia, Panama, Barbados, China, Germany, the Netherlands, the United Kingdom, Australia, and the UAE.

“These partnerships give CI the ability to develop leads for domestic and international investigations with an international nexus. In addition, attachés provide support and direction for investigations with international issues, foreign witnesses, foreign evidence, or execution of sensitive investigative activities in collaboration with our international partners,” the IRS-CI wrote in its 2022 annual report. “Attachés also help uncover emerging schemes perpetrated by promoters, professional enablers, and financial institutions. These entities facilitate tax evasion of federal tax obligations by U.S. taxpayers, as well as other financial crimes.”

IRS Accidentally Published Private Data of Nearly 120,000 Taxpayers

 

The Internal Revenue Service confirmed last week that it had accidentally exposed data for taxpayers’ IRAs to some non-profits and other tax-exempt entities, following a Wall Street Journal report that stated approximately 120,000 taxpayers who filed a form 990-T may have been impacted by the error.

Form 990-T is used for reporting 'unrelated business income' paid to a tax-exempt organization, such as nonprofits (charities) or IRA and SEP retirement accounts. The income is commonly generated from sales unrelated to a nonprofit's primary motive or real estate investments that pay income into an individual retirement account. 

According to the Treasury Department, only 501(c)(3) organizations are bound to make their Form 990-T available for public inspection. But in this case, a human coding error resulted in data from some non-501(c)(3)s also being made available for bulk download through the IRS' search portal for tax-exempt organizations. 

The Washington-based department stated the data leak was unearthed on August 26 but didn’t disclose how long the confidential information had been publicly available. Exposed data included names, contact details, and reported income for those IRAs. However, social security numbers, individual tax returns, and other sensitive data were not leaked. 

“The IRS recently discovered that some machine-readable (XML) Form 990-T data made available for the bulk download section on the Tax Exempt Organization Search (TEOS) should not have been made public. This section is primarily used by those with the ability to use machine-readable data; other more widely used sections of TEOS are unaffected,” Anna Canfield Roth, the Treasury’s acting assistant secretary for management, said in the letter.

The Treasury announced that the data has been removed from the website, and the agency will replace it with the correct documents in the coming weeks. The IRS also plans to contact all the impacted taxpayers. Additionally, the IRS will notify Congress, as it is required under the Federal Information Security Modernization Act to report any security incident involving more than 100,000 individuals.

“The IRS took immediate steps to address this issue. The files have been removed from IRS.gov and will be replaced with updated files in the near future. The IRS is continuing to review this situation. The Treasury Department has instructed the IRS to conduct a prompt review of its practices to ensure necessary protections are in place to prevent unauthorized data disclosures,” Roth further stated.

Cybercriminals Impersonate Government Employees to Spread IRS Tax Frauds

 

At the end of the 2021 IRS income tax return deadline in the United States, cybercriminals were leveraging advanced tactics in their phishing kits, which in turn gave them a high delivery success rate for spoofed e-mails with malicious attachments.

On April 18th, 2022, a notable campaign was detected that involved phishing e-mails imitating the IRS and, in particular, one of the industry vendors that provides services, including e-mailing, to government agencies. Cybercriminals choose specific seasons when taxpayers are busy with taxes and holiday preparations, which is why one should be extra cautious at these times.

The impersonated IT services vendor is widely employed by key federal agencies, including the Department of Homeland Security, as well as various state and local government websites in the United States. The detected phishing e-mail alerted victims about outstanding IRS payments, which should be paid via PayPal, and included an HTML attachment which looked like an electronic invoice. Notably, the e-mail has no URLs and was delivered to the victim's mailbox without being tagged as spam. The e-mail was delivered through many "hops" based on the inspected headers, predominantly using network hosts and domains registered in the United States.

It is worth mentioning that none of the affected hosts had previously been 'blacklisted,' nor was there any evidence of bad IP or anomalous domain reputation at the time of identification. The bogus IRS invoice's HTML attachment contains JS-based obfuscation code. Further investigation revealed embedded scripts that detected the victim's IP address (using the GEO2IP module, which was hosted on a third-party website), most likely to choose targets or filter by region.

After the user views the HTML link, the phishing script prompts the user to enter personal credentials, impersonating the Office 365 authentication process with an interactive form.

Once the user enters personal credentials, the phishing kit checks access to the victim's e-mail account through the IMAP protocol. Based on the de-obfuscated JS content, the actors were using the "supportmicrohere[.]com" domain.

Threat actors most likely tried to imitate Microsoft Technical Support and deceive users by using a domain with similar spelling. The script intercepts the user's credentials and sends them to the server using a POST request. The login and password are sent to a script on jbdelmarket[.]com through HTTP POST. A series of scripts that examine the victim's IP address is also hosted on the domain jbdelmarket[.]com. The phishing e-mail headers include multiple domain names with SPF and DKIM records.

The Return-Path field in the phishing e-mail was set to another e-mail address controlled by the attackers, which gathers data about e-mails that were not delivered properly. The Return-Path specifies how and where rejected e-mails will be processed, and it is used to process bounces.
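
A defender-side triage sketch for the delivery traits described above (an HTML attachment carrying obfuscated JavaScript and a credential form, no URLs in the body, a Return-Path that differs from the sender, several relay hops). This is an added example, not code from the original post; the sample message, its placeholder domains, and the `triage` function and finding names are constructed for illustration.

```python
import re
from email import message_from_string, policy
from email.utils import parseaddr

# Constructed sample message (not taken from the campaign); every domain is a placeholder.
SAMPLE_EML = """\
Return-Path: <bounces@mailer.example.net>
Received: from relay2.example.org by mx.victim.example; Mon, 18 Apr 2022 10:02:00 -0400
Received: from relay1.example.org by relay2.example.org; Mon, 18 Apr 2022 10:01:00 -0400
Received: from host.example.net by relay1.example.org; Mon, 18 Apr 2022 10:00:00 -0400
From: "IRS Payments" <notice@vendor.example.com>
To: user@victim.example
Subject: Outstanding IRS payment
MIME-Version: 1.0
Content-Type: multipart/mixed; boundary="b1"

--b1
Content-Type: text/plain; charset="utf-8"

Your outstanding IRS payment is due. Open the attached invoice to pay via PayPal.

--b1
Content-Type: text/html; charset="utf-8"
Content-Disposition: attachment; filename="invoice.html"

<html><body><script>var p="%3Cb%3Einvoice%3C/b%3E";document.write(unescape(p));</script>
<form><input type="password" name="pw"></form></body></html>
--b1--
"""

URL_RE = re.compile(r"https?://|www\.", re.I)
# Decoder calls commonly seen in obfuscated attachment scripts (heuristic, not exhaustive).
OBFUSCATION_RE = re.compile(r"\b(?:eval|unescape|atob|fromCharCode)\s*\(", re.I)
PASSWORD_FIELD_RE = re.compile(r"type\s*=\s*[\"']?password", re.I)


def _domain(header_value):
    """Return the lower-cased domain of the address in a header, or ''."""
    addr = parseaddr(str(header_value or ""))[1]
    return addr.rpartition("@")[2].lower()


def triage(raw_message):
    """Score one raw RFC 5322 message against the traits the article lists."""
    msg = message_from_string(raw_message, policy=policy.default)
    body_text, html_attachments = "", []
    for part in msg.walk():
        if part.is_multipart():
            continue
        if part.get_content_disposition() == "attachment":
            name = (part.get_filename() or "").lower()
            if part.get_content_type() == "text/html" or name.endswith((".html", ".htm")):
                content = part.get_content()
                if isinstance(content, bytes):  # HTML sent as application/octet-stream
                    content = content.decode("utf-8", errors="replace")
                html_attachments.append(content)
        elif part.get_content_maintype() == "text":
            body_text += part.get_content()

    from_domain = _domain(msg.get("From"))
    return_path_domain = _domain(msg.get("Return-Path"))
    findings = []
    # Weak signal alone: legitimate bulk senders also use separate bounce domains.
    if from_domain and return_path_domain and from_domain != return_path_domain:
        findings.append("return_path_mismatch")
    # URL-based filters see nothing to scan when the lure lives only in the attachment.
    if html_attachments and not URL_RE.search(body_text):
        findings.append("html_attachment_no_body_urls")
    if any("<script" in h.lower() and OBFUSCATION_RE.search(h) for h in html_attachments):
        findings.append("obfuscated_script_in_attachment")
    if any(PASSWORD_FIELD_RE.search(h) for h in html_attachments):
        findings.append("credential_form_in_attachment")
    return {
        "hops": len(msg.get_all("Received", [])),
        "from_domain": from_domain,
        "return_path_domain": return_path_domain,
        "findings": findings,
    }


if __name__ == "__main__":
    print(triage(SAMPLE_EML))
```

No single finding is conclusive; the combination of an HTML attachment, an empty-of-links body and a credential form is what makes a message worth quarantining for review.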

IRS Warned of an Ongoing IRS-Impersonation Scam

 

The Internal Revenue Service (IRS) has warned of ongoing phishing attacks impersonating the IRS and targeting educational establishments. The attacks focus on college staff and students with .edu email addresses and use tax refund payments as bait to lure unsuspecting victims. The IRS said the phishing emails “appear to target university and college students from both public and private, profit and non-profit institutions.”

It added that the suspect emails show the IRS logo and use different subject lines, for example, "Tax Refund Payment" or "Recalculation of your tax refund payment." Clicking on a link takes victims to a phony site that asks individuals to submit a form to claim their refund.

Abnormal Security researchers, who detected these attacks in the wild, recently said that the emails circumvented Office 365 security and landed in the mailboxes of between 5,000 and 50,000 targets. "This impersonation is especially convincing as the attacker's landing page is identical to the IRS website including the popup alert that states 'THIS US GOVERNMENT SYSTEM IS FOR AUTHORIZED USE ONLY', a statement that also appears on the legitimate IRS website," Abnormal Security revealed.

The phishing site asks taxpayers to provide their:

• Social Security number
• First Name 
• Last Name 
• Date of Birth 
• Prior Year Annual Gross Income (AGI)
• Driver's License Number
• Current Address 
• City
• State/U.S. Territory 
• ZIP Code/Postal Code
• Electronic Filing PIN

Hank Schless, Senior Manager, Security Solutions at Lookout, says, "At this time of year, attackers will pose as members of the IRS to socially engineer employees into sharing sensitive tax-related information such as social security numbers or bank account information." 

Schless adds, “Security teams should be protecting employees across all endpoints to ensure they don’t fall victim to a phishing attack or download a malicious attachment that compromises the organization’s entire security posture. These scams are most effective on mobile devices, and attackers know that and are creating phishing campaigns like this to take advantage of the mobile interface that makes it hard to spot a malicious message. People access their work email on a smartphone or tablet just as much as they do on a computer. Any text, email, WhatsApp message, or communication that creates a time-sensitive situation should be a red flag. Employees should approach these messages with extreme caution or go straight to their IT and security teams to validate it.”

Email Scam Under the Name of IRS Tries to Gain EFIN of Tax Preparers

 

A lot of people are familiar with the US Internal Revenue Service (IRS) scam letters that phish for money during tax season. Now, in a virtual version of the fake IRS letter, a different kind of IRS scam targets tax practitioners.

The IRS has instructed tax practitioners to watch out for a scam that tries to obtain a victim's E-Filing Identification Number (EFIN). Here, intruders use a fake email to target the identity and customer information of tax preparers. If they obtain the data, attackers can impersonate the tax preparer and submit fake tax returns to receive refunds.

The hoax starts with a scam email, as per the IRS. The message claims to come from 'IRS tax e-filing' and carries the subject line ‘Verifying your EFIN before e-filing.’ The e-mail informs the tax preparer that certain documents must be sent to be checked and approved by the e-file staff. It then requests a copy of the preparer's EFIN and driver's license number. To make the situation more urgent, the email warns that, unless the recipient complies, the IRS will disable e-filing access for the tax preparer.

This season, many other major tax scams have also been identified by the IRS and other sources. For example, the IRS cautioned taxpayers in early February against 'ghost' tax return preparers who refuse to sign the returns they prepare. Every prepared return needs the Preparer Tax Number, and it should be signed by the tax preparer as well. The IRS says that the lack of a signature may suggest fraudulent activity by the tax preparer. Such preparers may, for example, promise big refunds and charge fees that depend on the size of those refunds.

By investing in their e-mail security defenses, organizations can protect themselves and their users against such an IRS scam. One way to do this is to develop a security education program and teach employees about the most common kinds of tax-based phishing emails and other scams. Organizations should continuously test their employees to keep them informed of this IRS scam and similar attacks. Threat intelligence should be used to keep up with the latest tax scams.

Furthermore, the IRS advised tax preparers not to take any of the steps described in the email. It's best to delete the email and not respond in any way.

Fraudsters Target US Tax Experts in Ongoing Phishing Campaign

 

Scammers are targeting US tax professionals in an ongoing series of phishing attacks to steal Electronic Filing Identification Numbers (EFINs). The Internal Revenue Service (IRS) has alerted US tax experts to the phishing campaign and suggested taking precautionary measures to avoid any loss.

The ongoing series of phishing attacks started right before the US tax season, with the aim of stealing both users’ data and tax professionals’ identities. Scammers trick tax preparers by sending phishing emails asking them to email copies of their “EFIN (e-file identification number) verification and Driver’s license” as part of a fake verification process.

To make the verification process seem more authentic, scammers threaten potential victims with freezing the accounts they use to file tax documents online. Out of fear or lack of knowledge, the victims hand over their information to the scammers. Once the scammers receive the information, they can illegally file tax returns for refunds by posing as tax professionals.

Scammers use ‘IRS Tax E-Filling’ as the sender name in the emails and ‘Verifying your EFIN before e-filing’ as the subject line, followed by the content below:
“In order to help protect both you and your clients from unauthorized/fraudulent activities, the IRS requires that you verify all authorized e-file originators prior to transmitting returns through our system. That means we need your EFIN (e-file identification number) verification and Driver’s license before you e-file."

“Please have a current PDF copy or image of your EFIN acceptance letter (5880C Letter dated within the last 12 months) or a copy of your IRS EFIN Application Summary, found at your e-Services account at IRS.gov, and Front and Back of Driver’s License emailed to complete the verification process. If your EFIN is not verified by our system, your ability to e-file will be disabled until you provide documentation showing your credentials are in good standing to e-file with the IRS.”

Tax experts targeted by this ongoing phishing campaign are recommended not to respond to suspicious emails and to send the emails (as file attachments) to phishing@irs.gov. Tax professionals can also report to the Treasury Inspector General for Tax Administration for further analysis by the IRS Criminal Investigation division.

Fraudsters are Using Fake W-8BEN Forms for 2021 Tax Season

 

As a huge number of US citizens get ready for the 2021 tax season, swarms of fraudsters and scammers are getting ready to rip off residents and non-residents alike. Fraudsters got an early start, anticipating the buzz surrounding tax filing season, with phishing campaigns impersonating the government agency as early as November 25, 2020, according to Bitdefender Antispam Lab. Spikes in IRS-related phishing scams were seen on January 19 and 21, when a large portion of the incoming agency-related correspondence was marked as spam.

Authorities say a huge number of individuals, from regular residents to sophisticated professionals, fall prey to IRS and other scams every year, losing millions of dollars in the process. As per a Federal Trade Commission (FTC) report, imposter scams cost Americans some $667 million in 2019, and those were only the cases reported to authorities. Many victims never file reports, often out of shame.

This warm-up was no coincidence: as the 2020 fiscal year wrapped up, about $2.3 billion was involved in tax fraud, according to the agency’s annual report. Identity thieves used stolen Social Security numbers and other personally identifiable information (PII) to file early tax returns in the name of legitimate taxpayers, or used frivolous tactics to scare recipients into making prompt payments to avoid arrest or deportation.

Fraudsters are targeting non-residents in the US with a phony version of the W-8BEN Form (Certificate of Foreign Status of Beneficial Owner for United States Tax Withholding and Reporting) to steal sensitive information. This version of the scam has been spotted more than 80,000 times since November 25, 2020, with more noticeable spikes expected to hit inboxes until April 15. Unlike traditional phishing, which expects recipients to visit a spoofed website or download a malicious attachment, the scammers have set up a phony fax number to which recipients are told to send their data. The fake form asks for specific information not requested on the genuine W-8BEN US tax exemption document, for example, your passport number, profession, mother's maiden name, bank account name and number, and investments.

Fraudsters have also reused older versions of IRS impersonation scams by using the Economic Impact Payments, part of the Coronavirus Aid, Relief, and Economic Security (CARES) Act.