Criminals are putting old tax returns up for sale on the dark web
- Identity theft has reached rock-bottom prices — old tax documents can be had for as little as $1.
- Old tax documents can be used to file fraudulent returns or as backup to set up other accounts in a victim's name.
- A criminal can also leverage access to a bank account to launder stolen money, without the account holder's knowing.
Most people trust their accountant. But security breaches at accounting firms and legal firms are contributing to the plethora of tax information available at rock-bottom prices online, according to a cybersecurity executive.
These documents — which include prior years' tax returns and forged W-2s — can now be had for rock-bottom prices, according to a report from Carbon Black, a cybersecurity firm. The report pulled up 10 listings of name-date of birth-Social Security number combinations, which ranged in price from 19 cents to $62. Prior-year tax forms, on sale by three different vendors, cost from $1.04 to $52. (People with higher incomes, and whose identity hasn't yet been stolen, command higher prices.)
Old tax returns have many uses. The information on them can be used to file fraudulent tax returns for future years, netting a quick cash take for a criminal. But tax documents can also be used for longer-term schemes. One dark web vendor advertised forged W-2 forms and noted their possible use in setting up a P.O. box or to show proof of employment, as might be required for a loan or a lease.
"This item pairs very well with many of my other forgery items such [as] forged IDs and especially by forged Social Security cards," the listing advertised.
"These people are not trying to pickpocket you. They're trying to steal your financial future," said Tom Kellermann, chief cybersecurity officer at Carbon Black. "For a little as 19 cents for your ID and a dollar for last year's tax return, I can own you indefinitely until you have to go through the nightmare process of getting your Social Security number changed."
Other items on the dark web include bank account credentials, including access to U.S. or European bank accounts that carry a balance. Some of these accounts had balances up to $2,800 that a criminal could withdraw—but it's the account access that's the real draw, Kellermann said. A U.S. bank account gives criminals credentials to start other fake accounts as well as a place to launder ill-gotten gains. If money were deposited into an account overnight and taken out early in the morning, the account's owner could remain unaware of any balance changes.
Because these actions happen on the dark web — a part of the internet where activity is encrypted and nearly impossible to monitor — it's difficult to prosecute these criminals. And the proliferation of online-only services makes it easier for criminals to set up a financial presence without ever exposing their face, the report noted.
So what's a taxpayer to do? One common piece of advice is to avoid giving out personal information that can be used to corroborate identity theft. But that's hard for someone who doesn't feel like pushing back on every single website registration. And it's often not the consumers' fault, said Kellermann. Identification, including the most personal and intimate data, is lost most often by the businesses that are tasked with keeping it safe.
"The scourge of modern commerce is that so many businesses, particular professional business services, have terrible cybersecurity practices. ... Some of them have been hacked for a long period of time," Kellermann said.
He added, "Your family's accountant probably doesn't have great cybersecurity, even if he's part of a legitimate accounting firm."
Indeed, small and medium-sized accountants are most likely to be targeted by cybercriminals, according to a white paper from the American Institute of CPAs in 2012. That's "because these organizations tend to pay less attention to information security, controls and risk assessments and are therefore more vulnerable than larger entities. In many cases, [these businesses] don't have enough staff in the finance function and not all staff have the level of expertise to spot these issues," the AICPA report noted at the time.
To protect themselves, Kellermann said consumers should keep antivirus software on all their devices (mobile phones, tablets, computers and laptops), and should change their passwords (or, preferably, passphrases) every several months. And everyone who isn't about to move or buy a car should freeze their credit, he added. A credit freeze would prevent most unauthorized activity and is a straightforward process.
"All you have to do is call a credit bureau and put in your Social Security number over the phone," he said. "And I would recommend doing it over the phone."