Tax identity fraud is on the rise this year, possibly due to criminals getting craftier in their choice of breach targets. According to a series of reports from Brian Krebs, fraudsters are now targeting third-party payroll services.
It is well known that attackers look for low-hanging fruit as a way into an organization’s juiciest targets. Sometimes this is through outside vendors (as in the Target breach); sometimes it is through phishing individuals in an organization, whom they can use as a foothold to get into accounts with access to more valuable data (as in the RSA breach). In this recent uptick in tax identity fraud, criminals have been targeting the HR departments of various organizations to get employees’ W-2s and file fraudulent tax returns.
At the beginning of this year’s tax season, criminals seem to have discovered that they could get a bigger payday by targeting smaller (and likely less protected) organizations that outsource their payroll services to a third party. By stealing the organization’s login credentials for the payroll company’s site, attackers were able to get the organization’s employee data. And once they knew what to look for, they were able to repeat this procedure at several other organizations, likely using phishing or malware designed to harvest login details for the payroll site.
The attackers may have been able to gather employee names, addresses, birthdays, Social Security Numbers and pay information, which would have given them all they needed to file a fraudulent return purporting to be filed by those employees. In all, thousands of employees have been affected.
Many smaller companies feel that they are less apt to be targets of cybercrime because they think they have “less value” as a target. Furthermore, they may feel they do not have the budget to protect themselves. But criminals can and will use any tidbit of information they can gather to increase their payout. In the case of the Target breach, attackers breached a regional heating and air conditioning (HVAC) company that does work for Target stores, then exploited the firm’s Internet connection to the retail giant to execute a much bigger heist.
In light of this, small businesses need to be every bit as cognizant of protection as larger organizations, and to avail themselves of the many ways in which they can protect themselves at little or no extra cost.
While the IRS has begun to employ new methods to detect tax identity fraud, the best way to prevent fraud is to prevent attackers from gathering the data they need to do this in the first place. Whether your business is big or small, the methods are much the same (small businesses simply have less organizational and technological complexity!). Thankfully, as protection technology has improved, it has also become cheaper and easier to access and to use effectively. By taking the time to apply these protections, businesses can make themselves less attractive to criminals.
Author Lysa Myers, ESET