Tax identity fraudsters target third-party payroll sites: are you protected?

Tax identity fraud is on the rise this year, possibly due to criminals getting craftier in their choice of breach targets. According to a series of reports from Brian Krebs, fraudsters are now targeting third-party payroll services.

What Happened?

It is well known that attackers like to find low-hanging fruit in order to get into an organization’s juiciest targets. Sometimes this is through outside vendors (as in the Target breach); sometimes this is through phishing of individuals in an organization of whom they can make use as a foothold to get into accounts with access to more valuable data (as in the RSA breach). In this recent uptick in tax identity fraud criminals have been targeting the HR departments of various organizations in order to get the W-2s of employees in order to file fraudulent tax returns.

At the beginning of this year’s tax season, criminals seem to have discovered that they could get a bigger payday by targeting smaller (and likely less protected) organizations that outsource their payroll services to a third party. By stealing the organization’s login credentials for the payroll company’s site, attackers were able to get the organization’s employee data. And once they knew what to look for, they were able to repeat this procedure at several other organizations, likely using phishing or malware designed to harvest login details for the payroll site.

The attackers may have been able to gather employee names, addresses, birthdays, Social Security Numbers and pay information, which would have given them all they needed to file a fraudulent return purporting to be filed by those employees. In all, thousands of employees have been affected.

What can we do?

Many smaller companies feel that they are less apt to be targets of cybercrime because they think they have “less value” as a target. Furthermore, they may feel they do not have the budget to protect themselves. Criminals can and will use any tidbit of information they can gather in order to increase their payout. In the case of the Target breach, attackers breached a regional heating and air conditioning company (HVAC) that does work for Target stores, then exploited the firm’s Internet connection to the retail giant to execute a much bigger heist.

In light of this, small businesses need to be every bit as cognizant of protection as larger organizations, and to avail themselves of the many ways in which they can protect themselves at little or no extra cost.

  • Two-Factor Authentication
    The third-party payroll company that was breached as described above now offers two-factor authentication to its users. Whenever this option is available, whether for payroll companies or when using any other online services, you should enable it.
  • Anti-Phishing scanning
    When criminals become aware of poorly-defended third-party sites that are of value to them, they can use this information to craft phishing emails to trick people out of their login credentials. Using anti-phishing scanners in browsers and email can greatly decrease the likelihood of users being tricked into disclosing their login credentials. While education is very helpful (and highly recommended!) to prevent phishing, fraudsters can sometimes craft links that are compelling enough to trick all but the most expert users. Anti-phishing scanning can be extra helpful with those particularly deceptive phish.
  • Anti-Malware techniques and technology
    Criminals may also target users with malware that has keystroke logging, which would allow them to steal login credentials without having to trick users into going to a phishing site. The usual anti-malware advice applies here: be sure to keep all your software up to date, educate your users about when it is unsafe to open attachments, and use updated anti-malware and firewall software.
  • Network Segmentation
    The best way to limit damage should a criminal gain access to an organization is to set permissions within your organization to allow access to only those things a user must access in order to do his or her job. The HVAC contractor in the Target breach should not have had access that could be leveraged to compromise retail Point of Sale terminals, as this was not necessary to perform their job.
  • Encryption
    Encrypted data may be less accessible and thus less valuable to criminals. When data are on disk, make sure they are encrypted. Most major operatingsystems offer this ability at no extra cost. Encrypting sensitive data in transit is important too. Email and IM are not generally encrypted, unless you use a separate program designed to encrypt this traffic. Web traffic may be encrypted – look for HTTPS or a lock icon at the beginning of a URL to see whether the traffic has been secured. (But be aware that phishing sites sometimes use fake lock icons to inspire misplaced confidence in the unwary user.)

While the IRS has begun to employ new methods to detect tax identity fraud, the best way to prevent fraud is to prevent attackers from gathering the data they need to do this in the first place. Whether your business is big or small, the methods are much the same (small businesses simply have less organizational and technological complexity!). Thankfully, as protection technology has improved, it has also become cheaper and easier to access and to use effectively. By taking the time to apply these protections, businesses can make themselves less attractive to criminals.


Author , ESET

Follow us

Copyright © 2017 ESET, All Rights Reserved.