Hackers File Fake Tax Returns To Steal IRS Refunds

Beware of Business Email Compromise (BEC) During Tax Season

The number of attempted IRS scams tends to increase every year in March and April in the U.S., as legions of crooks try to steal Americans’ refunds. Earlier this month, the IRS warned that attackers exploiting the COVID-19 crisis could use stolen data to commit tax fraud. Last week, the California-based accounting firm Weber and Company revealed that attackers had tried to obtain large tax refunds by posing as its clients. According to the firm, the scammers apparently obtained clients’ personal data, possibly including Social Security numbers and bank account information, and used it to file fraudulent returns.

The US Internal Revenue Service suffered a large-scale cyberattack in 2015 that exposed sensitive information on more than 100,000 taxpayers. The attackers did not break the IRS systems themselves: they used taxpayer data already stolen from other sources to answer the identity-verification questions on the IRS’s online Get Transcript service, then downloaded the victims’ current and prior-year tax records, exposing Social Security numbers, dates of birth, filing status, addresses and other sensitive data. The attacks continued, and the IRS was eventually forced to take the online transcript service offline, leaving transcripts obtainable only by mail. The technique was well organized and clearly targeted, and it coincided with filing season, when about 23 million people used the IRS online system for operations such as downloading tax transcripts.

Cyber Threat Hunting is an essential exercise to proactively investigate potential compromises, detect advanced threats, and improve cyber defenses. Our experts run an exhaustive and iterative process with purpose-built tools, conducting manual and semi-automated searches for Indicators of Compromise (IOCs) and Initial Vectors of Compromise (IVOCs). Our Threat Hunting Framework includes:

  • Strategic Targets & Tactics Selection
    • Define and prioritize Threat Hunting missions across Network, Endpoint and External targets, and align with the internal team on procedures, tactics, techniques, processes, and policies.
    • Define operational procedures for target interrogation, collection, and response.
    • Prepare initial vectors and conditions of digital artifacts for Threat Hunting from known or behavioral intelligence such as IOCs.
  • Interrogation & Collection
    • Offensive automated and manual Threat Hunting, based on the known and evolving threat landscape, to discover relevant forensic artifacts.
    • Address systemic risk spanning multi-stage, multi-vector vulnerabilities, prioritized by correlated Risk Scores, Threat Intelligence and Assessments.
    • Assure post-breach clean-up via recurring Threat Hunting to identify and investigate additional malware, symptoms, and IOCs.
  • Detection
    • Investigations to uncover IOCs, malicious patterns, symptoms and adversarial Tactics, Techniques and Procedures (TTPs).
    • Converge and correlate proprietary, open-source and 3rd-party intelligence with LIFARS TTP knowledge.
    • Leverage Machine Learning and Artificial Intelligence analytics with the deployed tools.
  • Enablement
    • Correlate the context of TTPs across attacks and attack campaigns to uncover linked data, enrich intelligence, and feed the hunting loop through content and process advisory.
    • Provide clients with meaningful insight and visibility into the maturity of their defensive detection and response.
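As an added illustration of the two kinds of search the framework describes (a sweep for known IOCs, and a behavioral hunt for the tax-season BEC pattern in which a sender poses as a known client), the following Python script is example code written for this page; it is not LIFARS tooling and not part of the original article. The log format, the client list and every IP, domain and hash in it are constructed for the example and are not real indicators.

```python
"""Hunt constructed mail-gateway logs for known IOCs and for the BEC pattern of
a sender who impersonates a known client from an unexpected or lookalike domain."""
import re
from dataclasses import dataclass

# --- Constructed inputs (hypothetical; not real indicators, clients or log data) ---
KNOWN_CLIENTS = {                       # display name (lowercase) -> domain the client really mails from
    "jane doe": "client-example.com",
    "acme holdings": "acme-example.com",
}
IOC_IPS = {"198.51.100.77"}             # hypothetical known-bad sender IP
IOC_DOMAINS = {"refund-portal.example"} # hypothetical known-bad sender domain
IOC_SHA256 = {"c" * 64}                 # hypothetical known-bad attachment hash

SAMPLE_LOG = """\
2020-03-16T09:12:01Z from="Jane Doe <jane@client-example.com>" ip=203.0.113.10 subject="2019 W-2 copies" sha256={a}
2020-03-16T09:40:22Z from="Jane Doe <jane.doe@client-exarnple.com>" ip=203.0.113.44 subject="Please file my 2019 return, new bank details" sha256={b}
2020-03-16T10:05:09Z from="IRS Refunds <notice@refund-portal.example>" ip=198.51.100.77 subject="Refund status" sha256={c}
2020-03-16T10:30:51Z from="ACME Holdings <ar@acme-example.com>" ip=203.0.113.10 subject="1099 forms" sha256={a}
""".format(a="a" * 64, b="b" * 64, c="c" * 64)

# key=value pairs; values are either double-quoted (may contain spaces) or bare tokens
KV_RE = re.compile(r'(\w+)=("([^"]*)"|(\S+))')


def parse_line(line):
    """Split one log line into {"ts": ..., key: value, ...}."""
    ts, _, rest = line.partition(" ")
    fields = {"ts": ts}
    for key, _whole, quoted, bare in KV_RE.findall(rest):
        fields[key] = quoted if quoted else bare
    return fields


def split_sender(value):
    """'Jane Doe <jane@x.com>' -> ('Jane Doe', 'jane@x.com'); bare addresses get an empty name."""
    m = re.match(r"\s*(?P<name>.*?)\s*<(?P<addr>[^<>]+)>\s*$", value)
    if m:
        return m.group("name").strip(), m.group("addr").strip().lower()
    return "", value.strip().lower()


def edit_distance(a, b):
    """Levenshtein distance; used to catch typo-squatted lookalike domains."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


@dataclass
class Finding:
    ts: str
    rule: str
    detail: str


def hunt(log_text):
    findings = []
    for line in log_text.splitlines():
        if not line.strip():
            continue
        ev = parse_line(line)
        name, addr = split_sender(ev.get("from", ""))
        domain = addr.rpartition("@")[2]
        # 1. Known-IOC sweep: exact matches on sender IP, sender domain and attachment hash.
        if ev.get("ip") in IOC_IPS:
            findings.append(Finding(ev["ts"], "ioc_ip", ev["ip"]))
        if domain in IOC_DOMAINS:
            findings.append(Finding(ev["ts"], "ioc_domain", domain))
        if ev.get("sha256") in IOC_SHA256:
            findings.append(Finding(ev["ts"], "ioc_hash", ev["sha256"]))
        # 2. Behavioral BEC check: display name of a known client, but the mail did not
        #    come from that client's real domain (lookalike within 2 edits, or any other domain).
        expected = KNOWN_CLIENTS.get(name.lower())
        if expected and domain != expected:
            rule = "lookalike_domain" if edit_distance(domain, expected) <= 2 else "client_impersonation"
            findings.append(Finding(ev["ts"], rule, f"{name} <{addr}> expected @{expected}"))
    return findings


if __name__ == "__main__":
    for f in hunt(SAMPLE_LOG):
        print(f"{f.ts} {f.rule:<22} {f.detail}")
```

Run against the constructed log, the sweep flags the third line three times (IP, domain and hash IOCs) and the second line once as a lookalike domain (`client-exarnple.com` is two edits from `client-example.com`); the two genuine client messages produce nothing. The edit-distance threshold is a heuristic: on very short domains a cutoff of 2 will produce false positives, so in practice tune it per client list and treat a hit as a hunting lead to verify (SPF/DKIM results, prior sending history) rather than a verdict.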

Contact LIFARS Immediately For
Mitigating Cyber Risks in Your Organization