After death, and taxes, we can now add a third 'certainty' to life - identity theft.



Amid the business of tax season, it's not just accountants that are toiling hard to collect their fees. As Bloomberg reports, tax season is hog heaven for cybercriminals. The thought of all that personal data just sitting around, unmolested in tax documents, inspires a torrent of creepy scammer creativity.

The Krebs on Security blog provided a glimpse earlier this year of how our tax data is bought and sold, and what scammers charge other scammers for our data.

Founder Brian Krebs came across something he hadn’t seen before on the Dark Web: Bulk sales of W-2 forms.

A scammer had phished a tax preparation firm, Krebs discovered, and was offering for sale 3,600 Florida W-2s in this cyber netherworld which, while connected to the everyday web, requires special software or authorization to access.

Bloomberg notes that the fruits of all the successful phishing attempts wind up on the Dark Web.

These offers can look run of the mill, complete with star ratings for sellers. Here is a screenshot showing sellers and their illegal wares, such as W-2s, taken from IBM’s report:

The Dark Web has its own selling language. “Fullz” means complete information on an individual, including, according to the IBM report, “payment card information, address and contact details, and other additional pieces of personally identifiable information, such as Social Security number, a driver’s license number, and any other information sold along with the set.”

An individual’s tax data is far more valuable than their credit card data. Stolen credit card data might sell for $1 or be given away to establish credibility on the Dark Web, said Limor Kessem, executive security adviser of IBM Security. Credit card accounts can be closed or frozen, and thus have a short criminal-shelf life.

“Tax filing information is probably the most premium type of record criminals can buy on the underground,” said Kessem, who has been tracking this world for eight years. “It goes for $40 or $50, and unlike credit cards, never expires. People can try and get loans in someone’s name, make fake IDs in people’s names, get credit.” And of course, the top target is filing a tax return in someone's name and getting the refund.

With phishing attacks on the rise, Bloomberg suggests a consumer’s best defense is a good offense. One of the simplest, when it comes to tax refund fraud: File your taxes early to beat would-be scammers to the punch.