Navigate the current cyber risk landscape with Coalition’s Cyber Threat Index 2024Get the report
Cyber Incident? Get Help

Common Cyber Tax Fraud Schemes (and How to Help Mitigate Them)

Common Cyber Tax Fraud Schemes (and How to Help Mitigate Them)

Tax season is upon us in the U.S. and Canada. This is a favorite time of year for just about no one except cybercriminals looking to capitalize on unsuspecting businesses and their employees.

Bogus 401(k) notices, phony payroll services providers, promises of a “massive” tax return — the list of scams targeting taxpayers and tax professionals grows every year. Recently, the IRS warned tax preparers of “new client” scams ahead of the 2024 filing season.

During tax season, businesses tend to unknowingly lower their defenses to attackers, especially if they outsource accounting, human resources, or other administrative work. In these instances, employees are more likely to receive emails and tax documents from unfamiliar third parties, which can increase their willingness to click on otherwise suspicious links and even transmit sensitive data in unencrypted emails.

Knowing that cyber claims can spike this time of year, we approached Shelley Ma, Incident Response Lead at Coalition Incident Response (CIR), an affiliate of Coalition, to learn more about how threat actors dupe businesses and individuals to steal tax information, how they use that data to make money, and how brokers should advise their clients to help them avoid becoming victims.

What is cyber tax fraud?

Cyber tax fraud is a type of cyber event in which a threat actor steals sensitive information for the purpose of committing tax fraud. Typically, cybercriminals use stolen data to file fraudulent tax returns and claim tax refunds.

These events can impact businesses and individuals alike, though the most common targets of these seasonal attacks are certified professional accountant (CPA) firms due to the volume of sensitive financial data they store.

“Cyber tax fraud was most prevalent 8-10 years ago, when tax software was almost exclusively hosted on local premises by firms with poor security and Remote Desktop Protocol (RDP) accessible to the public internet,” noted Ma. “Threat actors would access their servers, steal tax documents, and file returns to collect refunds for themselves.”

This type of cybercrime has slowed over time but remains prevalent among financial firms, especially this time of year. What’s more, these crimes often go undetected until the proper tax return is filed and the IRS sends a bounce-back noting the taxes were already filed.

Why CPAs are a prime target for cyber tax fraud

Threat actors target CPA firms for the promise of a larger payday: stealing dozens, even hundreds, of tax returns at once is far more lucrative than targeting one person or business at a time. During the bustle of tax season, these firms are also far less likely to spot anomalies or perform rigorous security audits.

Yet, what enables these events is something we see repeatedly: Almost all cyber tax fraud starts with a phishing email these days.

Below are four common ways CPA firms are targeted by cyber tax fraud schemes:

1. Email credential harvesting

An accountant at a CPA firm clicks on a phishing email, which leads to credential harvesting (the theft of login information) for their email account. Then, the threat actor uses that email access to reset credentials in the tax portal or software. Even easier, a threat actor might be able to obtain client data directly from the accountant’s inbox. Many documents, like W-2s, contain Social Security numbers and are emailed without encryption during tax season.

2. Tax software credential harvesting

An accountant clicks on a phishing email that leads to credential harvesting for the tax software itself. First, the phishing email prompts the accountant to sign into a fake tax portal. Then, the threat actor uses the stolen credentials to log into the tax software directly. This scheme is more effective if multi-factor authentication (MFA) isn’t enabled.

3. Tax portal credential harvesting

A phishing email leads to the harvesting of credentials for the tax portal, which is the backend account management console for CPAs. Then, the threat actor logs into the tax portal with the stolen credentials, creates a fraudulent account, and sets up access using their own email address to mimic the CPA’s domain to access the tax software. This scheme is more sophisticated, which makes the threat actor harder to detect unless the firm performs regular security audits or checks their sign-ins and logs.

4. Social engineering

An accountant clicks on a phishing email from a threat actor posing as IT support to obtain remote access to a workstation belonging to a CPA firm. Once access to a workstation is obtained, the threat actor often moves laterally to servers to access locally stored information.

Almost all cyber tax fraud starts with a phishing email these days.

Case study: Cyber tax fraud goes undetected for months

A small accounting firm discovered signs of a cyber event after the tax filings for nearly two dozen clients were flagged as fraudulent and blocked by the IRS. Months earlier, a threat actor had stolen and submitted the filings, rerouting the tax refunds to another account.

CIR investigated the firm's tax filing software and discovered that illegitimate user accounts had been created within the tax portal and that an unauthorized computer was used to submit the fraudulent tax returns. To avoid detection, the threat actor created a lookalike domain and email address to mimic that of the firm.

“We found evidence of business email compromise but couldn’t definitively link it to tax fraud due to the time that passed between the event and its discovery,” said Ma. “The software provider claimed it sent an email alert about the changes to administrative permissions, but we found no trace of any such communication.”

Ultimately, the firm’s cyber insurance policy covered the forensic investigation costs, as well as the notification costs and credit monitoring for clients whose data was compromised.

Cyber tax fraud can impact all businesses

CPA firms aren’t the only businesses that need to be on high alert about cyber tax fraud.

Whether it’s receiving a W-2 from an employer or solicitations from financial institutions, people have grown accustomed to discussing and sharing sensitive information during tax season. That familiarity can cause some to lower their guard to phishing attempts and, ultimately, result in cyber tax fraud.

“We’ve seen threat actors set up fake entities and offer tax services to individuals or businesses,” said Ma. “If they can get you to click, they’ll deploy malware or harvest credentials to get the information they need to file tax returns fraudulently.”

Threat actors have also been known to target executives in phishing attacks, then use a compromised executive’s email account to gain access to other employees’ tax information.

“A threat actor compromised the email account of the CFO for one of our policyholders, then emailed the HR department and requested employee W-2s,” said Ma. “The fraud went unnoticed, and the threat actor cashed out on the employees’ returns.

At a time when threat actor activity is spiking — and employees are more willing to share personal data or click on suspicious links — it’s imperative that businesses take proactive steps to reduce the likelihood of a cyber event.

Threat actors have also been known to target executives in phishing attacks, then use a compromised executive’s email account to gain access to other employees’ tax information.

6 ways to reduce the risk of cyber tax fraud

Basic cyber hygiene can go a long way to protect against cyber tax fraud. Whether your client is a CPA firm, healthcare provider, or anything in between, every business can benefit from heightened awareness and reinforced security controls:

1. Turn on MFA for all accounts: This security control is essential regardless of season, providing an additional layer of protection against the majority of cyber incidents.

2. Never click on suspicious links: Business leaders should encourage employees to exercise caution with links or attachments, especially if the message seems urgent.

3. Use a password manager to store passwords: Plus, never repeat passwords across accounts, and always a mix of capital and lowercase letters, numbers, and symbols.

4. Always know where sensitive data is stored: Businesses are advised to take inventory of their data and encrypt it at rest to ensure the data remains secure. If your client is a CPA firm, they can take additional security measures to protect customer data and reduce the risk of cyber tax fraud.

5. Embrace the security controls within tax software: Tax preparers can configure alerts to ensure they know when an account is added to the tax portal.

6. Create a geofence for specific IP addresses to access tax software: This creates a virtual perimeter around a physical location, which can help prevent threat actors from connecting to your tax software remotely and is especially effective if only a few accountants need to access the tax software.

Learn to spot the warning signs of phishing

Even outside of tax season, phishing is the most common attack vector to execute cyber attacks. As trusted risk advisors, brokers are in a position to help their clients spot the warning signs of a phishing attempt and recommend security controls that can help mitigate the risk of a full-blown incident.

For more information on phishing, check out Coalition’s Incident Preparedness Toolkit and recent phishing case studies.

This article originally appeared in the February 2024 edition of the Cyber Savvy Broker Newsletter. Subscribe to the newsletter to receive future editions directly in your inbox as we explore the most up-to-date and noteworthy topics in cyber insurance.


This communication is not a proposal of insurance. This communication is designed to provide general information on the topic presented and is not intended to construe or the rendering of legal or other professional services of any kind. If legal or other professional advice is required, the services of a professional should be sought. The views and opinions expressed as part of this communication do not necessarily state or reflect those of Coalition. Neither Coalition nor any of its employees make any warranty of any kind, express or implied, or assume any legal liability or responsibility for the accuracy, completeness, or usefulness of any information, product or process disclosed. Any action you take upon the information contained herein is strictly at your own risk. Coalition will not be liable for any losses and damages in connection with your use or reliance upon the information. Copyright © 2024. All rights reserved. Coalition and the Coalition logo are trademarks of Coalition, Inc.