The Business of Fraud: Tax Refund Fraud

Editor’s Note: The following post is an excerpt of a full report. To read the entire analysis, click here to download the report as a PDF.

Recorded Future analyzed current data from the Recorded Future® Platform, dark web sources, and open-source intelligence (OSINT) between January 2021 and November 2021 in a review of the current tax refund fraud landscape. This report expands upon findings addressed in the first Insikt Group Fraud Series report, “The Business of Fraud: An Overview of How Cybercrime Gets Monetized”.

Executive Summary

Threat actors use a diverse set of sophisticated tactics, techniques, and procedures (TTPs) to defraud tax service authorities worldwide. Overwhelmingly, however, the focus of tax fraud is the United States Internal Revenue Service (IRS). This type of fraud is not limited to identity theft but also encompasses corporate network compromise, ransomware, money laundering, and social engineering attacks. Tax return fraud is an established and perennial business on the dark web that primarily coincides with tax season in the United States from January 1 to April 15 each year.

Key Judgments

• The number of ransomware attacks and network intrusions affecting accounting firms and tax refund services providers steadily grew in 2021.
• Threat actors primarily advertise and request tax refund fraud-related services on Russian-language top-tier forums such as Exploit, XSS, and Verified; however, they sell compromised account login credentials for tax-related services mostly on the dark web shops like Genesis Store, Russian Market, and Amigos Market.
• Tax return fraud will remain a significant threat for the foreseeable future and is likely to remain largely focused on defrauding US citizens and those required to file US tax returns.

Editor’s Note: This post is an excerpt of a full report. To read the entire analysis, click here to download the report as a PDF.