Hacking Humans 6.10.21
Ep 151 | 6.10.21

Pandemic taxes: later due dates afford more time for scams.


Robert Capps: As consumers, a lot of them waited until - I think it was July - to file taxes. There were a lot more opportunities to impersonate them and file false returns.

Dave Bittner: Hello, everyone. And welcome to the CyberWire's "Hacking Humans" podcast, where each week, we look behind the social engineering scams, the phishing schemes and the criminal exploits that are making headlines and taking a heavy toll on organizations around the world. I'm Dave Bittner from the CyberWire. And joining me is Joe Carrigan from the Johns Hopkins University Information Security Institute. Hello, Joe. 

Joe Carrigan: Hi, Dave. 

Dave Bittner: Got some good stories to share this week. And later in the show, my conversation with Robert Capps. He's from NuData Security. We're going to be talking about what businesses can do to bolster their protection against tax fraud. 

Dave Bittner: All right, Joe. Before we get into our stories, we have some follow-up this week. What do we have here? 

Joe Carrigan: Dave, I wanted to talk about a story I saw on WIRED about two weeks ago. We saw a story - I think was your story - that you talked about a BazarLoader scam that used a phishing email to say you were about to be charged for some book service. I believe it was called World's Books or something like that. Well, this article in WIRED talks about a scam so similar, it pretty much has to be the same group. 

Dave Bittner: OK (laughter). 

Joe Carrigan: Right? But they're using a new hook, right? And it's a totally fake streaming site called Bravo Movies. 

Dave Bittner: Oh. 

Joe Carrigan: And if you go to the link, you'll actually see, like, broken English, terrible movie titles. It kind of looks like a streaming site. 

Dave Bittner: OK. 

Joe Carrigan: But the scam is exactly the same. You call a number to cancel your $800 service, which you didn't order. 

Dave Bittner: Right (laughter). 

Joe Carrigan: And they walk you through the same process of installing BazarLoader. 

Dave Bittner: OK. 

Joe Carrigan: So same scam, different hook. 

Dave Bittner: All right. Well, let's move on to our stories. Why don't you start things off for us? 

Joe Carrigan: Dave, my story comes from a listener named Jason (ph). And Jason actually is friends with a reality TV star who was on "The Amazing Race." Her name is Liz Hunt. 

Dave Bittner: OK. 

Joe Carrigan: And she was trying to sell a gold bracelet on Facebook, Facebook Marketplace. 

Dave Bittner: OK. 

Joe Carrigan: And somebody tried to scam her out of the gold bracelet. So he sent me the transcript of the Facebook Messenger application 'cause here's how this works. You put something on Facebook Messenger, and then you start exchanging messages with the person through the Facebook platform about how you're going to pay for it, how you're going to get it there. 

Joe Carrigan: And this person calls themselves Anthony Wing. And the first thing they do, of course, is they say, hey, is this bracelet still available? She says, yes, it is. And then he starts asking some interesting questions, like how long have you owned it? And where are you located? And she answers these questions. And he says, are you in the USA? And about what will the postage fee be? So we start to set her up. And he says, I'll include an extra hundred bucks for shipping, and I'll send you the payment now. But then what he does is he spoofs some emails because her PayPal account is an email address, right? 

Dave Bittner: Yeah. 

Joe Carrigan: Right. So he has the email address, and he sends her an email from a fake account that looks like it's PayPal, that looks like PayPal is saying somebody has paid $3,800, and that account is on hold until you enter a tracking number - or that amount is on hold until you enter a tracking number. I haven't heard of this specific scam before, but this is a really clever scam. 

Joe Carrigan: And then he starts getting insistent that she send him the bracelet, right? He's not belligerently insistent. But he's like, OK, I've sent you the money, and it's sitting there in PayPal, even though he's never sent it. And he sends her address, and she says, OK, I'll send it tomorrow. 

Joe Carrigan: But fortunately for Liz, she is friends with our listener, Jason. She goes to Jason and says, this is starting to throw up a couple of red flags for me. So Liz sent a payment request to this Anthony guy, and Anthony sent back fake emails that look like the money had been deposited. 

Dave Bittner: Right. And it looks like it's sort of in a type of escrow, even... 

Joe Carrigan: Right, exactly. 

Dave Bittner: ...Which could give you an additional false sense of security. 

Joe Carrigan: Uh-huh, 100%. 

Dave Bittner: Yeah. 

Joe Carrigan: And Jason says, it says that I sent the request, but I don't actually see anything has been sent from you, looking at my PayPal account. And the guy goes, what do you mean? Then Jason notes that the next messages came in, like, within three seconds, right? In other words, this guy is just copying and pasting. 

Dave Bittner: Oh, he's got a whole series of scripts. 

Joe Carrigan: Right, exactly. 

Dave Bittner: (Laughter) So now I'm picturing somebody who has, you know, a couple of dozen windows open who's just click, click, click, click, click, click. 

Joe Carrigan: Yeah, out there scamming people. 

Dave Bittner: Right, right. 

Joe Carrigan: He says, I want you to know that for some security reasons, some sellers do not ship once they get the money. So PayPal has decided to receive the shipment details of the item that is being paid for by customers before the funds can be released to the seller. That is why you need to ship the item once you get the payment confirmation email. This is the email that he sent. 

Dave Bittner: Right. 

Joe Carrigan: And get back to PayPal with the shipment tracking number for them to verify once that is done. And Jason, again posing as Liz, says, I mean that my PayPal account has no funds from you. It just shows that I requested money. The emails you sent didn't come from PayPal. They came from a website that isn't PayPal. Plus, the transaction ID on PayPal from the money request and your fake email didn't match either. Nice try, right? 

Dave Bittner: (Laughter). 

Joe Carrigan: So Jason terminates this. Now, I did a little bit of looking around on this. 

Dave Bittner: OK. 

Joe Carrigan: There is no escrow service like PayPal has. PayPal says they have buyer and seller protection. And then if you - if you make a payment and somebody doesn't send you the item, then you can't really get that money back. But you can file a dispute and be made whole. 

Dave Bittner: Right. 

Joe Carrigan: I don't know how PayPal does that, working against fraud. 

Dave Bittner: Yeah. Well, remember, we've seen other versions of scams with PayPal, where someone will send you something that is not the item you ordered... 

Joe Carrigan: Right. 

Dave Bittner: ...Just so they have that shipping receipt. And that makes it a lot harder to get your money back from PayPal because the scammers can go to PayPal and say, no, no, we totally shipped them something. Look; here's the receipt from UPS or FedEx or whoever. 

Joe Carrigan: Right. 

Dave Bittner: Yeah. 

Joe Carrigan: And I don't know if that's just a delaying tactic, but PayPal actually has on their site - it says, what was delivered was not what was promised. 

Dave Bittner: Oh, OK. 

Joe Carrigan: So... 

Dave Bittner: That's good. That's good. 

Joe Carrigan: ...You have that option. 

Dave Bittner: Right. 

Joe Carrigan: Right? 

Dave Bittner: Right. 

Joe Carrigan: In fact, they'll even satisfy a dispute if you ordered five of something and only got four of them and the seller refuses to send you another one. 

Dave Bittner: OK. 

Joe Carrigan: First thing PayPal says on their website is, it's best for you and the seller to work things out before contacting us. 


Dave Bittner: Don't bring us into this mess. 

Joe Carrigan: Right. 

Dave Bittner: Yeah. 


Joe Carrigan: It's - I mean, I find that a little bit smarmy on PayPal's part, really. 

Dave Bittner: (Laughter) Right. 

Joe Carrigan: I mean... 

Dave Bittner: Well, yeah (laughter). 

Joe Carrigan: But in truth, you know, you should say to the seller, hey, you said you were going to send me four of them; I only got five. And the seller might very well go, that's an honest mistake. Let me send you the fifth one right now. 

Dave Bittner: Sure. 

Joe Carrigan: You know, you have, like, 60 days to file a grievance or a claim in this manner. But PayPal does not have an escrow service, which is interesting. This guy wanted to convince Liz that PayPal does have an escrow service. 

Dave Bittner: Yeah, yeah. 

Joe Carrigan: And he was trying to get a free, very expensive bracelet. 

Dave Bittner: Right, right. But thanks to our listener, Jason (laughter). 

Joe Carrigan: Yup. 

Dave Bittner: Well, and also the woman who was - who had the bracelet, she did the right thing. 

Joe Carrigan: Right. 

Dave Bittner: She slowed down. 

Joe Carrigan: Yup. 

Dave Bittner: She checked with a friend - something didn't feel right - and saved herself a lot of trouble. 

Joe Carrigan: Yeah. Yeah, 'cause she never would have gotten that bracelet back. I mean... 

Dave Bittner: No, no. 

Joe Carrigan: ...That would've just gone to somebody who had been waiting outside the address, taken the package delivery from whoever sent it. 

Dave Bittner: Yeah. 

Joe Carrigan: That's why they wanted the tracking number, is so that they know when it's going to arrive. And they don't live at this address that they sent. The address is probably the address of some innocent person or some company. And they just stand outside and go, oh, is that a package for X, Y, Z? And the FedEx guy goes, yeah, here. Take it. Take it. 

Dave Bittner: Right, exactly. I'm X, Y, Z (laughter). 

Joe Carrigan: Right. 

Dave Bittner: What a crazy random happenstance I happen to be out here. 

Joe Carrigan: Yup. 

Dave Bittner: Thanks to our listener, Jason, for sending that in. 

Dave Bittner: My story this week comes from the FBI. This is from the IC3. They're the... 

Joe Carrigan: The Internet Crime Complaint Center. 

Dave Bittner: That's right. The FBI issued a public service announcement. You know, Joe, I have to say, you are a parent. I am a parent. 

Joe Carrigan: Yes. 

Dave Bittner: Every parent's worst nightmare is the thought of one of your kids going missing. 

Joe Carrigan: Yup. 

Dave Bittner: Right? 

Joe Carrigan: Absolutely. 

Dave Bittner: And I... 

Joe Carrigan: Still keeps me up, and my kids don't even live with me. 

Dave Bittner: (Laughter) They're out of the house, and you still worry about where they are. 

Joe Carrigan: Yup. 

Dave Bittner: No, it's just the way of things. I remember one time, our youngest son went missing for a matter of minutes but at the beach, but it felt like days (laughter). 

Joe Carrigan: Right. 

Dave Bittner: You know? We just couldn't put an eye on him. And... 

Joe Carrigan: There is no place worse to have a missing kid than the beach. 

Dave Bittner: Yeah. 

Joe Carrigan: My daughter chased a seagull down the beach once and... 

Dave Bittner: (Laughter). 

Joe Carrigan: ...Terrified her mother and me. And... 

Dave Bittner: Yeah, this was similar. He had a heart - so, you know, he was down at the seashore with his brother. And, you know, we were sort of camped out a little farther up on the beach. And they - his brother came back to - you know, I don't know what - get a soda or who knows, you know? And we were like, well, where's your younger brother? He's like, oh, I don't know. 

Joe Carrigan: (Laughter). 

Dave Bittner: You were supposed to be watching him. Oh, sorry. 

Joe Carrigan: (Laughter). 

Dave Bittner: So, you know, anyway, so we go looking for the younger one, can't find him. Panic ensues, of course (laughter). 

Joe Carrigan: Right, yeah. 

Dave Bittner: But you know what? He did the right thing. He couldn't find his way back to us, so he just went over to the lifeguard station and sat down in front of the lifeguard station and just figured, well, if they - they're going to look for me. They're going to come check with the lifeguard first. 

Joe Carrigan: Right. 

Dave Bittner: And sure enough, that's what happened. There he was. Happy ending. Anyway, long story short - I know, too late. 

Joe Carrigan: (Laughter). 

Dave Bittner: The IC3 is talking about scammers who are using social media to target victims of missing persons cases. So a family has an incident of a missing person. Let's say - I don't know - a teenager runs away. 

Joe Carrigan: Right. 

Dave Bittner: Or just anyone - anyone in the family goes missing. And a family, who is in great distress over this, of course, they start putting the word out on social media that this person is missing. If you know anything, please contact us, so on and so forth. And these scammers - they monitor social media for these things, and then they follow up with the families and demand a ransom for the missing person. And the ransom is typically between $5,000 and $10,000. The FBI noted that for some reason, $7,000 is a common ask of these bad folks. I don't know why, but there's that. 

Dave Bittner: And they highlight several cases here, where folks had reported someone missing, they reached out on social media to ask for help, someone contacted them demanding a ransom, and it turns out the person was not actually missing. Time passed, and the person was found unharmed... 

Joe Carrigan: Right. 

Dave Bittner: ...Had been, you know, visiting a friend - who knows what? These... 

Joe Carrigan: Most of these things end that way, actually. 

Dave Bittner: Yes. Yes, exactly. So one thing that the FBI wanted to do - obviously, they want folks to be aware of these scams. And, you know, we're doing our part here to (laughter) help spread the word about that. 

Joe Carrigan: Yes. 

Dave Bittner: But they also said that if anyone reaches out to you for something like this, please contact your local FBI field office. 

Joe Carrigan: Right. 

Dave Bittner: And they say, obviously, keep all the documentation, emails, text messages. Take screen captures - all that kind of stuff. Don't delete anything before law enforcement's able to review it. But they also make a really good point. They say it's important that you tell them everything about the online encounters, even though some of it might be embarrassing for the parent or the missing person, you know, especially if everything turns out to be fine. And I could easily imagine being embarrassed that you nearly fell for a scam like this. 

Joe Carrigan: Right. Well, I don't know that I would be embarrassed by that. I mean, you are in a distressed emotional state. 

Dave Bittner: Yeah. 

Joe Carrigan: We frequently talk about the distressed emotional state these guys try to induce, right? Well, why not skip that step... 

Dave Bittner: (Laughter) Right. 

Joe Carrigan: ...And already hit somebody in a distressed emotional state... 

Dave Bittner: Right, right. 

Joe Carrigan: ...Who's not thinking clearly. 

Dave Bittner: Oh, yeah. 

Joe Carrigan: Right? 

Dave Bittner: Yeah. 

Joe Carrigan: And start asking them for money. Now, we've heard other stories a while ago about kidnapping scams where somebody just calls you out of the blue and says, we've kidnapped your daughter. And they have someone in the background screaming. 

Dave Bittner: Right. 

Joe Carrigan: Which is also equally despicable as this. I mean... 

Dave Bittner: Yeah. 

Joe Carrigan: ...I'd like to get my hands on these people, Dave. 

Dave Bittner: (Laughter) It's tough. It's tough. 

Joe Carrigan: Yeah, it's so hard. They target these people. My point is, I would not be embarrassed about this. I would not - I'd try not to feel embarrassed about it. Yeah. 

Dave Bittner: Right. 

Joe Carrigan: I understand maybe you do feel that way, but try not to. You have been targeted by some slimeball. 

Dave Bittner: Yeah, yeah. And law enforcement are - they're going to be empathetic. They're not... 

Joe Carrigan: Right. 

Dave Bittner: ...Going to shame you or, you know, tell you everything you should have done better to - that's not going to happen. The more information you can give them, the more likely it is that they'll be able to connect the dots and hopefully bring justice to these folks. 

Joe Carrigan: Right. 

Dave Bittner: Yeah. So we'll have a link to that. It's actually a public service announcement from the FBI - interesting read. It's a short read but has a few examples of some of the things they're tracking. So that is my story for this week. 

Dave Bittner: Joe, it is time to move on to our Catch of the Day. 


Joe Carrigan: Dave, our Catch of the Day comes from Reddit user Gilfirkin. They were targeted by a crypto scammer who promised outrageous returns. 

Dave Bittner: (Laughter) OK. 

Joe Carrigan: So why don't you read the part of the scammer, and I'll read the part of Gilfirkin? 

Dave Bittner: All right. 

Dave Bittner: (Reading) Hey. 

Joe Carrigan: (Reading) Hey. 

Dave Bittner: (Reading) How are you doing? 

Joe Carrigan: (Reading) OK. So many people now messaging me about investing - so many. 

Dave Bittner: (Reading) Same here, Dorothy. Where are you located? 

Joe Carrigan: (Reading) Good old U.S. of A. 

Dave Bittner: (Reading) You mean United States of America. 

Joe Carrigan: (Reading) Yes. 

Dave Bittner: (Reading) OK. Same here. I got connected to you from Tron group. Are you currently investing into that? 

Joe Carrigan: So Tron is a coin. There's a crypto coin called Tron right now. Just a little bit of background. 

Joe Carrigan: (Reading) I joined the group because my grandson sent me some of this Tron stuff. He said I should learn how to be more up to date. He is such a good boy. 

Dave Bittner: (Reading) That's nice. How much worth of Tron do you have in your possession? 

Joe Carrigan: (Reading) How do I check how much it's worth? 

Dave Bittner: (Reading) What platform do you have your Tron? Log to your wallet where you've got the Tron. Make a screenshot. Let me see. Understood? 

Joe Carrigan: (Reading) Wait. I'm talking to someone else who says they can get me larger returns. I want to get the most I can. 

Dave Bittner: (Reading) This is what I mean. 

Joe Carrigan: And he sent a picture of the wallet, of a Tron coin wallet. And he's trying to get Dorothy to send the information. He goes on. 

Dave Bittner: (Reading) How much can that returns be? 

Joe Carrigan: (Reading) Yeah, 10 times my money back. 

Dave Bittner: (Reading) Oh, that's poor. 

Joe Carrigan: (Reading) It's better than what you offered. 

Dave Bittner: (Reading) What did I offer? I never offered anything to you yet, was trying to know how much you had in your Tron wallet. So when did I offer anything to you? 

Joe Carrigan: (Reading) Oh, I'm sorry. That must have been one of the other 30 people that messaged me. I'm so confused right now. It's impossible to keep this all together. 

Dave Bittner: (Reading) So this guy is offering you 10 times your money daily - returns daily? But have you thought about making that money every one hour? That's what I've to offer you. So you know how much you'll be making every one hour? Ten times returns on your investment every one hour. 

Joe Carrigan: (Reading) Wow. Let me do some maths. To confirm, 10 times per hour. How long can I invest? Like, will you let it grow if I leave it with you for a little bit? 

Dave Bittner: (Reading) Oh, yes. It's a long-term investment. I'll let it grow till you're ready to withdraw. You'll know how much you'll be making. 

Joe Carrigan: (Reading) So wait one sec. 

Dave Bittner: (Reading) So how much do you have to invest? 

Joe Carrigan: (Reading) OK, so if I invest $500 with you and leave it with you for nine hours, that will be a return of $1.6 trillion. Are you able to deposit every cryptocurrency into my wallet because you are promising more than the entire market capitalization? 

Dave Bittner: (Reading) Yes. 

Joe Carrigan: (Reading, laughter) Dude, bloody hell. How do you plan to do that? 

Dave Bittner: (Reading) It's $45,000, not 1.6 trillion. What did you calculate? 

Joe Carrigan: (Reading) Ten times per hour for nine hours. That's $500 times 10 to the ninth power. 

Dave Bittner: (Reading) Five hundred times 10 in nine hours is $45,000. 

Joe Carrigan: (Reading) Not even close. Did you study maths at all? I must admit, it makes it easier to see through the scams when your grasp of basic maths is so bad. 

Dave Bittner: (Reading) Five hundred times ten is what? 

Joe Carrigan: (Reading) You said per hour. So it's 500 times 10 for the first hour, then times 10 for the second hour. 

Dave Bittner: (Reading) Yes. 

Joe Carrigan: (Reading) Then times 10 for the third hour. 

Dave Bittner: (Reading) Answer my question. 

Joe Carrigan: (Reading) Which for nine hours is 500 times 10 times 10 times 10 times 10 times 10 times 10 times 10 times 10 times 10. 

Dave Bittner: (Reading) Five hundred times 10 is what? 

Joe Carrigan: (Reading) For the first hour, I start with $500, and I end up with $5,000. Then that $5,000 invested goes to $50,000. 

Dave Bittner: (Reading) OK. Now listen; you've invested $500. And in an hour, you've got $5,000. One hour, you have 5K. 

Joe Carrigan: (Reading) You said 10 times in an hour. How much money do I have at the start of the second hour? Five thousand dollars? 

Dave Bittner: (Reading) Ten times returns in an hour is $5,000. 

Joe Carrigan: (Reading) Right. Then you take that $5,000 and multiply it by 10 only for the first hour. Then the second hour is two times. 

Dave Bittner: (Reading) Listen to me. 

Joe Carrigan: I love this. She's starting to frustrate this guy. It's really great. 

Joe Carrigan: (Reading) And the returns decrease. Ten times per hour means the amount goes up by 10 times per hour. 

Dave Bittner: (Reading) You can't say that the second hour you're investing the 5K you made in the first hour. 

Joe Carrigan: (Reading) This is amazing. 

Dave Bittner: (Reading) Your 500 is what runs the trade. So after your first 5K, it compounds automatically with your 500 initial deposit. 

Joe Carrigan: (Reading) Please don't delete this chat because YouTube is going to love it. 

Dave Bittner: (Reading) And gives you another 5K, which is 10K in two hours. So I don't know where you're calculating yours from. 

Joe Carrigan: (Reading) Oh, my God. I can barely breathe. This is the best. You need to read up on compound interest. 

Dave Bittner: (Reading) You make profit from your invested amount. 

Joe Carrigan: (Reading) Not simple interest. 

Dave Bittner: (Reading) Do you even know what you're saying? 

Joe Carrigan: (Reading) Yes, I do. That's why it's funny. 

Dave Bittner: (Reading) I don't think so. 

Joe Carrigan: (Reading) I know. That's what makes this even funnier. 

Dave Bittner: (Reading) You invested 500. And in one hour, you make 5K. 

Joe Carrigan: (Reading) Yup, then you have $5,000 invested, not $500. If I invested $5,000, how much would you pay me at the end of an hour? 

Joe Carrigan: And that's where the conversation seems to end. 

Dave Bittner: (Laughter). 

Joe Carrigan: I think at this point in time, the guy probably just got tired of this... 

Dave Bittner: Yeah. 

Joe Carrigan: ...And realized he was getting jerked around by this user. But this is good work. You kept somebody busy for a little bit. They thought they had you on the hook. I don't know if this person actually has 30 other scam attempts going on at the same time, but I would not be surprised. 

Dave Bittner: Yeah, good to eat up some of their time (laughter). 

Joe Carrigan: Yep, absolutely. Thank you very much for sharing that on Reddit. 

Dave Bittner: All right, well, that is our Catch of the Day. We would love to hear from you. If you have something you'd like for us to share on air, you can send it to hackinghumans@thecyberwire.com. 

Dave Bittner: Joe, I recently had the pleasure of speaking with Robert Capps. He is from NuData Security. And our conversation focused on what businesses can do to bolster their protection against tax fraud. Here's my conversation with Robert Capps. 

Robert Capps: The interesting piece about last tax season is that they pushed the date out so long. And so that allowed some fraudsters to impersonate more consumers before Tax Day. And as consumers, a lot of them waited till - I think was July - to file taxes. There were a lot more opportunities to impersonate them and file false returns. And that did happen. 

Robert Capps: Also last year around COVID, we saw a lot of data breach, a lot of loss of consumer information from various web properties around the internet. And that information also fueled those IRS return scams and things like unemployment scams around the U.S. 

Dave Bittner: Yeah. For folks who aren't familiar with it, can you give us the basics of how a tax fraud scam works? 

Robert Capps: Consumer or commercial, it has everything to do with getting a tax return filed in the name of an organization or a person prior to them being able to file. And those filings tend to be focused on creating a tax refund - so a refundable balance with the IRS - and then giving banking credentials to the IRS to transfer that refund into a malicious actor's account - you know, a cybercriminal, a fraudster. Once that money is in their account, they go through the normal process of washing that money and sending it to money mules and then getting it out of the country or getting it into the hands of the fraudster themselves. 

Dave Bittner: And then the unwitting taxpayer or business comes behind and files their taxes as they normally would, and the IRS comes back and says, hey, not so fast. We've already processed your return. 

Robert Capps: Yep. And then the individual, the organization, is on the hook to prove they didn't. In previous years, that was very difficult. As tax fraud or return fraud has become a more common occurrence, the IRS now has better mechanisms for dealing with those false returns and helping consumers resolve those issues. 

Robert Capps: Now, of course, with COVID, staff aren't necessarily in the office, or there are fewer staff in the office, and that makes it harder to get the kind of attention that you need. Now, they're still there to help. There are just a lot more people needing help and fewer people doing the work, so you have to be patient, unfortunately. 

Dave Bittner: What sort of things can folks do? I mean, are there the equivalent of, you know, multifactor authentication for filing taxes? 

Robert Capps: Yeah. So going and making sure that you create your online IRS accounts and you've got to login a password associated with your Social Security number or taxpayer ID number on file with the IRS helps tremendously. There are mechanisms for putting PINs and other authenticators on your returns that must be known in order to get your hands on future returns or your past - copies of your past returns. It's not too difficult to order transcripts of someone's previous returns to get things like adjusted gross income and other information from those accounts. The IRS has made it harder over the last couple years to get that information, but it was rather simple in previous tax years to get that information. And that makes it really easy to do things like online tax filings for a consumer. 

Dave Bittner: What about for businesses? Are there any things that they should be on the lookout for? 

Robert Capps: I think that any business that has employees is potentially a target for cybercriminals to get information about those consumers - their employees - that they could file taxes on behalf of. That information disclosure risk is there, and so people on the HR team, the accounts payable team, whoever's preparing the tax documents themselves needs to be diligent that the replacement W-2s or 1099s - that those are being sent to the legitimate person, not to someone who shouldn't have access to them. 

Robert Capps: On the other side of the coin, corporate tax fraud is an issue, and getting information from an employee through social engineering or getting malware onto their computers in the office can create all kinds of havoc not just at tax time, but also attacking bank balances. And you see unrequested international wire transfers out of corporate accounts to third-party accounts in another country that can't be recovered. Those things are all problems when we talk about the corporate side of the, you know, the fraud, when companies are defrauded by these same individuals. 

Robert Capps: At the end of the day, all schemes come back to some level of value being taken out of the system by a fraudster. And taxes are one cover for it, but they're all the basic - the same basic confidence scams - you know, convincing someone in an accounts payable role or a controller role or something like that to either provide credentials, to allow transactions or to trick them into performing transactions on behalf of the fraudster. 

Dave Bittner: You know, we often talk about third-party risk, and it strikes me that as an individual taxpayer, but certainly as a business, it's probably likely that I have engaged with someone to help me with my taxes. 

Robert Capps: Yeah. 

Dave Bittner: Certainly here in the U.S., I think it's fair to say that they're complicated enough that you need a level of expertise that your average person does not have. Are there things that we should be checking with our providers on? Are there questions we should be asking them to make sure that they're doing their due diligence? 

Robert Capps: If you're dealing with an agency, a physical organization that is processing your taxes - you drop off the packet, they hand you your taxes, and then you sign, and they get mailed in or even electronically delivered on your behalf - those organizations really need to be taking security into account. Where taxes, you know, more than a decade ago were all on paper, tax return fraud result - you know, was the result of breaking into someone's office and stealing boxes of paperwork. Now that's all digital. And so whoever's preparing your taxes or assisting with your taxes really needs to take computer network security into account, and that isn't always the case, right? Some folks are not as computer-literate as we might want them or expect them to be, given their position. 

Robert Capps: And so, you know, having a conversation with your tax preparer about their cybersecurity practices, understanding, you know, whether they're engaging a corporate service or a commercial service to help them do that or they just happen to be hiring their nephew to come in and run antivirus on their machines... 

Dave Bittner: Right (laughter). 

Robert Capps: ...Very different risks involved with those two positions. 

Robert Capps: And just understanding who you're dealing with and what their technical capacity is for protecting your information. Organizations that have a focus around this will probably have a security policy. They'll probably have some other policies they provide you when you sign up for their services. 

Robert Capps: And if you don't get any assurances that they're providing, you know, secure storage and processing of your information, ask before you provide. What do you do with this data? How do you store it? What do you do when you're done with my taxes? Really key questions to ask of any provider. 

Dave Bittner: What about the IRS themselves? Has there been an evolution on their part in terms of recognizing that this is shifting online and so the velocity of potential losses has increased? 

Robert Capps: Yeah, I think they do. And the fact that they now have people that are dedicated to investigating and resolving these issues shows a recognition that there's a problem. Each tax year, we see them become more and more sophisticated with how they verify a consumer's identity during a digital submission of taxes. It's still not perfect, but I'm a big fan of good as (laughter) - as an alternative to waiting till everything's perfect. 

Dave Bittner: Right. 

Robert Capps: And the situation - it's getting to be good enough for most uses and for protecting most consumers. The issue isn't actually at the IRS. The issue is that, you know, the internet is awash in consumer data, and a lot of the data points that are used to authenticate a consumer online have already been stolen or are available in commercial data services if you have a credit card. 

Dave Bittner: Right. 

Robert Capps: So with that being the case, moving towards more of a deterministic consumer human identity online will help this problem immensely, but there's a lot of work yet to be done to get to that point. And so we're seeing organizations like the IRS using commercial identity verification tools. We're seeing them adopt things like preregistered PINs and registering for online accounts that, once they're initiated, no one else can access unless they take them over, which is a much harder process. There's just a lot of things they're now taking into account when it comes to securing these tax returns and the funds coming from them that they... 

Dave Bittner: Yeah. 

Robert Capps: ...Weren't doing before. So, yeah, they're taking it - they're absolutely taking it seriously (laughter). That's for sure. 

Dave Bittner: Yeah, do you - I mean, do you have any insights? You know, for example, you know, you are there at NuData. You're a Mastercard company. 

Robert Capps: Yep. 

Dave Bittner: And certainly, the credit card industry have led the way when it comes to the automated detection of fraud. 

Robert Capps: Right. 

Dave Bittner: Is that technology that we assume the IRS is implementing as well? 

Robert Capps: I don't have a positive (laughter)... 

Dave Bittner: Yeah. 

Robert Capps: ...Knowledge of what they've deployed because, rightfully so, they don't want to talk about those things. 

Dave Bittner: Right, right, right. We could all hope. 


Robert Capps: You know, what I can see from outside, from, you know, a concerned taxpayer who's focused in on this space... 

Dave Bittner: Yeah. 

Robert Capps: ...Is that they appear to be looking for telltale signs of fraud. They've got a large corpus of data that they can analyze to understand what are patterns of malicious activity or potentially malicious activity, and detecting future iterations of those patterns isn't out of the realm of their technical capabilities. So my assumption is they are doing those things 'cause it sounds like they're catching more and more of this stuff as it's filed versus waiting for the consumer to catch it when they go to file their own taxes. 

Dave Bittner: Right. 

Robert Capps: So I assume they're doing things that they should be doing here to make this stuff work. 

Dave Bittner: I mean, it's in their best interest as well, right? 

Robert Capps: It is. 

Dave Bittner: I mean, they want us to all - they want it to go as smoothly as possible. 

Robert Capps: Yeah, but I think that the thing that we need to keep in mind is that when we we're dealing with financial fraud - because this is really what this is; it's diversion of taxpayer resources to a fraudster - once that money's gone, it's gone. Those are tax dollars we've all put into the system through our payroll taxes and income taxes - you know, all the things that we pay in our daily lives to help support the U.S. government. Those dollars going to a fraudster mean they don't go to the right consumer who they belong to, and they still have to be made up to that consumer. 

Robert Capps: So it's an aggregate loss to the country as a whole and all taxpayers. And that's the thing that I think most of us need to keep in mind. This is not a faceless crime of just money being stolen from the government. These are our dollars that are being stolen. And so, you know, we all have a vested interest in making sure that the system is as effective and protected as we can be because there are better things we could be spending that money on. 

Dave Bittner: All right, Joe, what do you think? 

Joe Carrigan: Dave, last year they pushed out the tax due date. Wasn't that great? - pushed out till July. 

Dave Bittner: (Laughter). 

Joe Carrigan: It gave me a lot of time to come up with my tax bill... 

Dave Bittner: OK. 

Joe Carrigan: ...Which was great. 

Dave Bittner: OK. 

Joe Carrigan: But the downside is it gave scammers an increased opportunity, a larger time window to run these fraudulent tax returns. 

Dave Bittner: Yeah. 

Joe Carrigan: More people need help, and fewer people are helping at the IRS because of the pandemic. So it's just going to take longer to get things. Robert says be patient. I guess we have to be patient. One thing you can do is get yourself an identity protection PIN with the IRS. If you're going to file electronically or you're going to get a return, get that IP PIN. If you're listening in the car, wait till where you're going. Go get an IP PIN. 

Dave Bittner: Right. 

Joe Carrigan: It's very important. 

Dave Bittner: Right. 

Joe Carrigan: Stops a lot of this stuff in its tracks. 

Dave Bittner: Yeah. 

Joe Carrigan: Robert said it's not too difficult to order transcripts of someone's previous returns. It's harder, but when the government is dealing with people... 

Dave Bittner: Yeah. 

Joe Carrigan: ...They have to provide services to everybody, right? And they have to make it as simple as possible to do that. 

Dave Bittner: Right. 

Joe Carrigan: So because you have varying degrees of capability among the population and everybody's entitled to these services - right? - like, hey, I need the records of my taxes from the past five years. And the IRS has to say, OK, well, as soon as we verify who you are, we can give those to you. 

Dave Bittner: Right. 

Joe Carrigan: And that verification process has to be doable by everybody. 

Dave Bittner: Right. 

Joe Carrigan: Right? 

Dave Bittner: Yeah. They can't just serve folks who have Ph.D.s. 

Joe Carrigan: Right. Exactly. 

Dave Bittner: Right, right. 

Joe Carrigan: So it leaves open a vulnerability, if you will, that's necessary by design, you know? So, I mean, I understand this is a tough problem. 

Dave Bittner: Yeah. You have to balance the security with accessibility. 

Joe Carrigan: Absolutely. That is one of the constant tug of wars or tugs of war - is it - no, it's tug of wars - going on in the security world. Tax fraud is one of the big reasons that bad guys go after employee data. I've heard stories of HR people being targeted by scammers pretending to be the CEO of the company just going, I need all the personal information of all of our employees right now. I'm working on closing some kind of business finance to extend because we're running out of money. And the person sends it, and the data - it's a data breach. Now... 

Dave Bittner: Right. 

Joe Carrigan: These bad guys have enough information to file fraudulent tax returns from one email, one phishing email. 

Joe Carrigan: Two points that Robert made in passing that I want to amplify - first off, he said an interesting statement, that people used to have to break into buildings to steal tax records, but now they can do it over the internet. And that brought this to my attention. This is not a new crime. And it's one of the things that our forensics professor, Dr. Leschke, says. He says that the internet doesn't really create new crimes, just provides a new way to commit old crimes, right? So that's really what we're looking at here. These fraudulent tax returns aren't new. They're just more prevalent now. 

Dave Bittner: Yeah. 

Joe Carrigan: And now they're a bigger drain on the Treasury. So I thought that was kind of a subtle point that Robert made that should be amplified. We're not dealing with new crimes. 

Joe Carrigan: And the other point he made is you don't need to get perfect. You just need to get better. This is like never let the perfect be the enemy of the good. 

Dave Bittner: Right, right. 

Joe Carrigan: Right? If you can do something to improve your security, do it. You know, as practitioners, we tend to say, well, that still makes you vulnerable, like adding SMS two-factor authentication. If you don't have that turned on and it's the best that your - the provider offers, use it... 

Dave Bittner: Yeah. 

Joe Carrigan: ...Even though it's not perfect. 

Dave Bittner: Yeah. It's like adding a deadbolt to your front door lock. 

Joe Carrigan: Right. Exactly. 

Dave Bittner: You know, it's - and yeah. Just maybe your neighbor doesn't have one, and that makes you less likely to be targeted. 

Joe Carrigan: Exactly. 

Dave Bittner: Yeah. 

Joe Carrigan: Robert makes a great point. They're not stealing money from the government; they're stealing money from us. This is not - this means that it's money that will not get spent on services, and it only increases the national debt. It could be used elsewhere - right? - for better purposes than padding the pockets of some scammer. 

Joe Carrigan: Remember; when it comes to the IRS, the IRS will never call you. They will never threaten to have you arrested. They'll never demand that you make payment via any method other than writing a check payable to the United States Treasury. They do not demand Green Dot cards, credit card payments. There are no gift cards, no cash in an envelope and no cryptocurrency. 

Dave Bittner: Right. 

Joe Carrigan: Right? 

Dave Bittner: Yeah. 

Joe Carrigan: I mean, you can pay your tax returns by credit card, but you actually have to use a third-party service to do that. But they will never demand that you do it that way. The IRS will send you a letter. And if you ignore those, they will send you a Treasury agent with a badge. 

Dave Bittner: Right, right, right. Hopefully it doesn't come to that. 

Joe Carrigan: Yes. Pay attention to the letters from the IRS. 

Dave Bittner: Yeah, absolutely. All right. Well, our thanks to Robert Capps from NuData Security for joining us. We do appreciate him taking the time. 

Dave Bittner: We want to thank all of you for listening. And, of course, we want to thank the Johns Hopkins University Information Security Institute for their participation. You can learn more at isi.jhu.edu. 

Dave Bittner: The "Hacking Humans" podcast is proudly produced in Maryland at the startup studios of DataTribe, where they're co-building the next generation of cybersecurity teams and technologies. Our senior producer is Jennifer Eiben. Our executive editor is Peter Kilpe. I'm Dave Bittner. 

Joe Carrigan: I'm Joe Carrigan. 

Dave Bittner: Thanks for listening.