Tax Fraud and Other Ripple Effects of Business Email Compromise

Last week, we shared some thoughts from Wombat CEO Joe Ferrara about the rise of business email compromise (BEC) attacks, including fraudulent requests for W-2 data. Today, we’d like to share the experiences of another Wombat executive, who last year found himself in the unenviable position that many could find themselves in this year: tax fraud victim.

At this point, many of us have felt the ramifications of a data breach in one way or another. But in many cases, when a breach happens, the emphasis is on the organization that suffered the breach rather than the people whose data was compromised. Often, the individuals are little more than a footnote to the story — a mention of a year or two of free credit monitoring, perhaps. And maybe the assumption that credit monitoring nips the situation in the bud and provides adequate protection against future shenanigans.

As you’ll see from our executive’s story, this isn’t always the case. He and his family were victims of two different breaches: one healthcare related and one that stole credit card data. He did take advantage of the free credit monitoring offered to him. But that didn’t stop someone from filing taxes in his name and forcing him to spend hours and hours (and hours) trying to fix it.

In his words…

In late March 2015, I received a letter from my state’s department of taxation stating that my 2014 filing had not included my credit for 2013’s overpayment (i.e., my refund for 2013 was too low). Enter problem #1: I had not yet filed my tax return for 2014.

The letter also stated that the credit would be applied to my current year’s refund and would be received in 10 days. Enter problem #2: I was traveling extensively for business at the time and didn’t see the letter until after the 10 days had passed.

Once I did see the letter, I immediately contacted my state’s tax department and told them I hadn’t yet submitted my 2014 tax return. I also pointed out to them that the details noted in the letter about my supposed 2014 tax return were significantly different from my prior years’ returns, including the following:

  • The number of exemptions was off by two
  • The salary noted was comparable to my salary from 20 years ago
  • The deductions listed were nowhere near my historical amounts

When I pointed out the major discrepancies and asked why the return wasn’t compared to prior years’ returns prior to processing, I found out disappointing news: most of those checks don’t happen. Why? I suppose there are several reasons that come to the top of everyone’s mind, but here’s a big one: W-2s are not even required to be submitted until a few months after federal and state refunds start to be issued. Which means there’s nothing to check against.

The state tax department gave me a federal number to call and report the fraudulent filing. After a long (loooooong) wait on hold, I was connected to a very helpful IRS agent who advised me about next steps to take in dealing with the fraud. I had to provide a lot of information over the phone to verify my identity. Thankfully, I had the details I needed related to past W-2 and other deductible details. The IRS agent told me that many people who were reporting tax fraud that year had the same medical insurance I had and used the same commercial tax preparation software I had used to file my taxes in prior years. Because there were some doubts about the security of that software, I was advised to file my actual 2014 return via paper.

In speaking with the IRS agent, I learned that, on the federal side, my 2014 return had been flagged as risky. I took some solace in that, but was quickly disappointed to learn that the IRS doesn’t always share this type of information with state tax agencies. Had that suspicion been shared, I could have been saved a lot of headaches.

But I just had to move ahead. I contacted my banks, credit card companies, insurance providers, and investment advisor to make sure they would be on notice for anything unusual and to implement a series of secondary checks for future approvals. I also notified one of the credit bureaus and asked they require additional proof for any new account applications. In addition, as advised, I filed a complaint with my local police department.

So after numerous calls and much time waiting on hold, I finally had everyone on notice and had my credit frozen. Unfortunately, my time on the phone was not at an end. I ended up getting a few more letters instructing me to call the IRS or my state tax departments to discuss updates. But I would not find out until after I called — and waited on hold — that nothing had changed. It was simply a case of the administrative logs being behind the actual point of progress. So the letters were being sent out after issues had already been resolved.

Did I mention that I had a lot of practice in exercising patience throughout this process?

Anyway, today, I have special numbers that I put on my tax returns. (I have also learned that if you have to call the IRS, it's best to call as early in the day as possible. File that tip away and hope you never need to use it!) Since the fraudulent filing, I have submitted returns that included both federal and state refunds. I had wondered how long it might take given the issues in the past, but all were processed within a reasonable amount of time.

Another item of interest in this process is related to the credit monitoring I was provided following the fraudulent filing. I was given an account with a commercial company that tracked my credit status; they created a special code and password so I was able to verify it was indeed them calling me. They contacted me and told me that they had received an alert that someone had tried to set up a retail credit card in my name. I confirmed that I had not made the attempt, at which point the credit monitoring service put me on a three-way call with the retail card company.

During the call, the retail company’s representative asked me for my Social Security number and date of birth. And, frankly, that set off a warning bell for me. As I had not placed the call myself, I could not be certain that I was really speaking with the retail company — and I said as much on the phone. I was surprised that the credit monitoring service would even find it appropriate that I be asked to provide those pieces of PII to a credit card company that I didn’t have (and didn’t want to have) an account with. I told them that, in my opinion, all they needed to know was that I hadn’t applied for the card and that the request should be denied. After that call, I contacted the credit card fraud department directly — and they had no record of the application attempt. While it wasn’t proof positive of a scam, I was certainly glad I hadn’t handed over those pieces of information.

I’ve thought a lot about what happened over the past year, and, as you might imagine, it’s been on my mind a lot lately. As a parent, I wonder how these types of breaches can impact our kids’ ability to protect their credit. I’ve now heard a number of stories about college students having fraudulent returns filed in their names and not finding out about it until after their parents’ returns are rejected.

And I can’t help but tie it to the work I do now for Wombat, which aims to prevent this from happening to other people. The ripple effects of a data breach are real; like my family, many others out there are facing hours of clean-up calls for problems they didn’t create. Cyber security awareness and training is about protecting people — employees, customers, and business partners — as much as it is about protecting organizations. Really, they are two sides of the same coin. Because when you have to devote so much personal time to correcting a problem that someone else caused for you, you can’t help but resent that someone else. It takes a lot to repair broken trust, and in the end, it could actually cost you your business.

