Executive Summary

Tax season began on January 23, 2023, and with it came the return of tax refund fraud.

Recently, the threat group “Infinity Hackers BY” claimed to have conducted a successful cyberattack against the IRS. Whether or not the attack actually occurred, the threat group’s claim highlights the threat posed by tax refund fraud, also known as stolen identity refund fraud (SIRF). Tax refund fraud occurs when criminals use stolen tax forms and personally identifiable information (PII) to submit fraudulent tax returns with the goal of stealing their victims’ tax refunds.

Tax refund fraud incurs costs both for taxpayers and government agencies, particularly the IRS, and has demonstrated year-on-year growth in popularity across the dark web. In recent decades, electronic filing has simplified tax refund fraud; in order to conduct it, threat actors require only stolen tax forms and PII, which are often available for purchase on dark web sources, along with a fraudulently registered bank account.

Key Findings

• Tax refund fraud has become an increasingly popular topic on dark web forums. For the past 3 years, dark web forum posts relating to tax refund fraud have shown year-on-year growth, and in 2022, we observed 78,032 references to the keyword “tax” on dark web marketplaces.
• To conduct tax refund fraud, threat actors must obtain fraudulent or stolen tax forms, victim PII, and a fraudulently registered bank account before they submit a fraudulent tax return. Criminal tutorials, guides, references, and paid services simplify each of these tasks, ultimately facilitating tax refund fraud for inexperienced threat actors.
• The availability of stolen tax forms and PII necessary to conduct tax refund fraud drive its popularity and increase the risk it poses. Both stolen tax forms and associated PII are widely available via breached databases and dark web marketplaces.

Background

On January 12, 2023, the US Internal Revenue Service (IRS) announced that the 2023 tax season would begin on January 23, 2023. Tax season is now in full swing, and more than 168 million individual tax returns for the 2022 tax year are expected to be filed, accepted, and processed before the filing deadline of April 18, 2023.

The return of tax filing season throws tax refund fraud — also known as stolen identity refund fraud (SIRF) — into stark relief. By acquiring tax forms and sensitive personally identifiable information (PII) through data breaches, criminal services, and dark web resellers, criminals can file fraudulent tax returns under a victim’s name in order to steal their tax refund. Electronic filing means that fraudulent returns can be swiftly submitted and processed, and stolen refunds can easily be deposited into fraudulently registered bank accounts, sent to prepaid payment cards, or even used to fund criminals’ crypto accounts.

According to the US Department of Justice, tax refund fraud “threaten[s] to disrupt the orderly administration of the income tax system for hundreds of thousands of law-abiding taxpayers and [has] cost the United States Treasury billions of dollars”. SIRF can result in delayed refunds for taxpayers and additional operating costs for the IRS. Once the fraud is discovered, victims must go through a daunting administrative process to prove their identities and rectify their situations.

The IRS recognizes the threat posed by SIRF, and has implemented advanced verification measures, encouraged taxpayers to safeguard their personal information and report suspicious activity, and even established a dedicated program to assist taxpayers affected by identity theft. The IRS also issues Identity Protection PINs (IP PINs) to confirmed victims of tax-related identity theft, which are used to verify the taxpayer’s identity upon filing their tax return.