{"id":24189,"date":"2024-03-20T05:10:21","date_gmt":"2024-03-20T13:10:21","guid":{"rendered":"http:\/\/www.palada.net\/index.php\/2024\/03\/20\/news-17919\/"},"modified":"2024-03-20T05:10:21","modified_gmt":"2024-03-20T13:10:21","slug":"news-17919","status":"publish","type":"post","link":"http:\/\/www.palada.net\/index.php\/2024\/03\/20\/news-17919\/","title":{"rendered":"Tax scammer goes after small business owners and self-employed people"},"content":{"rendered":"\n<p>While most tax payers don\u2019t particularly look forward to tax season, for some scammers it\u2019s like the opening of their hunting season. So it&#8217;s no surprise that our researchers have found yet <a href=\"https:\/\/www.malwarebytes.com\/blog\/scams\/2024\/02\/tax-season-is-here-so-are-scammers\">another<\/a> tax-related scam. <\/p>\n<p>In this most recent scam, we&#8217;ve not seen the lure the scammer uses, but it is likely to be an email telling the target to quickly go to this site to apply for your IRS EIN\/Federal tax ID number.<\/p>\n<figure data-wp-context=\"{ &quot;core&quot;: \t\t\t\t{ &quot;image&quot;: \t\t\t\t\t{   &quot;imageLoaded&quot;: false, \t\t\t\t\t\t&quot;initialized&quot;: false, \t\t\t\t\t\t&quot;lightboxEnabled&quot;: false, \t\t\t\t\t\t&quot;hideAnimationEnabled&quot;: false, \t\t\t\t\t\t&quot;preloadInitialized&quot;: false, \t\t\t\t\t\t&quot;lightboxAnimation&quot;: &quot;zoom&quot;, \t\t\t\t\t\t&quot;imageUploadedSrc&quot;: &quot;https:\/\/www.malwarebytes.com\/wp-content\/uploads\/sites\/2\/2024\/03\/Screenshot-2024-03-14-at-1.32.34\u202fPM.png&quot;, \t\t\t\t\t\t&quot;imageCurrentSrc&quot;: &quot;&quot;, \t\t\t\t\t\t&quot;targetWidth&quot;: &quot;1236&quot;, \t\t\t\t\t\t&quot;targetHeight&quot;: &quot;958&quot;, \t\t\t\t\t\t&quot;scaleAttr&quot;: &quot;&quot;, \t\t\t\t\t\t&quot;dialogLabel&quot;: &quot;Enlarged image&quot; \t\t\t\t\t} \t\t\t\t} \t\t\t}\" data-wp-interactive class=\"wp-block-image aligncenter size-large is-resized wp-lightbox-container\"><img decoding=\"async\" loading=\"lazy\" width=\"1236\" height=\"958\" data-wp-effect=\"effects.core.image.setButtonStyles\" data-wp-init=\"effects.core.image.initOriginImage\" src=\"https:\/\/www.malwarebytes.com\/wp-content\/uploads\/sites\/2\/2024\/03\/Screenshot-2024-03-14-at-1.32.34\u202fPM.png?w=1024\" alt=\"fake site to apply for IRS EIN Federal Tax ID Number\" class=\"wp-image-106737\" style=\"width:700px\" \/><button class=\"lightbox-trigger\" type=\"button\" aria-label=\"Enlarge image: fake site to apply for IRS EIN Federal Tax ID Number\"> \t\t\t \t\t\t\t \t\t\t \t\t<\/button>        <\/p>\n<div data-wp-body=\"\" class=\"wp-lightbox-overlay zoom\" data-wp-effect=\"effects.core.image.initLightbox\">                 <button type=\"button\" aria-label=\"Close\" class=\"close-button\">                                      <\/button>                 <\/p>\n<div class=\"lightbox-image-container\">\n<figure class=\"wp-block-image aligncenter size-large is-resized responsive-image\"><img decoding=\"async\" src=\"\" alt=\"fake site to apply for IRS EIN Federal Tax ID Number\" class=\"wp-image-106737\" style=\"width:700px\" \/><\/figure>\n<\/p><\/div>\n<div class=\"lightbox-image-container\">\n<figure class=\"wp-block-image aligncenter size-large is-resized enlarged-image\"><img decoding=\"async\" src=\"\" alt=\"fake site to apply for IRS EIN Federal Tax ID Number\" class=\"wp-image-106737\" style=\"width:700px\" \/><\/figure>\n<\/p><\/div>\n<div class=\"scrim\" style=\"background-color: #fff\" aria-hidden=\"true\"><\/div>\n<\/p><\/div>\n<\/figure>\n<p>EIN is short for Employer Identification Number. The IRS uses this number to identify taxpayers who are required to file various business tax returns. EINs are used by employers, sole proprietors, corporations, partnerships, non-profit associations, trusts, estates of decendents, government agencies, certain individuals, and other business entities.<\/p>\n<p>Given the flow of the scam it&#8217;s very likely that the targets are self-employed and\/or small business (SMB) owners. It&#8217;s possible that the phisher has obtained or bought a collection of email addresses from a <a href=\"https:\/\/www.malwarebytes.com\/blog\/news\/2024\/01\/mother-of-all-breaches-may-contain-new-breach-data\">data broker<\/a> that fit a certain profile (for example, self-employed US residents).<\/p>\n<p>To start this operation, the scammer doesn&#8217;t need a lot of information about their targets. A valid email address for a self-employed US resident could cost just a few cents on an underground forum on the <a href=\"https:\/\/www.malwarebytes.com\/blog\/news\/2021\/09\/what-is-the-dark-web-the-dark-web-explained\">dark web<\/a>. However, the scammer might not even need to venture that far, as Senior Director of Technology and Engineering and Consumer Privacy at Malwarebytes, Shahak Shalev told us:<\/p>\n<blockquote class=\"wp-block-quote\">\n<p>&#8220;I don&#8217;t think one would have to go to the dark web to get information like this as there are regular companies selling this information. They would probably qualify it as &#8220;lead generation&#8221;. According to our sources, pricing for one million self-employed US citizens usually goes for $1USD per contact, but for such a large amount it would probably be $0.1 per contact.&#8221;<\/p>\n<\/blockquote>\n<p>The information the phishers are after is quite extensive and includes a person&#8217;s social security number (SSN).<\/p>\n<figure data-wp-context=\"{ &quot;core&quot;: \t\t\t\t{ &quot;image&quot;: \t\t\t\t\t{   &quot;imageLoaded&quot;: false, \t\t\t\t\t\t&quot;initialized&quot;: false, \t\t\t\t\t\t&quot;lightboxEnabled&quot;: false, \t\t\t\t\t\t&quot;hideAnimationEnabled&quot;: false, \t\t\t\t\t\t&quot;preloadInitialized&quot;: false, \t\t\t\t\t\t&quot;lightboxAnimation&quot;: &quot;zoom&quot;, \t\t\t\t\t\t&quot;imageUploadedSrc&quot;: &quot;https:\/\/www.malwarebytes.com\/wp-content\/uploads\/sites\/2\/2024\/03\/Screenshot-2024-03-14-at-1.33.56\u202fPM.png&quot;, \t\t\t\t\t\t&quot;imageCurrentSrc&quot;: &quot;&quot;, \t\t\t\t\t\t&quot;targetWidth&quot;: &quot;1239&quot;, \t\t\t\t\t\t&quot;targetHeight&quot;: &quot;959&quot;, \t\t\t\t\t\t&quot;scaleAttr&quot;: &quot;&quot;, \t\t\t\t\t\t&quot;dialogLabel&quot;: &quot;Enlarged image&quot; \t\t\t\t\t} \t\t\t\t} \t\t\t}\" data-wp-interactive class=\"wp-block-image aligncenter size-large is-resized wp-lightbox-container\"><img decoding=\"async\" loading=\"lazy\" width=\"1239\" height=\"959\" data-wp-effect=\"effects.core.image.setButtonStyles\" data-wp-init=\"effects.core.image.initOriginImage\" src=\"https:\/\/www.malwarebytes.com\/wp-content\/uploads\/sites\/2\/2024\/03\/Screenshot-2024-03-14-at-1.33.56\u202fPM.png?w=1024\" alt=\"Step 1 form to fill out LLC and personal information\" class=\"wp-image-106738\" style=\"width:700px\" \/><button class=\"lightbox-trigger\" type=\"button\" aria-label=\"Enlarge image: Step 1 form to fill out LLC and personal information\"> \t\t\t \t\t\t\t \t\t\t \t\t<\/button>        <\/p>\n<div data-wp-body=\"\" class=\"wp-lightbox-overlay zoom\" data-wp-effect=\"effects.core.image.initLightbox\">                 <button type=\"button\" aria-label=\"Close\" class=\"close-button\">                                      <\/button>                 <\/p>\n<div class=\"lightbox-image-container\">\n<figure class=\"wp-block-image aligncenter size-large is-resized responsive-image\"><img decoding=\"async\" src=\"\" alt=\"Step 1 form to fill out LLC and personal information\" class=\"wp-image-106738\" style=\"width:700px\" \/><\/figure>\n<\/p><\/div>\n<div class=\"lightbox-image-container\">\n<figure class=\"wp-block-image aligncenter size-large is-resized enlarged-image\"><img decoding=\"async\" src=\"\" alt=\"Step 1 form to fill out LLC and personal information\" class=\"wp-image-106738\" style=\"width:700px\" \/><\/figure>\n<\/p><\/div>\n<div class=\"scrim\" style=\"background-color: #fff\" aria-hidden=\"true\"><\/div>\n<\/p><\/div>\n<\/figure>\n<p>A compromised social security number poses a major problem. A SSN stays with you for a lifetime, and is closely tied to your banking and credit history. Adding a person&#8217;s SSN to the scammers&#8217; data could create far more opportunities for identity theft and fraud.<\/p>\n<p>And if that wasn&#8217;t serious enough, the scammers here have the audacity to charge you for the tax ID number, even though applying for an Employer Identification Number (EIN) is a free service offered by the Internal Revenue Service (IRS).<\/p>\n<figure class=\"wp-block-image aligncenter size-large is-resized\"><img decoding=\"async\" loading=\"lazy\" width=\"1236\" height=\"961\" src=\"https:\/\/www.malwarebytes.com\/wp-content\/uploads\/sites\/2\/2024\/03\/Screenshot-2024-03-14-at-1.35.33\u202fPM.png?w=1024\" alt=\"Payment options and pricing on the fake site\" class=\"wp-image-106739\" style=\"width:700px\" \/><\/figure>\n<p>We also found the scammer made a mistake when setting up their fake website. By looking at the privacy policy of the scammer\u2019s site it became apparent that they forgot a small edit when they copied the privacy policy from someone else, but neglected to edit the original domain in one place.<\/p>\n<figure class=\"wp-block-image aligncenter size-large is-resized\"><img decoding=\"async\" loading=\"lazy\" width=\"1158\" height=\"438\" src=\"https:\/\/www.malwarebytes.com\/wp-content\/uploads\/sites\/2\/2024\/03\/old_domain.png?w=1024\" alt=\"privacy notice and cookie policy site shows the original domain\" class=\"wp-image-106741\" style=\"width:700px\" \/><\/figure>\n<p>If you&#8217;ve received a mail or other invitation including a link to the domain irs-ein-gov.us, please let us know in the comments. We would love to have a copy so we can complete this attack profile.<\/p>\n<h3 class=\"wp-block-heading\" id=\"h-how-to-avoid-falling-for-a-tax-scam\">How to avoid falling for a tax scam<\/h3>\n<p>Before acting on an email&#8217;s request, stop and think about the following:<\/p>\n<ul>\n<li>Remember: The IRS doesn&#8217;t ask taxpayers for personal or financial information over email, text messages, or social media channels. This includes requests for PINs, passwords or similar access information for credit cards, banks, or other financial accounts.<\/li>\n<li>Do <strong>not<\/strong> interact with the sender, click any links, or open any attachments.<\/li>\n<li>Send the full email headers or forward the email as-is to phishing@irs.gov. Do not forward screenshots or scanned images of emails because this removes valuable information.<\/li>\n<li>Delete the email.<\/li>\n<\/ul>\n<p>If you are unsure if a certain communication is from the IRS, you can go to <a href=\"http:\/\/IRS.gov\" target=\"_blank\" rel=\"noreferrer noopener nofollow\">IRS.gov<\/a> and search for the letter, notice, or form number. If it is legitimate, you&#8217;ll find instructions on how to respond. If there&#8217;s a form to fill in the verify that it is identical to the same form on IRS.gov by searching\u00a0<a href=\"https:\/\/www.irs.gov\/forms-instructions-and-publications\">forms and instructions<\/a>.<\/p>\n<p>Malwarebytes Premium customers are protected against this particular scam if they have Web Protection enabled.<\/p>\n<figure class=\"wp-block-image aligncenter size-full\"><img decoding=\"async\" loading=\"lazy\" width=\"540\" height=\"333\" src=\"https:\/\/www.malwarebytes.com\/wp-content\/uploads\/sites\/2\/2024\/03\/irs-ein-govusblock.png\" alt=\"Malwarebytes blocks the site of the tax scammer\" class=\"wp-image-106744\" \/><\/figure>\n<h3 class=\"wp-block-heading\" id=\"h-iocs\">IOCs<\/h3>\n<p><strong>Domains<\/strong><\/p>\n<p>ustaxnumber.org<\/p>\n<p>ustaxnumber.com<\/p>\n<p>irs-ein-gov.us<\/p>\n<h3 class=\"wp-block-heading\" id=\"h-check-your-digital-footprint\">Check your digital footprint<\/h3>\n<p>If you want to find out how much of your data has been exposed online, you can try our free Digital Footprint scan. Fill in the email address you\u2019re curious about (it\u2019s best to submit the one you most frequently use) and we\u2019ll send you a free report.<\/p>\n<div class=\"wp-block-malware-bytes-button mb-button\" id=\"mb-button-7ba16f0b-04e8-4679-9512-2f21a0971dcf\">\n<div class=\"mb-button__row u-justify-content-center\">\n<div class=\"mb-button__item mb-button-item-0\">\n<p class=\"btn-main\"><a href=\"https:\/\/www.malwarebytes.com\/digital-footprint\">SCAN NOW<\/a><\/p>\n<\/div>\n<\/div>\n<\/div>\n<hr class=\"wp-block-separator has-alpha-channel-opacity is-style-wide\" \/>\n<p><strong>We don&#8217;t just report on threats &#8211; we help safeguard your entire digital identit<\/strong>y<\/p>\n<p>Cybersecurity risks should never spread beyond a headline. Protect your\u2014and your family&#8217;s\u2014personal information by using\u00a0<a href=\"https:\/\/www.malwarebytes.com\/identity-theft-protection\" target=\"_blank\" rel=\"noreferrer noopener\">Malwarebytes Identity Theft Protection<\/a>.<\/p>\n<p><a href=\"https:\/\/www.malwarebytes.com\/blog\/uncategorized\/2024\/03\/tax-scammer-goes-after-small-business-owners-and-self-employed-people\" target=\"bwo\" >https:\/\/blog.malwarebytes.com\/feed\/<\/a><\/p>\n","protected":false},"excerpt":{"rendered":"<p> We found a tax scammer that set up a fake website where targets could apply for an Employer Identification Number. <\/p>\n","protected":false},"author":4,"featured_media":0,"comment_status":"open","ping_status":"closed","sticky":false,"template":"","format":"standard","meta":{"colormag_page_container_layout":"default_layout","colormag_page_sidebar_layout":"default_layout","footnotes":""},"categories":[10488,10378],"tags":[31137,31138,31139,31140,666],"class_list":["post-24189","post","type-post","status-publish","format-standard","hentry","category-malwarebytes","category-security","tag-ein","tag-irs-ein-gov-us","tag-tax-id-number","tag-tax-scammer","tag-uncategorized"],"_links":{"self":[{"href":"http:\/\/www.palada.net\/index.php\/wp-json\/wp\/v2\/posts\/24189","targetHints":{"allow":["GET"]}}],"collection":[{"href":"http:\/\/www.palada.net\/index.php\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"http:\/\/www.palada.net\/index.php\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"http:\/\/www.palada.net\/index.php\/wp-json\/wp\/v2\/users\/4"}],"replies":[{"embeddable":true,"href":"http:\/\/www.palada.net\/index.php\/wp-json\/wp\/v2\/comments?post=24189"}],"version-history":[{"count":0,"href":"http:\/\/www.palada.net\/index.php\/wp-json\/wp\/v2\/posts\/24189\/revisions"}],"wp:attachment":[{"href":"http:\/\/www.palada.net\/index.php\/wp-json\/wp\/v2\/media?parent=24189"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"http:\/\/www.palada.net\/index.php\/wp-json\/wp\/v2\/categories?post=24189"},{"taxonomy":"post_tag","embeddable":true,"href":"http:\/\/www.palada.net\/index.php\/wp-json\/wp\/v2\/tags?post=24189"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}