case study
Threat Actors Collect Fraudulent Tax Refunds After Theft From Accounting Firm
Industry
Financial Services
Background
Employees: 1 - 25
Coverages: Breach Response
Case Study
A small accounting firm discovered signs of a cyber event after the tax filings for nearly two dozen clients were flagged as fraudulent and blocked by the Internal Revenue Service. Months earlier, a threat actor had stolen and submitted the filings, rerouting the tax refunds to another account for financial gain. Unaware of any compromised accounts, the firm contacted Coalition to explore the matter.
After selecting to work with Coalition Incident Response1 (CIR), the firm’s tax filing software was investigated to determine if credentials had been compromised or if a threat actor had accessed the firm’s actual network. CIR discovered that illegitimate user accounts had been created within the firm’s software account and that an unauthorized computer was used to submit the fraudulent tax returns.
To avoid detection and bypass administrative permissions, the threat actor created a lookalike domain and email address to mimic the firm’s. The firm claimed the software provider should’ve flagged these actions, while the software provider claimed it sent an email alert—but there was no trace of any such communication.
Ultimately, CIR found evidence of business email compromise but was unable to connect it to the tax fraud due to the amount of time that lapsed between the event and its discovery. The firm was dismayed that the threat actor was able to operate so freely within the software platform without being noticed, but, fortunately, one key coverage came into play: Breach Response2 handled the cost of forensic investigation, as well as the notification costs and credit monitoring for clients whose data was compromised. After the accounting firm paid its $2,500 self-insured retention, its policy covered the remaining $31,000.
1. Coalition Incident Response services provided through Coalition’s affiliate are offered to policyholders as an option via our incident response firm panel.
2. The claim scenarios described here are intended to show the types of situations that may result in claims. These scenarios should not be compared to any other claim. Whether or to what extent a particular loss is covered depends on the facts and circumstances of the loss, the terms and conditions of the policy as issued and applicable law.