If you use the internet, you’ve likely been affected by cybercrime in some way. Even when an attack is aimed at a company, the fallout usually lands on ordinary people.
The most obvious harm is stolen data. When attackers break into a business, it is usually customer information that ends up in criminal hands, and that can lead to identity theft, tax fraud, credit card fraud, and a long tail of scam attempts that can continue for months or years. For consumers, the breach itself is often just the start of the cleanup.
That work is annoying, time-consuming, and sometimes expensive. People may have to freeze credit, replace cards, change passwords, be on the lookout for suspicious transactions, and dispute charges. The Federal Trade Commission (FTC) specifically advises consumers to use IdentityTheft.gov after a breach and recommends steps like credit freezes and fraud alerts to reduce the chance of further abuse.
When sensitive data is exposed, the harm is not only financial. Medical, insurance, and other deeply personal records can be used to create more convincing phishing or extortion attempts, and the stress of knowing that private information is circulating among criminals can linger long after the technical incident is over. In other words, breach victims are not just cleaning up a data problem, they are dealing with a loss of trust.
Breaches happen every day. Don’t be the last to know.
Cybercrime also hits consumers through service disruption. Ransomware and intrusion campaigns can interrupt payment systems, telecom services, shipping, energy distribution, booking platforms, and other infrastructure people rely on every day. In those cases, the consumer impact is immediate: you may not be able to pay, travel, call, buy, or even work normally. The CSIS timeline and Canada’s cyberthreat assessment both show that these disruptions are increasingly tied to high-value targets and can be part of broader state or criminal campaigns.
Not all these incidents are driven by cybercriminals. Recently, Britain’s cybersecurity chief warned that the UK is handling 4 nationally significant cyberincidents every week, with the majority now traced back to foreign governments rather than cybercriminal groups.
Another cost is easy to overlook: disinformation and confusion. When attackers steal data, disrupt services, or impersonate trusted brands, they can also flood the public with fake support messages, scam calls, refund schemes, and phishing emails pretending to be the breached company. The breach becomes a launchpad for more fraud, and consumers are left trying to separate legitimate notifications from those sent by attackers.
Then there is the security backlash. After a breach, companies usually tighten access rules, add more multi-factor authentication prompts, force reauthentication, shorten sessions, and increase fraud checks. Those measures are often necessary, but they also make ordinary digital life more cumbersome. The consumer ends up paying with time and frustration for security problems they did not create.
That is why company-targeted cybercrime is not really only a business problem. It is a consumer issue, a public-trust issue, and sometimes even a national security issue. A single breach can leak data, trigger fraud, interrupt essential services, amplify scams, and make using the internet more frustrating for everyone else. The real cost is rarely confined to the company that got hit.
Knowing this, it’s worth thinking carefully about which companies to trust with your data and how much you’re willing to share . You cannot stop every attack against every company you deal with, but you can limit the fallout by being more selective. Some considerations:
Do they need all the information they are asking for?
Would it hurt anything if you leave some fields blank or give less specific answers?
Has this company been breached in the past, and how did they handle it?
How long will they store the data you provide?
Can you easily have your data removed at your request?
Your name, address, and phone number are probably already for sale.
Data brokers collect and sell your personal details to anyone willing to pay. Malwarebytes Personal Data Remover finds them and gets your information removed, then keeps watch so it stays that way.
If you use the internet, you’ve likely been affected by cybercrime in some way. Even when an attack is aimed at a company, the fallout usually lands on ordinary people.
The most obvious harm is stolen data. When attackers break into a business, it is usually customer information that ends up in criminal hands, and that can lead to identity theft, tax fraud, credit card fraud, and a long tail of scam attempts that can continue for months or years. For consumers, the breach itself is often just the start of the cleanup.
That work is annoying, time-consuming, and sometimes expensive. People may have to freeze credit, replace cards, change passwords, be on the lookout for suspicious transactions, and dispute charges. The Federal Trade Commission (FTC) specifically advises consumers to use IdentityTheft.gov after a breach and recommends steps like credit freezes and fraud alerts to reduce the chance of further abuse.
When sensitive data is exposed, the harm is not only financial. Medical, insurance, and other deeply personal records can be used to create more convincing phishing or extortion attempts, and the stress of knowing that private information is circulating among criminals can linger long after the technical incident is over. In other words, breach victims are not just cleaning up a data problem, they are dealing with a loss of trust.
Breaches happen every day. Don’t be the last to know.
Cybercrime also hits consumers through service disruption. Ransomware and intrusion campaigns can interrupt payment systems, telecom services, shipping, energy distribution, booking platforms, and other infrastructure people rely on every day. In those cases, the consumer impact is immediate: you may not be able to pay, travel, call, buy, or even work normally. The CSIS timeline and Canada’s cyberthreat assessment both show that these disruptions are increasingly tied to high-value targets and can be part of broader state or criminal campaigns.
Not all these incidents are driven by cybercriminals. Recently, Britain’s cybersecurity chief warned that the UK is handling 4 nationally significant cyberincidents every week, with the majority now traced back to foreign governments rather than cybercriminal groups.
Another cost is easy to overlook: disinformation and confusion. When attackers steal data, disrupt services, or impersonate trusted brands, they can also flood the public with fake support messages, scam calls, refund schemes, and phishing emails pretending to be the breached company. The breach becomes a launchpad for more fraud, and consumers are left trying to separate legitimate notifications from those sent by attackers.
Then there is the security backlash. After a breach, companies usually tighten access rules, add more multi-factor authentication prompts, force reauthentication, shorten sessions, and increase fraud checks. Those measures are often necessary, but they also make ordinary digital life more cumbersome. The consumer ends up paying with time and frustration for security problems they did not create.
That is why company-targeted cybercrime is not really only a business problem. It is a consumer issue, a public-trust issue, and sometimes even a national security issue. A single breach can leak data, trigger fraud, interrupt essential services, amplify scams, and make using the internet more frustrating for everyone else. The real cost is rarely confined to the company that got hit.
Knowing this, it’s worth thinking carefully about which companies to trust with your data and how much you’re willing to share . You cannot stop every attack against every company you deal with, but you can limit the fallout by being more selective. Some considerations:
Do they need all the information they are asking for?
Would it hurt anything if you leave some fields blank or give less specific answers?
Has this company been breached in the past, and how did they handle it?
How long will they store the data you provide?
Can you easily have your data removed at your request?
Your name, address, and phone number are probably already for sale.
Data brokers collect and sell your personal details to anyone willing to pay. Malwarebytes Personal Data Remover finds them and gets your information removed, then keeps watch so it stays that way.
A dreadful thing happens far too often whenever an older adult falls for a scam: They get blamed for it. Not the scammers who lied and cheated their victim out of money. Not law enforcement for failing to recover funds. Not even the Big Tech companies that could have the most important role in protecting people online—and which, it turns out, knowingly bring in revenue every year from fraud.
Instead, it is the older adults themselves whose stories are often shirked aside because of a mix of ageism and denial. Allegedly left behind by technology, only an octogenarian would hand their password over in a phishing scheme, or open an email attachment from a stranger, or send money to a fake charity online. Everyone else, everyone else believes, is too savvy for the same.
The data disagrees.
When Malwarebytes studied this last year, it found that, depending on the type of scam—especially for things like “sextortion”—younger individuals were far more likely to report falling victim. Further, digging into data from the US Federal Trade Commission revealed entirely separate patterns. For example, while Americans between the ages of 80 and 89 reported the highest median loss due to fraud in 2024, they also made up the smallest share of their population to report a loss at all. And in 2025, that same group represented the smallest share of reported identity theft, a crime far more likely to be reported by people between 30 and 39.
Questions about who reports what crimes at what rate are valid to explore, but it’s important to see the big picture: Americans lost at least $15.9 billion to fraud last year. Protecting older adults is actually about protecting everyone, and that’s because modern scams don’t arrive only where people over 70 spend time. They arrive where we all are, which is online. They come through endless text messages, they slide into social media DMs, and they prey on things any of us can be—a widow, a divorcee, or simply a lonely person.
According to Marti DeLiema, Assistant Professor at the University of Minnesota’s School of Social Work, scams and fraud are now the most common form of organized crime globally, rivaling weapons trafficking, drug trafficking, human trafficking, and sex trafficking. In 2024 alone, she said, the FTC estimated that older adults in the US had as much as $81.5 billion stolen from them. And the tools meant to fight back—broad consumer awareness campaigns, embedded warning messages at the point of transaction, the training of bank tellers and retail clerks—are nowhere near keeping pace.
So what actually works? And who, if anyone, is doing the work?
Today, on the Lock and Code podcast with host David Ruiz, we speak with DeLiema about who is really susceptible to financial fraud, why victims often describe a scam as a form of betrayal trauma, and why the companies best positioned to stop scam messages from reaching consumers may be the ones least motivated to do so.
“This is not a technical capability problem at all. This is a conflict of incentives.”
A dreadful thing happens far too often whenever an older adult falls for a scam: They get blamed for it. Not the scammers who lied and cheated their victim out of money. Not law enforcement for failing to recover funds. Not even the Big Tech companies that could have the most important role in protecting people online—and which, it turns out, knowingly bring in revenue every year from fraud.
Instead, it is the older adults themselves whose stories are often shirked aside because of a mix of ageism and denial. Allegedly left behind by technology, only an octogenarian would hand their password over in a phishing scheme, or open an email attachment from a stranger, or send money to a fake charity online. Everyone else, everyone else believes, is too savvy for the same.
The data disagrees.
When Malwarebytes studied this last year, it found that, depending on the type of scam—especially for things like “sextortion”—younger individuals were far more likely to report falling victim. Further, digging into data from the US Federal Trade Commission revealed entirely separate patterns. For example, while Americans between the ages of 80 and 89 reported the highest median loss due to fraud in 2024, they also made up the smallest share of their population to report a loss at all. And in 2025, that same group represented the smallest share of reported identity theft, a crime far more likely to be reported by people between 30 and 39.
Questions about who reports what crimes at what rate are valid to explore, but it’s important to see the big picture: Americans lost at least $15.9 billion to fraud last year. Protecting older adults is actually about protecting everyone, and that’s because modern scams don’t arrive only where people over 70 spend time. They arrive where we all are, which is online. They come through endless text messages, they slide into social media DMs, and they prey on things any of us can be—a widow, a divorcee, or simply a lonely person.
According to Marti DeLiema, Assistant Professor at the University of Minnesota’s School of Social Work, scams and fraud are now the most common form of organized crime globally, rivaling weapons trafficking, drug trafficking, human trafficking, and sex trafficking. In 2024 alone, she said, the FTC estimated that older adults in the US had as much as $81.5 billion stolen from them. And the tools meant to fight back—broad consumer awareness campaigns, embedded warning messages at the point of transaction, the training of bank tellers and retail clerks—are nowhere near keeping pace.
So what actually works? And who, if anyone, is doing the work?
Today, on the Lock and Code podcast with host David Ruiz, we speak with DeLiema about who is really susceptible to financial fraud, why victims often describe a scam as a form of betrayal trauma, and why the companies best positioned to stop scam messages from reaching consumers may be the ones least motivated to do so.
“This is not a technical capability problem at all. This is a conflict of incentives.”
The Phishing-as-a-Service Pipeline: How a Scalable Fraud Ecosystem Is Driving Global Attacks
In this post, we examine how phishing-as-a-service (PhaaS) has evolved into a structured cybercrime ecosystem, how threat actors collaborate across infrastructure, delivery, and monetization layers, and why this model continues to drive large-scale financial fraud targeting global organizations.
Phishing is no longer a standalone tactic. It has matured into a service-based ecosystem where specialized actors provide each component of an attack lifecycle, from infrastructure and delivery to credential harvesting and cash-out.
Flashpoint analysts, working with partner financial institutions, have observed a growing number of PhaaS operations operating with a level of coordination and specialization more commonly associated with legitimate software platforms. These ecosystems bring together phishing kit developers, infrastructure providers, spam delivery services, and financially motivated actors into a single, scalable pipeline for fraud.
This shift has significantly lowered the barrier to entry for cybercriminals while increasing the scale, efficiency, and success rate of phishing campaigns.
From Phishing Kits to a Service-Based Fraud Economy
PhaaS emerged from early phishing kits into a full cybercrime-as-a-service model built on commercialization, modular tooling, and operational scalability.
Early phishing activity relied on standalone kits — basic login pages and scripts that allowed attackers to collect credentials. Over time, operators began centralizing these capabilities into subscription-based platforms offering hosting, domain management, campaign tooling, and ongoing support.
Modern PhaaS platforms now operate similarly to legitimate SaaS providers:
Subscription-based pricing models
Prebuilt templates for major brands and services
Integrated delivery mechanisms (email, SMS, QR phishing)
Real-time dashboards for campaign tracking and credential harvesting
This model has made sophisticated phishing accessible to low-skill actors. Kits can cost as little as US$10, while full platforms enable large-scale campaigns for relatively modest monthly fees.
MFA Bypass and AI Are Reshaping Phishing Capabilities
As organizations adopted multifactor authentication (MFA), PhaaS operators adapted.
Modern platforms increasingly rely on adversary-in-the-middle (AiTM) techniques, using reverse proxy infrastructure to intercept login sessions in real time. This allows attackers to capture not only credentials, but also MFA tokens and session cookies, effectively bypassing traditional authentication controls.
At the same time, AI is accelerating the scale and effectiveness of phishing campaigns.
Threat actors are using AI to:
Generate convincing, localized phishing lures
Clone brand interfaces with high fidelity
Optimize campaigns through automated testing and iteration
This combination of MFA bypass and AI-driven automation has transformed phishing from a volume-based tactic into a precision-driven access vector.
The PhaaS Pipeline: How the Ecosystem Operates
What distinguishes modern phishing operations is not just tooling, but coordination.
A typical PhaaS campaign follows a structured lifecycle:
This pipeline is supported by a network of specialized providers, each responsible for a different stage of the attack lifecycle.
Infrastructure, Delivery, and Exfiltration Are Increasingly Specialized
Flashpoint analysis highlights how different actors focus on distinct parts of the ecosystem.
Infrastructure and Kit Development
Phishing kit developers provide increasingly sophisticated tooling, including:
Reverse proxy (AiTM) capabilities for MFA bypass
Anti-bot protections to evade researchers
“Live panels” enabling real-time interaction with victims
Platforms such as GhostFrame, Rapid Pages, and MUH Pro Admin illustrate how these tools are being productized and distributed at scale.
SMS Delivery and Spoofing
Smishing has become a critical delivery vector.
Threat actors operate dedicated SMS gateway services capable of sending large volumes of messages via APIs or bulk uploads. Others actively seek advanced spoofing capabilities to bypass authentication controls such as SPF, DKIM, and DMARC, enabling phishing messages to appear legitimate at the protocol level.
Credential Exfiltration and Telegram Integration
Credential collection is increasingly automated and centralized.
Many campaigns exfiltrate stolen credentials directly to Telegram bots or channels, enabling real-time access to victim data. This infrastructure also allows for rapid scaling and coordination across actors participating in the same campaign or ecosystem.
From Credential Theft to Financial Monetization
The ultimate goal of PhaaS operations is monetization.
Stolen credentials are used to enable account takeover (ATO), which allows attackers to:
Access financial accounts
Lock out legitimate users
Initiate fraudulent transactions
Launch follow-on scams
Flashpoint analysis of actors such as “JUN JUN,” associated with the Squirtle group, illustrates how these operations extend into structured financial fraud and laundering.
Observed activity shows a progression from acquiring phishing logs (“fish material”) to targeting high-value accounts and ultimately laundering funds through complex mechanisms, including tax fraud and credit card repayment schemes designed to recycle illicit funds.
This highlights how phishing is only the entry point into a broader fraud pipeline.
A Distributed Ecosystem of Threat Actors
The PhaaS landscape is not controlled by a single group, but by a network of loosely connected actors and clusters.
Examples include:
Fluffy Spider: Focused on large-scale infrastructure deployment and domain generation
IVAN: A more exclusive, high-tier operation leveraging SEO poisoning and advanced evasion techniques
Smishing Triad: A highly coordinated group conducting global SMS phishing campaigns
System Bot: A modular phishing toolkit with credential harvesting and OTP bypass capabilities
These actors operate across different regions and languages but demonstrate comparable levels of technical capability and operational maturity.
Many of these groups function with enterprise-like structures, including support teams, affiliate models, and performance-based operations, further reinforcing the industrialization of phishing-driven fraud.
Law Enforcement Pressure Is Increasing, but the Model Persists
Recent takedowns, including operations targeting platforms such as Tycoon 2FA, demonstrate growing coordination between public and private sector defenders.
These efforts have:
Disrupted infrastructure
Increased operational costs for threat actors
Accelerated collaboration between intelligence providers and law enforcement
However, the underlying PhaaS model remains resilient.
Even as major platforms are dismantled, operators frequently rebrand, migrate infrastructure, or fragment into smaller services. The demand for scalable, low-cost phishing capabilities continues to sustain the ecosystem.
What This Means for Security Teams
Phishing-as-a-service has evolved from a tactic to an ecosystem that industrializes fraud.
Flashpoint assesses that the increasing coordination between phishing kit developers, infrastructure providers, and financial fraud actors will continue to drive large-scale credential harvesting and account takeover activity targeting global organizations.
For defenders, this means that effective mitigation requires more than user awareness and traditional controls. Organizations must account for:
MFA bypass techniques such as AiTM
Rapid infrastructure rotation and evasion
The integration of phishing into broader fraud and access broker pipelines
Protecting Your Organization from the PhaaS Ecosystem
Understanding how phishing ecosystems operate — from infrastructure and delivery to monetization — is critical for disrupting attacks before they result in fraud.
Flashpoint provides intelligence that helps organizations track phishing campaigns, identify emerging threat actors, and detect compromised credentials in real time. By correlating activity across the full attack lifecycle, security teams can better anticipate threats and respond before they escalate.
To learn how Flashpoint can support your team with actionable intelligence on phishing and fraud ecosystems, schedule a demo.
Tax Refund Fraud in 2026: How Threat Actors Exploit Identity, Verification, and Cash-Out Channels
In this post, we examine how threat actors are executing tax refund fraud schemes, from sourcing identity data to bypassing verification and cashing out fraudulent returns, and what these patterns reveal about evolving fraud ecosystems.
Tax refund fraud remains a persistent and evolving threat within cybercrime and fraud communities. Threat actors actively advertise and refine schemes designed to file fraudulent returns and intercept refund payments from legitimate taxpayers.
Across illicit forums, Telegram channels, and marketplaces, discussions point to a structured ecosystem built around identity data, social engineering, verification bypass, and increasingly sophisticated cash-out methods.
For intelligence teams, these conversations provide insight into how fraud operations are scaling and where defenses are being tested and adapted.
The Structure of Modern Tax Refund Fraud Schemes
At a high level, most tax refund fraud schemes follow a consistent model: obtain identity data, file a fraudulent return, bypass verification, and extract funds.
Flashpoint analysis shows that threat actors focus on several key stages:
Sourcing victims or identity “fullz” (complete PII packages)
Obtaining or bypassing identity and return verification
Leveraging social engineering to support fraud workflows
Using tutorials and shared methods to maximize refund amounts
Converting refunds into cash or cryptocurrency
These stages are not isolated. They are supported by overlapping communities that specialize in identity theft, financial fraud, and account access.
Identity Data as the Foundation of Fraud
The success of tax refund fraud depends heavily on access to high-quality identity data.
Threat actors typically rely on “fullz,” which include a victim’s name, date of birth, address, and Social Security number. In some cases, fraudsters also recruit “clients” or “tax heads” — individuals who knowingly or unknowingly provide accurate tax documents and assist in bypassing verification steps.
This distinction is important. While fullz can be purchased or harvested at scale, clients often provide more reliable and current information, increasing the likelihood that a fraudulent return will be accepted.
A threat actor shares a screenshot of a text exchange with a client in which they obtain access to their TurboTax account and tax forms accessible through the account. (Source: Telegram, Flashpoint Collections).
Threat actors also seek additional data points to legitimize filings, including:
Identity Protection (IP) PINs
Adjusted Gross Income (AGI) from previous tax years
Access to tax preparation accounts or IRS records
These elements are frequently obtained through compromised accounts, social engineering, or access to verified identity platforms.
Verification Bypass as a Critical Enabler
Filing a fraudulent return is only part of the process. Successfully passing identity and return verification is often the deciding factor.
Threat actors place significant emphasis on accessing or creating verified accounts tied to identity systems used by government agencies. These accounts allow fraudsters to:
Retrieve tax transcripts and historical data
Respond to IRS verification requests
Validate identity during filing and follow-up processes
In many cases, fraudsters rely on social engineering to obtain this access. Common approaches include:
Creating fake job postings or tax preparation services to collect documents
Running romance or employment scams to gather personal information
Coercing victims into creating or sharing verified accounts
Threat actors also prepare for additional verification steps, such as responding to IRS letters or completing phone and in-person identity checks. These workflows often involve scripts, impersonation tactics, and coordination with cooperating “clients.”
Fraud Tactics Are Increasingly Systematic
Beyond basic filing, threat actors share detailed tutorials and playbooks designed to maximize refunds and improve success rates.
These often include:
Using real or falsified income data to inflate returns
Targeting specific tax credits, such as the Child Tax Credit (CTC), Earned Income Tax Credit (EITC), or Employer Retention Credit (ERC)
Claiming dependents or benefits that increase refund amounts
Adapting methods based on state-specific programs or eligibility requirements
A notable development is the use of fraudulent income submission schemes, where threat actors pre-populate tax records with inflated income and withholding data before filing a return.
This process typically involves:
Submitting false wage data to the IRS or Social Security Administration using employer identifiers
Waiting for the data to appear on official tax transcripts
Filing a return that matches the fabricated figures
By aligning submitted data with filed returns, fraudsters increase the likelihood that filings will appear legitimate during verification.
Social Engineering Extends Beyond Victims
Social engineering plays a central role throughout the fraud lifecycle—and not just at the initial data collection stage.
Threat actors also target:
IRS representatives, attempting to verify fraudulent returns over the phone
Clients, persuading them to attend verification appointments or share official correspondence
Government offices, including outreach to congressional staff to resolve refund holds
In some cases, fraudsters use AI-generated communications to scale these efforts, including drafting messages designed to appear legitimate and urgent.
These tactics highlight how fraud operations extend into real-world processes and human interactions, not just digital systems.
Cash-Out Methods Continue to Evolve
Once a fraudulent refund is secured, the focus shifts to converting funds into usable, untraceable assets.
Common cash-out methods include:
Direct deposits into accounts controlled by the fraudster
Accounts opened by “clients” on behalf of the operation
Digital banking platforms and payment apps
Prepaid cards and alternative financial instruments
Increasingly, threat actors are moving funds into cryptocurrency to reduce traceability. This often involves:
Using verified exchange accounts to pass KYC requirements
Converting refunds into Bitcoin or other assets
Transferring funds to wallets controlled by the fraudster
In some workflows, the entire process — from filing to conversion — can occur within a single mobile or digital ecosystem.
Fraud Communities Enable Scale and Adaptation
Tax refund fraud does not operate in isolation. It is embedded within broader fraud ecosystems where identity data, tools, and tutorials are continuously shared.
Telegram remains a central hub for this activity, with large channels distributing:
Screenshots of successful refunds
Tutorials and “sauce” (paid or free methods)
Listings for identity data and services
Dark web forums also host discussions, though typically with lower volume and higher signal.
The structure of these communities allows fraud techniques to spread quickly, adapt to changing controls, and persist across multiple platforms.
Flashpoint analysts assess that these schemes are becoming more structured, with clearly defined workflows for identity acquisition, verification bypass, and monetization.
For security and intelligence teams, this has several implications:
Identity data remains a critical point of exposure across multiple fraud types
Verification systems are actively targeted and tested by threat actors
Social engineering continues to bridge technical and human vulnerabilities
Fraud techniques are rapidly shared, refined, and scaled across communities
Understanding how these components connect is essential for identifying emerging fraud patterns and anticipating how threat actors will adapt.
Supporting Security Teams with Threat Intelligence During Tax Season and Beyond
Understanding how tax fraud schemes are executed from identity sourcing to verification bypass and cash-out provides critical context for detecting and disrupting fraudulent activity.
Flashpoint delivers leading intelligence that helps organizations monitor fraud communities, track evolving tactics, and identify emerging schemes before they scale. By combining primary source collection with contextual analysis, security teams can move from reactive detection to proactive defense.
To learn how Flashpoint can support your team with real-time intelligence and analysis, request a demo.
Frequently Asked Questions About Tax Refund Fraud
What is tax refund fraud?
Tax refund fraud is a form of identity-based financial crime in which threat actors file fraudulent tax returns using stolen or manipulated personal information to obtain refund payments before the legitimate taxpayer files.
How do threat actors obtain the information needed to commit tax fraud?
Threat actors typically rely on stolen identity data, often referred to as “fullz,” which includes a victim’s name, date of birth, address, and Social Security number. This information is sourced from infostealer malware logs, phishing campaigns, data breaches, social engineering, and illicit marketplaces.
In some cases, fraudsters also recruit “clients” who provide real tax documents or assist in verification processes.
How do fraudsters bypass identity verification for tax returns?
Fraudsters use a combination of tactics to bypass identity and return verification, including:
Accessing or creating verified identity accounts used for tax authentication
Obtaining prior-year tax data such as adjusted gross income (AGI)
Using stolen or socially engineered identity protection (IP) PINs
Responding to IRS verification requests using scripts, impersonation, or cooperating individuals
These methods allow fraudulent returns to appear legitimate during processing.
What are common tax fraud tactics used by threat actors?
Common tactics include:
Filing returns using stolen personal information
Inflating income or tax withholding amounts to increase refunds
Claiming fraudulent dependents or tax credits
Submitting false wage data to government systems before filing
Using real tax forms combined with manipulated data
These approaches are often shared and refined within fraud communities.
What is a “fullz” in tax fraud?
A “fullz” refers to a complete set of personally identifiable information (PII) about an individual, typically including name, date of birth, address, and Social Security number. Fullz are used by fraudsters to file tax returns, open accounts, and conduct other identity-based financial crimes.
How do fraudsters cash out fraudulent tax refunds?
After a fraudulent return is accepted, threat actors typically attempt to convert the refund into usable funds through:
Direct deposits into controlled or intermediary accounts
Accounts opened by recruited participants
Digital banking platforms or prepaid cards
Cryptocurrency conversion using verified exchange accounts
The goal is to move funds quickly and reduce traceability.
Why is tax refund fraud difficult to detect?
Tax refund fraud can be difficult to detect because it leverages legitimate systems and processes, including real identity data, authentic tax preparation services, and verified accounts. Fraudsters also adapt quickly by sharing new techniques and bypass methods across online communities.
How do fraud communities support tax refund fraud schemes?
Fraud communities, particularly on platforms like Telegram and dark web forums, enable threat actors to share tutorials, tools, and identity data. These communities accelerate the spread of techniques, allowing fraud schemes to scale and evolve rapidly.
What should security and fraud teams monitor to detect tax fraud activity?
Teams should monitor for:
Unusual access to identity data or tax-related accounts
Indicators of compromised credentials or identity verification systems
Discussions of tax fraud methods, tutorials, or cash-out techniques in illicit communities
Patterns in fraudulent filings or refund activity
Incorporating intelligence from fraud communities can provide early visibility into emerging tactics.
How does Flashpoint help organizations detect and prevent tax refund fraud?
Flashpoint helps organizations detect and respond to tax fraud by providing intelligence on how threat actors source identity data, bypass verification systems, and cash out fraudulent returns.
Through primary source collection across platforms like Telegram and dark web forums, Flashpoint enables teams to monitor fraud communities, identify emerging tactics, and understand how schemes are evolving. This intelligence helps organizations move from reactive detection to more proactive identification of fraud risk.
BTS, a global K-pop phenomenon, has recently made a comeback from an almost four-year hiatus: the members of the group were completing mandatory military service in South Korea. For this reason it comes as no surprise that cybercriminals have taken advantage of the band’s highly anticipated world-tour — ARIRANG — to launch a campaign of fake websites targeting fans eager to buy tickets.
We’ve identified at least 10 fraudulent domains that mimic the official pre‑sale pages for the band’s concerts in Argentina, Brazil, Chile, Colombia, France, Mexico, Peru, Portugal, and Spain — all created in early April. We explain how the scammers operate, and how to avoid buying fake tickets.
How the fake ticket scam works
Due to the high demand for the world-tour tickets, some of the event organizers prepared additional measures to ensure there are no ticket scalpers. In Brazil, the ticketing services adopted a “pre‑booking” format: the user first makes an online reservation, and then pays in person at the box office. Although in essence a good idea, the change has caused confusion among fans and created an opportunity for criminals to commit fraud.
Scammers create pages that are nearly identical to the official ones, replicating the layout, design, and the entire purchasing journey. For ordinary users, the experience seems completely legitimate. The links to these websites are circulating on social media — mainly on Instagram.
In Brazil, victims are prompted to make payments via PIX — an instant payment system operated by the Central Bank of Brazil. In some cases, the sites even simulate a card‑payment option, but claim high demand or system errors to pressure users into choosing PIX. PIX payments are then directed to money mule accounts — making it difficult to recover the funds.
Fake website imitating the Brazilian Ticketmaster. The design is almost indistinguishable from the original
This fake Brazilian website makes it seem as if the user can choose between card payment and instant payment. In reality, choosing the bank card option always results in fake “errors”. In the end, the victim is left with no choice but to pay via the PIX system
This scam page targeted at Mexican fans is selling a fake BTS membership. It’s a fraudulent copy of Weverse — a legitimate website that hosts K-pop communities and sells fan-club memberships
This is the French version of a fake Ticketmaster
The scam is a perfect example of how social engineering works. It exploits a massive and highly engaged fanbase — leading many users to act impulsively. The fake “errors” that the website displays during payment create a sense of urgency and cause panic — the scammers are well aware of how quickly BTS tickets sell out. In addition, doubts about the new purchasing system established by the event organizers help criminals make fake websites even more convincing.
How to protect yourself from ticket scams
If you really want to get tickets to your favorite group’s concert but not fall victim to the scammers, it’s important to keep these basic cybersecurity rules in mind:
Access only official ticketing services, which you can find on the official page dedicated to BTS’s tour. Type the website address directly into your browser, and avoid links received via messages, social media, or email.
Check the domain carefully. Slight changes in the address often indicate fraud. This includes additional dashes, unusual territorial domains, and hardly-noticeable changes like replacing a lowercase “l” (L) with an uppercase “I” (i).
Check the website for Privacy Policy and Terms of Use pages. If they’re missing, you’re definitely visiting a fake website. But remember: their presence doesn’t guarantee that the site is legitimate. With modern AI, generating such pages takes only a few seconds.
Carefully check the sales format for each country. In Brazil, payment should only be made in person, so any request for online payment during the pre‑sale is a strong indication of a scam. Other countries and event organizers may offer online payments.
If you’ve been scammed, immediately contact your bank. If you provided bank card information to the criminals, you should reissue your card to prevent further unauthorized payments.
Enable banking alerts. Real-time notifications allow you to quickly identify suspicious transactions.
Use cybersecurity protection that detects and automatically blocks fraudulent websites. Kaspersky Premium, our robust cybersecurity solution, also shuts down phishing attempts, protects your personal data, and helps safeguard your identity.
Beware of “free” or “discounted” tickets. Ultimately, there’s never such a thing as a free lunch — especially when it comes to world‑famous music groups.