FATCA related E-mail phishing

FATCA certification used for E-mail scam


Considering the information required for certifying and classifying individuals and entities for FATCA, it was probably inevitable that criminals would start using FATCA certification as part of a phishing or identity theft attack, and today one of our clients highlighted such an attempt against them. Phishing is the attempt to acquire sensitive information by masquerading as a trustworthy entity in an electronic communication. In this case the scammer asked for information in an email made to look like it was from the IRS.

The information provided to the tax office is the same information that scammers often use for corporate identity theft. It contains not only name, address and contact details but also tax identification numbers, and for US individuals the tax identification number is your Social Security Number. This is not just a concern for US entities; I know of at least three other countries where your main ID number is used as tax identification.

The timing is rather interesting as well: the first reporting deadlines for FATCA are coming up, and a lot of organisations will be under pressure to get their onboarding, backboarding and certification documentation up to date. It is likely that in many organisations the teams that would handle these requests are already under pressure to complete this work to a tight deadline. This is further compounded by the fact that FATCA allows for tailored forms, and indeed many Financial Institutions have opted for a tailored certification form that better suits their requirements rather than using the IRS W-8 series form, so there is no single, easily recognisable form to expect.

Why do criminals want this information?

At first it does not sound like the name, registered address and tax identification number of a corporation would be that useful to a potential criminal. However, this is the very information the corporation uses for communication with the tax office, for applying for loans, credit cards and bank accounts, and for many other business transactions.

A common tactic is tax refund fraud, where the perpetrator submits a false tax return in your company's name and then claims the tax refund. The IRS National Taxpayer Advocate reports that tax-related identity theft has increased 650% since 2008, so these types of scams are becoming more and more common.

It is also important to recognise that in many cases corporations only need a name, address and tax identification number to open bank accounts, apply for credit or enter into deals, and the due diligence processes used by companies for these services are not always as stringent as those used when providing the same services to individuals.

Is your team trained to recognise e-mail fraud, and do they know what the procedures are to manage and report potential fraud?

DBFS have compiled a short guide with four indicators to recognise compliance-related phishing attacks.

Additional information on FATCA, OECD CRS and ITC2014 can be found on our webpage under Tax Treaties.
