Extorted by Ransomware Gangs? The Payments May Be Tax-Deductible (cbsnews.com) 64
As ransomware attacks surge, the FBI is doubling down on its guidance to affected businesses: Don't pay the cybercriminals. But the U.S. government also offers a little-noticed incentive for those who do pay: If you pay a ransom, it may be tax deductible. From a report, shared by a Slashdot reader: The Internal Revenue Service offers no formal guidance on ransomware payments, but multiple tax experts interviewed by the Associated Press said deductions of ransomeware payments as a cost of doing business are usually allowed under law and established guidance. Some called it a 'silver lining' for ransomware victims. Those looking to discourage payments are less sanguine. They fear the IRS deduction is a potentially problematic incentive that could entice businesses to pay ransoms against the advice of law enforcement. At a minimum, they say, the deductibility sends a discordant message to businesses under duress.
Should only be tax-deductible (Score:4, Interesting)
If you get a proper receipt, and the payee is a registered business along with a sale tax ID.
Re: (Score:2)
Definitely, though even then it's going to become the new Double Russian with a Ukrainian sandwich.
Re: (Score:2)
In most jurisdictions you do not need a tax ID or a receipt, and most certainly the receiver of the money does not need to be a registered business, to make any payment a business expense.
I'm not a registered business. I write about one bill per month. My bill needs a tax ID - to be a valid bill. but my customer could pay me in cash - without a bill, and write in his tax report: he paid Angelo - that is me. That even works for payments that include VAT, unless they exceed a certain amount.
In Thailand it is
So, here's a scam plan (Score:1)
But the nefarious ransomware company is in cahoots with parent company and gives it substantial kickbacks . . . or is operated by the parent company's CxO families on the side . . .
Re: (Score:2)
I think this would be fine as long as the company had to publicly admit how much money the gave to the ransomware hackers. That way companies would be unlikely to lie about how much they lost. People wouldn't really trust to do business with a company if they said they were losing millions to ransomware.
Profit (Score:1)
1) Hire someone to hack your company... could even make it easy for them by providing the user name and password of a former employee's account [slashdot.org]
2) Hired hacker demands ransomware payment
3) Pay ransomware
4) Take tax deduction
5)
6) Profit
Re:Profit (Score:5, Informative)
You do realize that paying the ransom is necessarily much larger than the tax deduction, right?
There's never any "profit" in a tax deduction. It's a "tax" deduction. Not an "expense" deduction. The government doesn't give you anything (that would be a tax "credit", and even that is almost certain to not net you any profit.) The government simply isn't taking more from you.
Re: (Score:3)
It bugs me how often people get this wrong, as well as how income brackets work.
A tax deduction is a mitigation, sucks that you spent the money, but hey, at least you don't also have to pay taxes on that amount on top of having spent the amount. It's not a 'silver lining' so much as it is a mitigation.
However, if you arrange things so that you pay *yourself* the ransom, then you are getting somewhere. Which is why this probably shouldn't be deductible, since you can't audit the other end of the transaction
Re: (Score:2)
If you paid "yourself", which wasn't part of the previous post, then you still aren't getting anywhere. That "self" gets to pay income tax on that payment.
Simply put, if I pay me, and it's not an expense, I pay taxes on it three times between my left pocket and my right pocket.
Re: (Score:2)
If you pay yourself in a manner that obscures the recipient of the money, then you wouldn't pay tax on that 'income', because you are using it as a vehicle to commit tax fraud. That's my point, if the other end of a transaction is anonymous, then it's feasible to take advantage of that to reduce apparent income by appearing to incur an expense, that was really shuffling your money into some secret interest controlled by you, but not readily auditable.
I know I can count a small amount of money as qualifying
Re: (Score:2)
Correct; if the other end of a transaction is anonymous, then you aren't going to be able to call it an expense at all.
You can always lie. You can try to beat the enforcement department. It has a name that I dare not speak.
So I no longer have any idea what your point is/was. Simply hiding in a box and not paying your taxes isn't a witty solution.
Re: (Score:2)
Your concept of mitigation is fun, but it's inside out. Tax "deductions" don't exist. Those expenses are simply not taxed. The "deduction" is in the calculation on the income form to determine your income. You then, simply aren't taxed on those expenses -- your government doesn't collect money on it.
There are loads of things that aren't taxed. Most people haven't the foggiest notion of just how many. Because it's backwards. You were never expected to pay tax on those things. When you do, because you
Re: (Score:2)
I was agreeing with you, for reference.
People mistake 'deductions' for 'credits' when talking about this sort of thing, they think a deduction means free money from taxing, rather than just an acknowledgement that you incurred qualifying expenses allowing you to declare that the income shouldn't count because you no longer have it and it went toward an end explicitly acknowledged as exempt by the tax code.
'deduction' is the word for qualifying expenses that mean your income doesn't count. I'm not sure exact
Re: (Score:2)
It would seam that we are both confused because we agree far too much.
Happy team-work!
Re: (Score:2)
You do realize that paying the ransom is necessarily much larger than the tax deduction, right?
Article states companies may deduct the ransomware payment as a business expense. That means the entire ransomware payment can be written off.
Re: (Score:2)
If you have a tax deduction of $10,000, then it only means you owe maybe $2,000 less. A tax deduction does not save you the amount you deduct, only the otherwise taxable portion thereof
Now if the full amount counted as a tax *credit*, well then that would apply.
Re: (Score:2)
You don't know what "written off" means.
It means that amount isn't considered part of your income -- because you took that income and spent it on the ransom. Thus, you won't pay tax on it. You don't get it back.
Is this an episode of Seinfeld?
Re: (Score:1)
> You do realize that paying the ransom is necessarily much larger than the tax deduction, right?
Ransom = R
Tax Deduction from Ransom = T
Original company = +T-R
Hackers = +R
If the original company and the hackers are the same people; then combined they get +T-R+R=T.
Now if instead of being the entire company in cahoots, it's just a couple of insiders, then it becomes:
Original company = +T-R
Hackers/Insiders = +R/(size of group)
This is no different than people questioning Dick Cheney.... b-b-b-b-but why would
Re: (Score:2)
You missed a vital element -- T is a ratio of R.
Ransom = R
Tax on random is T%
Original company = -R - RxT
Hackers = +R
If they are the same people they get +R - R - RxT = -RxT -- which is the taxed amount.
And then, the hackers who received the +R get to pay income tax on their mysterious earnings. Another -RxT (different T of course). But we can assume, for now, that they can't be found.
Seriously, if a business takes money out of their left pocket, and puts it into their right pocket, they pay three different
Re: (Score:2)
If you're paying the ransom to a contractor who will return it under the table (minus a small fee), then their fee just needs to be less than the tax. And if you're DIYing this, you can charge yourself 0.
Bitcoin kind of sucks for this, though. (Stupid ledger!) We need an untraceable currency in order to maximize ransom tax fraud. I propose a new system I've been working on. The idea is that you have these bearer tokens that people physically authenticate on the spot, so that they don't have to check with th
Re: (Score:2)
...and the contractor needs to hide the revenue -- or they'll pay the tax.
Welcome to tax fraud. But there's a much much much easier way. Just don't pay your contractors, let them work for free, and then you can make it up to them with free work in return. There are only a small handful of barters that are taxed. If you have trust within your service-for-service relationship, then you don't need money. And you won't get a courtroom to cover you either.
Re: (Score:2)
Hot tip (Score:2)
Set up backups today! It's cheaper than extortion payments.
Re: (Score:2)
Unfortunately even so called "experts" don't know how to do proper backups.
Can you restore from them? Can you compare them?
Chances are a file is changed, you back it up, 3 month later you "delete one tape and reuse it". That was the tape which hold the unencrypted original version of the file.
With all this strange attack vectors we have in our times, it is pretty difficult to have a solid back up strategy. You basically have to restore every backup on a fresh computer and need some mechanism to figure out i
Re: (Score:2)
You do have a point, and that might have been a serious issue in the 90s, but now there are so many solutions for backups that there's really no excuse. Do a search for "cloud backup service" and you get a ton.
Although basically anyone I know who used a tape backup system ended up getting burned by it.
Re: (Score:2)
Of course it's deductible, who's the scammer? (Score:2)
The entire concept of taxation is to give money to the community (big or small) in order to support the society as a whole.
For example, you bought a book, but didn't pay for the roads that shipped it (to the store or to your door). Obviously the book-seller isn't collecting and submitting road taxes. Except that they are, that's their income tax on the money that you paid to them.
Paying a ransom isn't something that relies on public infrastructure. What's the example? You got extorted but you didn't pay
Re: (Score:3)
You don't understand what tax-deductible means. It's not the same as tax-free, and has nothing to do with sale tax.
Basically, it means if my corporation makes a revenue of $1000 this year, has $500 of regular expenses and paid $200 in ransom, then it only has to pay taxes on $300 (the profit). The ransom becomes an expense, just like employees, furnitures, etc.
Re: (Score:2)
Dude, I've run a business for 25 years. That's what I said. No idea where you saw anything related to sales tax.
Re: (Score:2)
Well you do not seem to understand what taxes are for. It's not related to public infrastructure, in the sense that even if I earn $1million/year I'll pay more income tax than those earning only $10k. No matter if they use roads, schools, and hospitals more than I do. Taxes are based on how much you earn/spend/have. Not how much you use infrastructures.
Corporations pay taxes on their profit, not their income. But they can't usually write off illegal expenses such as bribes, prostitutes and drugs towards the
Re: (Score:2)
a) taxes are for infrastructure; absolutely.
b) they aren't based on YOUR usage of the infrastructure; they are based on OUR usage of the infrastructure. You hire employees. They use public transit. Therefore, your income taxes fund public transit. You hire a gardener, that gardener has children who go to school. Therefore your taxes fund schools.
c) taxes are CALCULATED based on how much you earn/spend/have. They are BASED on how much WE use infrastructures.
d) corporations pay taxes on way more than ju
Re: (Score:2)
And, of course, many things that we all agree are expenses, are deductible not at 100% -- catering client meetings is 50% deductible, just because.
Because otherwise it would be an incentive to dodge income taxes, by providing food to everyone instead of salary (money).
And also because, well, everybody knows your clients could eat peanut butter sandwiches that they make themselves instead, which would be far less costly, but you still choose to go the expensive way of ordering from the restaurant.
taxes are for infrastructure; absolutely.
Taxes are for the government to get money. So that they can finance government spending, such as public goods and services, which do not only include public i
Re: (Score:2)
You'll need to decide if you are talking about giant corporations, or small businesses, or public companies. You're choosing to pick-out oddities that are only oddities because you've crossed corporation sizes.
There are no offshore tax havens for small businesses.
Providing food instead of salaries isn't something that small businesses could do.
Deciding how expensive lunch should be isn't something that matters when it comes to private businesses -- the tax calculation for the government is the same, they'l
Re: (Score:2)
I would agree ransomware payments should be deductible. One of those infrastructure things society is supposed to afford you is effective law enforcement and protection from foreign attackers.
Clearly the fact that rasomware gangs exist and could reach you in the first place means society fell down, let you down - why shouldn't you get a discount on your obligation to it!
As to the incentive - its not an incentive. Deductions are not the same as Credits! Its not going to save you more in taxes than it costs
Not sure why this is news (Score:2)
Re: (Score:2)
Generally speaking, it only makes sense to be deductible if it is a fully legal transaction, where both parties of the transaction are tracked.
Here the money disappears into an illicit organization. Even if you are sympathetic to this specific scenario, one could also imagine a company going all in on a money laundering scheme and receiving a tax benefit for doing so.
The point of deducting an expense is that you are merely moving that money from one legally recognized entity to another and the tax burden ca
Re: (Score:2)
Even if you are sympathetic to this specific scenario, one could also imagine a company going all in on a money laundering scheme and receiving a tax benefit for doing so.
Can you elaborate how is it money laundering? By paying a ransom, you move legal and clean money from a legal business to illegal money of an illegal business. It looks like an opposite of money laundering.
Re: (Score:2)
I'm saying that if tax deductions are possible where only one participant in the transaction is legal and known, then that would be ripe territory for money laundering as well.
To be nefarious in the context of paying a ransom to an anonymous peer, then one could imagine that it could be possible to pay *yourself* the ransom, and it may be difficult for anyone to know that while you claimed to have incurred the expense, you ultimately just paid yourself out of view of auditing. Or to pay for illicit services
Re: (Score:2)
then that would be ripe territory for money laundering as well.
Just nitpicking:
Money you legally earned, and just transfer with an excuse to some other account you have access to: that is not called money laundering. It is tax fraud.
Money laundering is the exact opposite. You have money from an illegal source, incorporate it into your company's bank account and tax it and claim it came from a legal source.
Re: (Score:2)
Re: (Score:2)
You can pay to a random bitcoin address and claim it was a ransom, while in fact it is your own bitcoin address or your wive's or your chield's or best friend.
That is not really "money laundering" but is what your parent meant.
Re: (Score:2)
The point of deducting an expense is that you are merely moving that money from one legally recognized entity to another and the tax burden can be followed to the first non-qualifying transaction or the end of the line.
In principle.
In praxis no.
If I live in town A and have to travel to town B to do a job. And travel back and write a bill, then the bill is my income.
If I have to stay there for two days, and the bill makes that clear as in 21th of June, 8h billed, 22nd of June, 10h billed, then I obviously m
Re: (Score:2)
Well yes there is a threshold at which you can deduct things without documentation. However a $5 million dollar ransom payment should require something.
Generally speaking, if you have hundreds of dollars to deduct, no one is going to bat an eye or demand thorough documentation. When in aggregate you are deducting over $10,000, well you need to show where that went and prove it went somewhere.
Re: (Score:1)
But not for Traffic Tickets. (Score:3)
Back in the old day when I use to be a Consultant, my Boss asked me to hurry to get to the Customer fast. However not to get a traffic ticket, because it wasn't tax deductible for the business, and I wouldn't be compensated for any traffic ticket occurred.
This rule made a lot of sense, because you don't want a company pressuring its employees to drive unsafe, because of strictly a a profit motive.
This doesn't make sense. Tax Deductions are primary a tool to guide people and businesses to be doing the right thing, and rewarding them doing the right thing, even if it may cost them some extra money initially.
But the company failed to operate a proper IT Security policy for its organization, the company is now paying criminals money which could be put to who knows what. As well the criminals are now more embolden to do it again because they made money from it.
I think if a company is to take Tax Credit, they really should be some strings attached. Such as working with the FBI to track the Criminals Down, possibly making sure they payments are traceable. As well they will need to offer and show improvements in their IT Security for the future.
Re: (Score:2)
No deductions are not there to press people to do the right thing. Deductions are to make the tax code more fair. CREDITS are there to encourage behaviors.
You get to deduct state and local taxes not because the federal government things you should not try to evade local taxes, its to not double tax you. You get a efficent home credit because we want you to install solar powered lighting! Then there are refundable tax credits, and non-refundable tax credits. Refundable ones like the EIT mean you can actuall
Re: (Score:3)
Businesses are more sensitive towards deductions, while individuals are more sensitive towards credits.
If you want businesses to act in a particular way, you are going to give deductions for them doing what you want them to do, and be clear they cannot get deductions for the things you don't want them to do. This is important to them, because the business handles a lot of money, so deductions can cut their tax brackets down by a lot. While credits, make businesses a little more difficult, because it is mon
Re: (Score:2)
Just FYI, you're confused about what tax credits and deductions are.
Neither are "is money that comes in without it being properly tied to an action, so it needs to be accounted for and dealt with as income". It's just paying less tax than you would without the credit. That simple.
Tax credit:
Suppose you made $100K, so you owe $28K in tax.
But you bought a solar-powered car and therefore quality for a $1,000 tax credit. You pay $27,000 in tax.
Tax deduction:
Suppose you billed the customer $100K
You spent $50K
Way to incentivize hacks (Score:2)
Cyber security is already tax deductible. No need to foot the bill for incompetent data managers.
How convenient (Score:1)
It's an expense/loss but how do you prove it? (Score:2)
How can the company prove that the bitcoin actually went to a legitimate ransomware and not just to their own personal wallet?
Also, aren't there already laws against laundering and giving money to terrorists? How is paying a ransom any different than giving
money to any other terrorist group? It seems like a cut and dry case of knowingly funding a terrorist organization.
You can't make something illegal and tax it... (Score:2)
Re: (Score:3)
Profits from the sale of illicit drugs are taxable.
Change the law. (Score:2)
I don't care if it's currently tax deductible, it's a drain on society if you pay it. Change the law, do not allow these to be tax deductible.
I'm going to get hacked (Score:2)
by myself, and then write off the expenses.
Hol up.. (Score:3)
Some of these ransomware entities are considered terrorists. At the very least they're criminals.
Giving terrorists or criminals money is kind of a crime, isn't it?
So not only are they potentially committing a crime themselves, but they're getting a tax deduction for it?
That seems really messed up.
Re: (Score:2)
Shouldn't they be prosecuted for funding the terrorists in that case?
Re: (Score:2)
That's my thinking.
Best tax loop hole ever (Score:2)
Ransom payments are tax deductible? (Score:2)
Does anyone ELSE smell a huge business opportunity to skim some bucks off those 1%ers?
It's not a silver lining (Score:2)
The difference matters because these companies still would've been better off if they hadn't been hit by ransomware. If they'd instead spent that money on new compu