In March 2015, KrebsOnSecurity broke the news that identity thieves engaged in filing fraudulent tax refund requests with the Internal Revenue Service (IRS) were using the IRS’s own Web site to pull taxpayer data needed to complete the phony requests. Today, IRS Commissioner John Koskinen acknowledged that crooks used this feature to pull sensitive data on more than 100,000 taxpayers this year.
That March story — Sign Up at IRS.gov Before Crooks Do It For You — tracked the nightmarish story of Michael Kasper, one of millions of Americans victimized by tax refund fraud each year. When Kasper tried to get a transcript of the fraudulent return using the “Get Transcript” function on IRS.gov, he learned that someone had already registered through the IRS’s site using his Social Security number and an unknown email address.
Koskinen was quoted today in an Associated Press story saying the IRS was alerted to the thieves when technicians noticed an increase in the number of taxpayers seeking transcripts. The story noted that the IRS said they targeted the system from February to mid-May, and that the service has been temporarily shut down. Prior to that shutdown, the IRS estimates that thieves used the data to steal up to $50 million in fraudulent refunds.
“In all, about 200,000 attempts were made from questionable email domains, with more than 100,000 of those attempts successfully clearing authentication hurdles,” the AP quotes the IRS as stating. “During this filing season, taxpayers successfully and safely downloaded a total of approximately 23 million transcripts.”
SCOURGE AT THE STATE LEVEL
The Government Accountability Office (GAO) estimates that thieves steal nearly $6 billion a year from state and federal coffers each year via tax refund fraud. This year, fraudsters changed their tactics, leading to a huge spike in attempted fraudulent refund requests — particularly at the state level.
Earlier this week, I had an opportunity to interview John Valentine, chair of the Utah State Tax Commission. Valentine said this year his state saw a tenfold increase in suspicious tax refund filings, and that most of that increase was the result of a type of tax fraud the state had never seen before.
“This was unique, where someone clearly had the information from the prior year’s tax return,” Valentine said. “That different significantly from the way the return comes across if it’s just ID theft. If you have the prior year’s return, you have the names of children, their Social Security numbers and other data you don’t often times get with ID theft.”
These suspicious returns all had the filing status exactly the same [as the year prior], the number of exemptions exactly the same….you even got spelling errors on addresses and names, so that the same errors that occurred in the 2013 return occurred in the fraudulent 2014 return,” Valentine explained. “That’s what told us we were dealing with a different kind of fraud, especially since the extent of the fraud was ten times the amount of fraud we’d seen in the past.”
Valentine said he believes most of that increase was due to lax authentication and security at third-party tax preparation firms (TurboTax, for example). Based on numerous stories about poor authentication and virtually nonexistent “know-your-customer” procedures at TurboTax, I’ve no doubt the nation’s leading tax preparation firm contributed considerably to the spike. But that same data that Valentine references also could be had by pulling taxpayer data from the IRS’s site, which until very recently offered the full previous year’s W2 information on taxpayers.
Stay tuned over the next week for more in-depth stories and interviews about how the states are grappling with tax return fraud, and the changes they are seeking to the status quo.