IRS Tax Refund Fraud Expected to Hit Hard Again in 2016

After a surge in tax-refund fraud complaints in 2015, security experts warn that more needs to be done to augment the Internal Revenue Service's detection and prevention methods.  

Tax Return Fraud

The Internal Revenue Service, the agency that collects more than $3 trillion in revenue for the United States, is under siege by cyber-criminals and fraudsters.

In 2015, a popular scam—where criminals filed fake income-tax reports to collect fraudulent refunds—became even more common. So-called tax-refund fraud accounted for 45 percent of reported identity-theft cases, up from 30 percent in 2013, according to the Consumer Sentinel report published annually by the U.S. Federal Trade Commission.

The crime pays well. The IRS estimated that, by filing tax documents using the identities of real people, fraudsters collected at least $5 billion in 2013 from the agency. More recent numbers are not available.

"From an identity thief's point of view, [tax-refund fraud] is great," John Breyault, vice president of public policy for telecommunications and fraud for the National Consumers League, told eWEEK. "They wait with bated breath for the tax-filing season to open and they start filing fake returns and if the IRS does not catch them when they are filed, it won't be detected until the actual individual files their tax return weeks, if not months, later."

The blossoming of the tax-refund scam comes from the intersection of three major trends: increasing taxpayer demand to file their returns over the Internet, the widespread leakage of personal information that cannot easily be changed, and the low risk of being prosecuted for the crime. The massive profit that criminals are able to realize, even with moderate success, makes the crime even more alluring.

In addition to personally identifiable information (PII) stolen through breaches, fraudsters are collecting the data needed for the scam by targeting companies with business email compromise—also known as CEO or CFO fraud—where the criminals pose as the CEO or CFO of a company and ask for W-2 information on employees.

Storage firm Seagate Technologies and social media firm Snapchat are among the companies that recently announced employees had inadvertently given fraudsters W-2 information on their workers.

When successful, the cyber-criminals gain essential personal data—such as names, dates of birth, Social Security numbers and income information—data that cannot be changed and is often used for knowledge-based authentication, such as when banks and credit firms ask questions based on a person's financial information. More than 100 million Social Security numbers have been leaked this year, according to AICPA.

"I don't know where the limits are … that information cannot easily be changed, and they can use it over and over again," Michael Bruemmer, vice president of consumer protection at financial-information firm Experian. "The information can be used for many, many years."

Filing a fraudulent return is not the only way that cybercriminals are cashing in on consumers' fear of the tax man. The No. 1 scam affecting taxpayers in 2015, for example, consisted of threatening calls from fraudsters demanding the consumer pay purported taxes that they owed.

Robert Lemos

Robert Lemos

Robert Lemos is an award-winning freelance journalist who has covered information security, cybercrime and technology's impact on society for almost two decades. A former research engineer, he's...