The Internal Revenue Service, the agency that collects more than $3 trillion in revenue for the United States, is under siege by cyber-criminals and fraudsters.
In 2015, a popular scam—where criminals filed fake income-tax reports to collect fraudulent refunds—became even more common. So-called tax-refund fraud accounted for 45 percent of reported identity-theft cases, up from 30 percent in 2013, according to the Consumer Sentinel report published annually by the U.S. Federal Trade Commission.
The crime pays well. The IRS estimated that, by filing tax documents using the identities of real people, fraudsters collected at least $5 billion in 2013 from the agency. More recent numbers are not available.
“From an identity thief’s point of view, [tax-refund fraud] is great,” John Breyault, vice president of public policy for telecommunications and fraud for the National Consumers League, told eWEEK. “They wait with bated breath for the tax-filing season to open and they start filing fake returns and if the IRS does not catch them when they are filed, it won’t be detected until the actual individual files their tax return weeks, if not months, later.”
The blossoming of the tax-refund scam comes from the intersection of three major trends: increasing taxpayer demand to file their returns over the Internet, the widespread leakage of personal information that cannot easily be changed, and the low risk of being prosecuted for the crime. The massive profit that criminals are able to realize, even with moderate success, makes the crime even more alluring.
In addition to personally identifiable information (PII) stolen through breaches, fraudsters are collecting the data needed for the scam by targeting companies with business email compromise—also known as CEO or CFO fraud—where the criminals pose as the CEO or CFO of a company and ask for W-2 information on employees.
Storage firm Seagate Technologies and social media firm Snapchat are among the companies that recently announced employees had inadvertently given fraudsters W-2 information on their workers.
When successful, the cyber-criminals gain essential personal data—such as names, dates of birth, Social Security numbers and income information—data that cannot be changed and is often used for knowledge-based authentication, such as when banks and credit firms ask questions based on a person’s financial information. More than 100 million Social Security numbers have been leaked this year, according to AICPA.
“I don’t know where the limits are … that information cannot easily be changed, and they can use it over and over again,” Michael Bruemmer, vice president of consumer protection at financial-information firm Experian. “The information can be used for many, many years.”
Filing a fraudulent return is not the only way that cybercriminals are cashing in on consumers’ fear of the tax man. The No. 1 scam affecting taxpayers in 2015, for example, consisted of threatening calls from fraudsters demanding the consumer pay purported taxes that they owed.
IRS Tax Refund Fraud Expected to Hit Hard Again in 2016
Yet, tax-refund fraud is, in many ways, the perfect scam. The perpetrator gets paid immediately, the crime is often not detected for weeks or months and the perpetrator is usually never caught, Melanie Lauridsen, senior technical manager for tax policy and advocacy at the American Institute of Certified Public Accountants (AICPAs), said in a press conference on the topic.
“There is no silver bullet for identity theft,” she said. “They are ghost thieves, so it is very hard to catch and punish them.”
While the IRS does not hold the consumer liable for the refund, it takes months to resolve the matter, and all the while, the consumer has to wait for their refund. In a review of 100 random cases between October 2012 and September 2013, the IRS found that the average time it took to resolve the issue was 278 days. In addition, there was a 17 percent error rate.
The IRS has taken a variety of measures to head off tax refund fraud. The agency uses a number of filters that look for, for example, tax returns that claim a dependent from someone else’s return or returns that claim refunds for deceased Americans.
The IRS has steadily added filters. In 2014, for example, the agency used 114 different filter sets, compared to 80 in the year before. In addition, the IRS looks for clusters of returns that attempt to deposit money into a single account, limiting the number of transactions to three in any calendar year.
The measures detected more than $15 billion in refund fraud from more than 2 million fraudulent tax returns filed with the agency in 2014, according to the IRS. In 2013, the agency detected more than $24 billion in fraudulent requests for tax refunds.
“Unfortunately, right now, the IRS is not working with any of the third-party providers such as ourselves to be able to notify individuals that a return was filed in their name,” Experian’s Bruemmer said.
In May 2015, the IRS announced it would consolidate its identity theft activities into a single group, the Identity Theft Victim Assistance (ITVA) directorate.
At present, there is little that a consumer can do to prevent tax-refund fraud. Consumers filed more than 3 million complaints to the FTC in 2015, of which 16 percent were about identity theft and 40 percent consisted of other types of fraud. More than 220,000 of the complaints were related to tax or wage fraud.
“This is a difficult form of identity fraud to guard against,” said NCL’s Breyault.
The best way to foil the fraudsters is for consumers to file their taxes as early as possible, he said. In addition, people should be careful what information they put online. Facebook posts, for example, can easily be mined for information on a person’s name, place of birth and birth date.