Cybersecurity

Data breaches fuel new era of tax fraud

The rash of massive data breaches across the United States is driving a new era of electronic tax fraud that has caught Congress’s attention and left consumers wondering if their tax information is safe.

“You’re seeing the dawn of this new era,” said Jim Penrose, a former head of the National Security Agency’s Operational Discovery Center and now an executive vice president at cybersecurity firm DarkTrace. “A concerted effort on the part of cyber criminals to gather the personally identifiable information [PII] of taxpayers.”

E-tax fraud is “growing exponentially,” said Adam Levin, chairman of identity security firm IDT911, “because the theft of this PII is growing exponentially.”

The sudden surge can be seen around the country.

Nineteen states have recently noticed spikes in electronic filing fraud and Minnesota even stopped accepting some electronic returns.

Intuit, maker of the popular tax filing software TurboTax, briefly suspended services after noticing a dramatic rise in stolen personal information being used to claim tax refunds. The firm has since been fighting allegations that it turned a blind eye to massive cyber fraud.

Thousands of Americans have filed their “paperwork” online this year only to find someone else already filed for them. Resolving the issue can take up to 10 months, Levin said.

Capitol Hill has taken notice, launching investigations on both the Senate and House side as lawmakers prepare for hearings in March.

“We are assiduously working on it,” Senate Finance Committee Chairman Orrin Hatch (R-Utah) told The Hill. “We’re always naturally concerned about people who defraud the government and there’s too much of that going on.”

But it’s a problem with no easy solution, experts say.

Electronic filing is becoming ubiquitous — 86 percent of taxpayers filed online last year. It’s created a quick and simple way to file fake tax returns, churning out huge revenues with little danger or risk of imprisonment, experts say.

“They’re not going to stop,” said Verenda Smith, deputy director of the Federation of Tax Administrators (FTA). “They don’t ever get caught. They’re not going to jail. All they’re doing is making money.”

Street gang violence is even down in cities like Tampa, Florida, as criminals shift to digital tax fraud, said Steven Weisman, a professor at Bentley University, lawyer and author of several books on identity theft.

Corey Williams, one former member of a cyber crime ring that racked up millions in e-tax fraud, recently explained how simple the process was to CBS’ “60 Minutes.”

“Anybody who knew about it, you’d be a fool to not try to get involved with making some money,” said Williams, now one of the few tax fraudsters serving time in prison. “I could wake up in the comfort of my own home, and just get on a laptop, do about 15 returns a day. Fifteen times $3,000 a return, that’s $45,000 a day.”

And the personal information exposed when major companies are hacked has only made the process easier, security experts explain. In the past year, hundreds of millions of Americans’ sensitive data have been compromised through hacks at retailers like Home Depot, banks like JPMorgan Chase and federal agencies like the U.S. Postal Service.

The recent data breach at health insurer Anthem, which exposed nearly 80 millions consumers’ information, is “case in point,” Levin said. The cache of PII that hit the black market after the hack was a goldmine for tax fraudsters.

“It’s everything — name, phone number, medical ID, Social Security number, email address,” he said. “You name it, they got it.”

Armed with all that, “success is pretty much almost guaranteed,” Levin said.

The Internal Revenue Service (IRS), which oversees federal tax filings, got relatively high marks from experts for being attuned to the threat of e-fraud.

Although the agency reported it paid $5.2 billion in fraudulent tax refunds during last year’s filing season, it also said it thwarted another $24.2 billion in attempted fraud, a noted improvement from previous years.

The agency has more than doubled the number of employees working on identity theft since 2011 and also said it bolstered security measures this year to better suss out fraudulent electronic filings.

DarkTrace’s Penrose called the steps “pretty substantial.”

“We closely monitor incoming tax returns, watching for fraud indicators and adjusting our systems as necessary,” the IRS said in a recent statement.

But lawmakers believe the agency might be able to do better.

Hatch pointed to the recent HealthCare.gov glitch that caused roughly 800,000 taxpayers to receive incorrect tax forms for their government health insurance subsidy. Fifty thousand people filed returns based on the inaccurate data before the problem was caught.

“Now that’s minuscule compared to the total number of taxpayers, but it’s still, it indicates that they may not be on top of things like they should be,” Hatch told The Hill.

“I’ve been chatting with the IRS head on a regular basis to see what we can do to solve problems like that,” he added. “We’re working behind the scenes on everything involving taxes and we’re going to continue to do so.”

Hatch’s committee is investigating e-tax fraud more generally and plans to hold hearings soon on the issue, but the chairman did not give a specific timeline.

Several tax experts agreed the department is trying to curb fraud “with one hand tied behind their back,” as the FTA’s Smith put it.

From general budget constraints to the amazing ease of committing e-tax fraud, “they’re fighting a difficult battle,” Weisman said.

Regardless of the steps the IRS takes, many believe e-tax fraud will continue unabated until the private sector ups its cyber defenses and slows the growth of mega breaches.

Congress is considering several bills that industry groups argue would help the private sector better thwart cyberattacks. The measures would increase the data flow between the public and private sectors to give companies a better picture of their cyber threats.

But lawmakers have struggled to come to consensus on the details of such a bill and many wonder how effective it would actually be.

It all adds up to more years of growing e-tax fraud, experts agreed.

In the meantime, Weisman recommended two steps for consumers to help lower their risk of tax fraud. One, be judicious in giving out your Social Security number. Two, file your taxes early to reduce the chances a fraudster beats you to it.  

Weisman acknowledged the protections are minimal.

“I do think it will get worse before it gets better,” he said.