IRS slowing tax refunds to fight fraud as scams surge

Lax security, identity theft allow cyber thieves to file bogus paperwork, collect millions


The Internal Revenue Service is taking up to 21 days to review tax returns, according to research from fraud prevention vendor iovation, a clear sign that Uncle Sam has stepped up antifraud measures.

Even so, tax return scams that pivot off stolen identity data continue to rise for the third consecutive tax season. The latest twist: Tax scammers are increasingly targeting vulnerable populations—low income, children, seniors and homeless—as well as prisoners, overseas military personnel and the deceased, according to an FBI alert.


And criminals have gotten very creative about conducting phishing campaigns to fool individual consumers—and key employees at targeted companies—into handing over personal tax-related information, useful for filing fake returns.

Tax software vulnerable

The FBI also says criminals often use online tax software to commit the fraud. That’s particularly troubling, considering what the Online Trust Alliance found in a recent audit of free e-filing services approved by the IRS. Of the 13 services audited, about half failed somewhat basic security protocols, such as email authentication and SSL configurations.

Craig Spiezle, Online Trust Alliance executive director

Craig Spiezle, executive director of Online Trust Alliance, says some of the vulnerabilities, such as unsecure sites, are obvious to the casual person, let alone criminals.

“These sites are such high targets, you’d expect 100 percent of these to be like Fort Knox,” he says. “There’s no perfect security, but you would expect not to see (simple) vulnerabilities.”

Some e-filing sites, for example, had simple server misconfigurations or didn’t have current secure protocols; one provider failed to adopt an extended validation (EV) SSL certificate, leaving it open to spoofing.

Although not everyone is eligible for the free e-filing services that OTA audited, Spiezle says many of the paid e-filing services are run by some of the same parent companies, and thus use much of the same lightly protected infrastructure. He says it would be fair to assume that many of the paid e-filing sites would have the same 46 percent failure rate as the free e-filing services audited by OTA.

Personal info trades on black market

Even if cyber criminals don’t use stolen tax-related data for filing fraudulent returns, that information is highly valuable on the black market. Spiezle points out it’s the only place where this type of rich information—such as income, employer, number of dependents, Social Security numbers and even bank accounts—is available all in one swoop.

“All that data that’s amassed is a treasure chest,” he says. “If you want to create a persona of someone’s identity, you have all the data in one place.”

The IRS expects that this year, 80 percent of the estimated 150 million individual tax returns will be prepared with tax software and e-filed—and that’s music to fraudsters’ ears.

One typical avenue for cyber thieves is to file returns as early as possible, claiming refunds as large as $1,000 to $4,000 on untraceable prepaid debit cards. They can fly under the radar by filing very generic returns, and those multiple refunds turn into a lucrative operation.

“They have immediate access to that cash, as opposed to credit card fraud where the value is not as high and the delivery is through a retailer, so they have to figure out what to do with those goods,” says Scott Olson, vice president of product at iovation, a provider of device authentication and mobile security solutions.

Phishing, malware skyrocket

According to the Government Accountability Office, the IRS prevented $24 billion in fraudulent tax refunds related to identity theft in 2013, while paying out $5.8 billion in fraudulent refunds that it didn’t discover until a year later. And the number of fraud attempts is on the rise: As of March 25, the IRS reported a 400 percent increase in phishing and malware incidents related to the 2016 tax season.

Email phishing campaigns include links to web pages requesting personal information, useful for filing fake returns.

These fake pages often imitate an official-looking website, such as or an e-filing service, and also may carry malware, which can turn over control of the victim’s computer to the attacker. This January alone, the IRS counted 1,026 email-related fraud incidents, compared to 254 a year earlier.

Phishing scams also are targeting employers—because criminals know that’s where they can find large caches of income-related information. One growing trend is the so-called business email compromise (also known as “CEO fraud”), a variation of spear phishing. The phisher does deep research on a targeted company, then impersonates a senior executive to get a subordinate to do something.

Vidur Apparao, Agari chief technology officer

Vidur Apparao, chief technology officer at Agari, which offers an email security platform, says malicious attachments and URLs comprised the bulk of spear phishing emails in the past. But what his company is seeing now is phishing ruses aimed at specific employees that leverage trust to get the recipient to take a specific action. Such attacks do not carry any viral attachments or bad URLs that can be detected. Yet they have proven to be very effective at duping the recipient into forwarding files containing employees’ W2 forms.

“Criminals are leveraging the cloud at three separate points, in ways they couldn’t before: developing social engineering content, sending out spear phishing attacks and getting back a response,” he says.

Basic security helps

According to the OTA, 92 percent of the publicly reported breaches in 2015 could have been prevented. Take email authentication as an example. It’s almost a basic security tool that prevents emails from being spoofed. Those OTA-audited e-filing services that didn’t use it are contributing to those trends.

“The lack of email authentication or the slow adoption in some cases has led to the prevalence of this easy type of attack,” Apparao says.

Spiezle says people need to be aware that emails and other tactics are becoming more sophisticated, and protect themselves accordingly.

“The problem is that we are all moving so fast and we have all these devices and desktops—we are multitasking,” he says. “And the criminals play off that, and they’re getting more precise.”
