Tax return ID thieves shift focus to states

Share on FacebookShare on Google+Tweet about this on TwitterShare on LinkedInEmail this to someonePrint this page

Byron Acohido, ThirdCertainty

Identity thieves have discovered – and begun to harvest – fresh, low-hanging fruit in the tax fraud game: state tax returns.

The filing of faked federal tax returns has been steadily worsening each year since 2011. It’s such a big problem that the U.S. Justice Department refers to it as SIRF: Stolen Identity Refund Fraud.

Criminal rings operating boiler room SIRF operations nicked the IRS for $5.2 billion in faked refunds. This was in 2013, when the government last bothered to tally the damage.

The situation has worsened. Now it appears that SIRF scammers have discovered it makes perfect sense to double up and file a faked state tax return, along with a faked federal return, for each victim.

“For identity thieves, federal tax fraud is lucrative and low risk,” says Victor Searcy, director of fraud operations for IDT911, which sponsors ThirdCertainty. “So if I was an identity thief with your data, why would I stop at just filing a federal return? I can increase my take and maximize my profit for each piece of data by targeting the state tax agencies.”

More: Is filing by paper or online safer?

The bad guys know a good thing when they see it. In recent weeks, a surge of faked state tax returns has sent red flags flying in Minnesota and other states. This development forced Intuit, the company that distributes TurboTax, the no.1 do-it-yourself tax return program, to temporarily suspend e-filing of any state tax returns last week.

Mind you there is nothing intrinsically wrong with TurboTax. This development simply reflects the Internet-centric world we occupy. It’s a world in which bad guys are able to innovate faster and more efficiently than the good guys, using popular consumer tools.

Consumers’ pain

All a SIRF specialist needs is a stolen Social Security number and a faked W-2. He or she can then use TurboTax or any other tax refund software to whip up a faked return good enough to get the IRS to send a check or make a direct deposit into an account the scammer controls.

The pain you will feel should you become a SIRF victim is not inconsequential.

Your legitimate tax return request will be rejected sending you into a lengthy recovery process, festooned with red tape. And with your Social Security number in play in the cyber underground, you may want to freeze your credit and subscribe to identity theft insurance coverage.

In its rush to go paperless, the IRS has been lax about authenticating documents prior to issuing a refund, and quick to send out checks to whatever address or account number the filer submits.

The government has made a few high-profile arrests, but done little else to reverse this trend. Instead of stepping up detection systems and enforcement, the IRS has gone the other way, due to across the board manpower cuts mandated by Congress.

“SIRF is still laughably easy to commit,” says Stephen Cobb, senior security researcher at anti-malware vendor ESET. “However, increased fear of federal prosecution may have led more criminals to go after state tax returns, where fraud controls may be even weaker.”

More on emerging privacy concerns

Faked tax return scams to spike again in 2015
A call for a data breach warning label
Former FTC consumer chief: privacy regs needed
Use of Verizon ‘zombie cookies’ halted