Tax return ID thieves shift focus to states

Share on FacebookShare on Google+Tweet about this on TwitterShare on LinkedInEmail this to someonePrint this page

Byron Aco­hi­do, Third­Cer­tain­ty

Iden­ti­ty thieves have dis­cov­ered – and begun to har­vest – fresh, low-hang­ing fruit in the tax fraud game: state tax returns.

The fil­ing of faked fed­er­al tax returns has been steadi­ly wors­en­ing each year since 2011. It’s such a big prob­lem that the U.S. Jus­tice Depart­ment refers to it as SIRF: Stolen Iden­ti­ty Refund Fraud.

Crim­i­nal rings oper­at­ing boil­er room SIRF oper­a­tions nicked the IRS for $5.2 bil­lion in faked refunds. This was in 2013, when the gov­ern­ment last both­ered to tal­ly the dam­age.

The sit­u­a­tion has wors­ened. Now it appears that SIRF scam­mers have dis­cov­ered it makes per­fect sense to dou­ble up and file a faked state tax return, along with a faked fed­er­al return, for each vic­tim.

For iden­ti­ty thieves, fed­er­al tax fraud is lucra­tive and low risk,” says Vic­tor Searcy, direc­tor of fraud oper­a­tions for IDT911, which spon­sors Third­Cer­tain­ty. “So if I was an iden­ti­ty thief with your data, why would I stop at just fil­ing a fed­er­al return? I can increase my take and max­i­mize my prof­it for each piece of data by tar­get­ing the state tax agen­cies.”

More: Is fil­ing by paper or online safer?

The bad guys know a good thing when they see it. In recent weeks, a surge of faked state tax returns has sent red flags fly­ing in Min­neso­ta and oth­er states. This devel­op­ment forced Intu­it, the com­pa­ny that dis­trib­utes Tur­b­o­Tax, the no.1 do-it-your­self tax return pro­gram, to tem­porar­i­ly sus­pend e-fil­ing of any state tax returns last week.

Mind you there is noth­ing intrin­si­cal­ly wrong with Tur­b­o­Tax. This devel­op­ment sim­ply reflects the Inter­net-cen­tric world we occu­py. It’s a world in which bad guys are able to inno­vate faster and more effi­cient­ly than the good guys, using pop­u­lar con­sumer tools.

Con­sumers’ pain

All a SIRF spe­cial­ist needs is a stolen Social Secu­ri­ty num­ber and a faked W-2. He or she can then use Tur­b­o­Tax or any oth­er tax refund soft­ware to whip up a faked return good enough to get the IRS to send a check or make a direct deposit into an account the scam­mer con­trols.

The pain you will feel should you become a SIRF vic­tim is not incon­se­quen­tial.

Your legit­i­mate tax return request will be reject­ed send­ing you into a lengthy recov­ery process, fes­tooned with red tape. And with your Social Secu­ri­ty num­ber in play in the cyber under­ground, you may want to freeze your cred­it and sub­scribe to iden­ti­ty theft insur­ance cov­er­age.

In its rush to go paper­less, the IRS has been lax about authen­ti­cat­ing doc­u­ments pri­or to issu­ing a refund, and quick to send out checks to what­ev­er address or account num­ber the fil­er sub­mits.

The gov­ern­ment has made a few high-pro­file arrests, but done lit­tle else to reverse this trend. Instead of step­ping up detec­tion sys­tems and enforce­ment, the IRS has gone the oth­er way, due to across the board man­pow­er cuts man­dat­ed by Con­gress.

SIRF is still laugh­ably easy to com­mit,” says Stephen Cobb, senior secu­ri­ty researcher at anti-mal­ware ven­dor ESET. “How­ev­er, increased fear of fed­er­al pros­e­cu­tion may have led more crim­i­nals to go after state tax returns, where fraud con­trols may be even weak­er.”

More on emerg­ing pri­va­cy con­cerns

Faked tax return scams to spike again in 2015
A call for a data breach warn­ing label
For­mer FTC con­sumer chief: pri­va­cy regs need­ed
Use of Ver­i­zon ‘zom­bie cook­ies’ halt­ed

 

 


Posted in Data Breach, Data Security, News & Analysis