News, Info and More…
Are fraudulent tax returns the fault of the IRS, or caused by a weakness in the most popular software programs that consumers use to file their taxes? Former employees of Intuit, maker of TurboTax, allege that the company prevented security staff from flagging and shutting down obviously fraudulent accounts. Why? Market share. Fraudsters were ditching TurboTax and using other tax software when the company flagged their returns.
Depending on what state the person lives in, a fraudster must pay TurboTax $25-50 to file a state income tax return. They often use a service that deducts the filing fee from the victim’s refund, so Intuit doesn’t have to deal with the hassles of scammers using stolen credit card numbers to pay, which is often the problem.
It wasn’t difficult for Intuit employees to flag who the fraudsters were. “If I sign up for an account and file tax refund requests on 100 people who are not me, it’s obviously fraud,” former XX Robert Lee explained to Krebs on Security.
This wasn’t a case of Intuit being evil for evil’s sake. (Some customers would argue that their reshuffling of desktop software features was.) Lee explained that while Intuit’s security team noticed and reported fraudulent returns, the identity thieves simply turned to one of their competitors. Another former employee has filed a whistleblower complaint with the Securities and Exchange Commission alleging that the company delayed or didn’t send fraud reports over to the IRS so the fraudulent returns would go through.
Tax software publishers are not required to screen for fraud and report it to the Internal Revenue Service. That means there was money out there to be made from fraudulent returns, and someone was going to make it.
An Intuit spokesman countered the whistleblowers’ arguments, pointing out that it’s the IRS that ultimately decides which tax returns are fraudulent, and if a return is officially flagged and not processed, there’s no refund from which Intuit could collect its fee. “When it comes to market share, it doesn’t count toward our market share unless it’s a successful return,” the chief communications officer explained to Krebs. Neither the IRS nor Intuit wants to hold up legitimate tax returns and refund checks in bureaucratic hell when that return is flagged for possible fraud.
In recent months, we’ve seen a scam aiming to social engineer payroll information out of employees hit well-known companies like Snapchat and Seagate. The fraudsters’ goal is to get employees’ personal information and salary data, and file tax returns to collect refunds under their names. Now the tax scammers have found the ultimate source of payroll data: they’re able to access some companies’ accounts with payroll processing company ADP.
You may not recognize the name ADP, but most adults have probably held at least one job where the company printed their paychecks. Around the world, the company has 610,000 clients. That’s companies, not individuals.
For example, they handle payroll for U.S. Bancorp, and Krebs on Security shared a letter that a reader received when they were the victim of one of these breaches. Employees received a notice that fraudsters had established fake accounts under real employees’ names, harvesting their payroll information. Presumably, this data would later be used for tax refund scamming.
U.S. Bancorp has around 64,000 employees, and not all of them were victims of this scam. To establish a fake account on the ADP portal, the scammers needed to know that the person works for U.S. Bancorp, plus pieces of personal data that are common targets for identity thieves, like the person’s name, date of birth, and Social Security number. In other words, the victims had to already have been victims of identity theft.
Another key part of the breach is that the employer needed to make the company-specific URL and a company code public. Simply having employee handbooks or information on how to find one’s W-2 available on a public Internet page instead of a building-exclusive intranet would be enough to put the not-so-secret URL and code in the fraudsters’ hands.
U.S. Bancorp became aware of the breach on April 19, after the tax deadline, but tax returns for 2015 may have already been filed for employees.
Things are difficult for the IRS right now. For the last few years, people contacting the IRS have encountered lengthy phone hold times, and identity theft and refund fraud drain billions of dollars’ worth of tax refunds into the pockets of international criminals. The Government Accountability Office has the job of overseeing government agencies, including the IRS, and it released a new report today about its issues and possible ways to fix them.
The 23-page report is actually quite readable, and worth looking at if you’ve been a victim of identity theft or refund fraud, you’re a tax preparer, or you’re interested in the future of how Americans file our taxes.
1. The IRS paid out $3.1 billion in refunds to scammers last year. We’ve discussed in the past how this scam works: someone with basic information about a U.S. taxpayer files a return with fake information, depositing their refund in the scammer’s own account. It’s a sophisticated operation and very lucrative.
While the IRS was able to stop most fraudsters in tax year 2014, they’re already figuring out how to hack and social engineer their way into more refunds next year. People whose W-2 information was taken in a variation of the Boss Scam this year should be especially vigilant, locking down their IRS e-filing information and filing their real returns as soon as possible.
2. The IRS doesn’t actually have your W-2 information before they issue your refund. Your employer had to send it to them, yes, and you used those numbers to file your taxes, but a previous GAO report on the IRS pointed out that the agency doesn’t actually match up the numbers that you put down on your return with the numbers that your employer provided until July.
This means that if you delay in filing, someone can file a fake return on your behalf and scoop up a fake refund based on whatever information they make up. If you put false information in your tax return, later in the year, the IRS will catch up with you. Scammers who live thousands of miles away don’t care.
3. The IRS could prevent fraud by checking taxpayers’ pay information against what their employers submitted before issuing refunds. This would be theoretically possible if they received W-2s electronically, but anyone with fewer than 250 employees can submit them on paper.
The GAO suggests that the IRS consider making all employers but the smallest businesses (with 5 to 10 employees) submit their W-2s electronically, and change their workflow to verify returns before cutting metaphorical and literal refund checks.
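The two checks described on this page, the “one account filing for 100 people who are not me” pattern Lee described and the GAO’s suggestion that returns be reconciled against employer-submitted W-2s before a refund is cut, can both be expressed as simple batch logic over filing records. The example below is added here for illustration; it is not code from the IRS, Intuit, ADP, or the GAO report. The data is constructed, the SSNs are fake, and the thresholds (more than two distinct taxpayers per filing account, more than one taxpayer per refund bank account, a $1 tolerance on wage and withholding figures) are assumptions chosen for the demonstration.

```python
from collections import defaultdict
from dataclasses import dataclass


@dataclass(frozen=True)
class W2:
    """What the employer reported to the tax agency for one worker."""
    ssn: str            # constructed, not a real taxpayer id
    employer_ein: str
    wages: float
    withheld: float


@dataclass(frozen=True)
class Return:
    """What a filer claimed on an e-filed return."""
    return_id: str
    filer_account: str  # the e-file account that submitted the return
    ssn: str
    wages: float
    withheld: float
    refund_account: str  # bank account the refund would be sent to


# Constructed sample data: employer W-2 submissions on file.
W2_RECORDS = [
    W2("111-11-1111", "EIN-A", 52000.0, 6100.0),
    W2("222-22-2222", "EIN-A", 48000.0, 5500.0),
    W2("333-33-3333", "EIN-B", 91000.0, 14000.0),
]

# Constructed sample data: returns received before the July matching run.
# r1 and r2 are ordinary; r3-r5 come from one account claiming refunds for
# several unrelated taxpayers into one bank account (the pattern Lee described).
RETURNS = [
    Return("r1", "acct-alice", "111-11-1111", 52000.0, 6100.0, "bank-alice"),
    Return("r2", "acct-bob", "333-33-3333", 91000.0, 14000.0, "bank-bob"),
    Return("r3", "acct-x", "222-22-2222", 48000.0, 9900.0, "bank-x"),
    Return("r4", "acct-x", "444-44-4444", 30000.0, 8000.0, "bank-x"),
    Return("r5", "acct-x", "555-55-5555", 31000.0, 8200.0, "bank-x"),
]


def flag_bulk_filers(returns, max_distinct_taxpayers=2):
    """Filer accounts that submit returns for more distinct SSNs than allowed (assumed threshold)."""
    by_account = defaultdict(set)
    for r in returns:
        by_account[r.filer_account].add(r.ssn)
    return {acct for acct, ssns in by_account.items() if len(ssns) > max_distinct_taxpayers}


def flag_shared_refund_accounts(returns, max_taxpayers_per_account=1):
    """Refund bank accounts receiving refunds for more than one taxpayer (assumed threshold)."""
    by_bank = defaultdict(set)
    for r in returns:
        by_bank[r.refund_account].add(r.ssn)
    return {acct for acct, ssns in by_bank.items() if len(ssns) > max_taxpayers_per_account}


def reconcile_with_w2(returns, w2_records, tolerance=1.0):
    """Compare each return's wages and withholding with the employer W-2 totals for that SSN.

    Returns {return_id: reason} for returns that should be held before any refund is paid:
    either no employer reported anything for the SSN, or the figures disagree.
    """
    totals = defaultdict(lambda: [0.0, 0.0])  # ssn -> [wages, withheld], summed over employers
    for w in w2_records:
        totals[w.ssn][0] += w.wages
        totals[w.ssn][1] += w.withheld
    findings = {}
    for r in returns:
        if r.ssn not in totals:
            findings[r.return_id] = "no employer W-2 on file"
            continue
        wages, withheld = totals[r.ssn]
        if abs(r.wages - wages) > tolerance or abs(r.withheld - withheld) > tolerance:
            findings[r.return_id] = "wages/withholding differ from employer W-2"
    return findings


def returns_to_hold(returns, w2_records):
    """Union of all checks: {return_id: first reason} for returns not to pay without review."""
    held = dict(reconcile_with_w2(returns, w2_records))
    bulk = flag_bulk_filers(returns)
    shared = flag_shared_refund_accounts(returns)
    for r in returns:
        if r.filer_account in bulk:
            held.setdefault(r.return_id, "filer account submits returns for many taxpayers")
        if r.refund_account in shared:
            held.setdefault(r.return_id, "refund account shared across taxpayers")
    return held


if __name__ == "__main__":
    for rid, reason in sorted(returns_to_hold(RETURNS, W2_RECORDS).items()):
        print(f"{rid}: hold ({reason})")
```

Note that the W-2 reconciliation only works if the employer data has actually arrived and been loaded before refunds go out, which is exactly the workflow change the GAO recommends; with paper W-2s from small employers still in transit, the `no employer W-2 on file` result is ambiguous and would need to fall back to the account-pattern checks alone.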
4. The IRS began an agency-wide information security program to lock things down, but failed to implement all parts of it across the entire massive agency, leaving weak spots. An example: auditing who had access to which systems, and making sure that people only had enough access to do their own jobs.
5. The IRS did better dealing with taxpayers contacting them by phone this year, bringing the average wait time down to an estimated 25.8 minutes, compared to 30.5 minutes last year.
6. The most important part of information security at the IRS is users getting access to e-file their returns: methods need to be secure enough that someone who has stolen a taxpayer’s identity can’t easily access their tax history and filing PIN, but easy enough to use that we don’t all forget our passwords from year to year.