March 25, 2015

Some of the most frank and useful information about how to fight fraud comes directly from the mouths of the crooks themselves. Online cybercrime forums play a critical role here, allowing thieves to compare notes about how to evade new security roadblocks and steer clear of fraud tripwires. And few topics so reliably generate discussion on crime forums around this time of year as tax return fraud, as we’ll see in the conversations highlighted in this post.

File 'em Before the Bad Guys Can

File ’em Before the Bad Guys Can

As several stories these past few months have noted, those involved in tax refund fraud shifted more of their activities away from the Internal Revenue Service and toward state tax filings. This shift is broadly reflected in discussions on several fraud forums from 2014, in which members lament the apparent introduction of new fraud “filters” by the IRS that reportedly made perpetrating this crime at the federal level more challenging for some scammers.

One outspoken and unrepentant tax fraudster — a ne’er-do-well using the screen name “Peleus” — reported that he had far more luck filing phony returns at the state level last year. Peleus posted the following experience to a popular fraud forum in February 2014:

“Just wanted to share a bit of my results to see if everyone is doing so bad or it just me…Federal this year has been a pain in the ass. I have about 35 applications made for federal with only 2 paid refunds…I started early in January (15-20) on TT [TurboTax] and HR [H&R Block] and made about 35 applications on Federal and State..My stats are as follows:

Federal: 35 applications (less than 10% approval rate) – average per return $2500

State: 35 apps – 15 approved (average per return $1600). State works just as great as last year, their approval rate is nearly 50% and processing time no more than 10 – 12 days.

I know that the IRS has new check filters this year but federals suck big time this year, i only got 2 refunds approved from 35 applications …all my federals are between $2300 – $2600 which is the average refund amount in the US so i wouldn’t raise any flags…I also put a small yearly salary like 25-30k….All this precautions and my results still suck big time compared to last year when i had like 30%- 35% approval rate …what the fuck changed this year? Do they check the EIN from last year’s return so you need his real employer information?”

A seasoned tax return fraudster discusses strategy.

A seasoned tax return fraudster discusses strategy.

Several seasoned members of this fraud forum responded that the IRS had indeed become more strict in validating whether the W2 information supplied by the filer had the proper Employer Identification Number (EIN), a unique tax ID number assigned to each company. The fraudsters then proceeded to discuss various ways to mine social networking sites like LinkedIn for victims’ employer information.


A sidebar is probably in order here. EINs are not exactly state secrets. Public companies publish their EINs on the first page of their annual 10-K filings with the Securities and Exchange Commission. Still, EINs for millions of small companies here in the United States are not so easy to find, and many small business owners probably treat this information as confidential.

Nevertheless, a number of organizations specialize in selling access to EINs. One of the biggest is Dun & Bradstreet, which, as I detailed in a 2013 exposé, Data Broker Giants Hacked by ID Theft Service, was compromised for six months by a service selling Social Security numbers and other data to identity thieves like Peleus.

Last year, I heard from a source close to the investigation into the Dun & Bradstreet breach who said the thieves responsible made off with more than six million EINs. In December 2014, I asked Dun &Bradstreet about the veracity of this claim, and received a blanket statement that did not address the six million figure, but stressed that EINs are not personally identifiable information and are available to the public.


By May of 2014, Peleus reported that he’d more or less worked out the best ways to avoid the IRS’s fraud filters, and was finding great success at the state level. The key, he said, was having the bogus refund sent to a unique prepaid debit card account for each filing. In this case, he found success with Green Dot — a widely-used prepaid card.

“The season is over, and my stats improved A LOT once I used one Greendot for one refund, instead of 1 checking account for 10 refunds,” he wrote.

The prepaid card industry has been an indispensable tool of tax fraudsters for several years, and remains one of the favorite means of cashing out phony refunds — as well as the proceeds from a broad range of other cybercrime activity.

At a March 12, 2015 hearing on the tax refund fraud epidemic, Utah State Tax Commission Chairman John Valentine told the U.S. Senate Finance Committee that all of the suspicious returns it has seen so far this year had the direct deposit information changed from the previous year’s bank account to prepaid debit cards — often Green Dot brand debit cards.

Once the funds are transferred to such cards, they cannot easily be traced or recovered, a perfect vehicle to commit fraud,” Valentine told the panel. “Prepaid debit cards appear to be preferable to fraudsters because the identity thief doesn’t have to bother with banks, credit unions or check-cashing stores that may become suspicious when one person starts bringing in multiple tax refund checks to be cashed or deposited.”

Valentine said one problem his state ran into when trying to isolate filings involving prepaid cards was that there is currently no uniformity in numbering that distinguishes traditional checking and savings accounts from prepaid debit cards.

“For example, a prepaid reloadable debit card sold by Green Dot appears to be linked to a bank account even though the debit card had no actual checking or savings account associated with it,” he said in his prepared remarks (PDF). “A simple fix would be to require a different series, letter or additional numbers to distinguish these cards from cards connected to bank or credit union checking and savings accounts.”


Judging from his fraud forum postings, our tax scammer Peleus was having more luck filing bogus refund requests with both the IRS and the states in this year’s tax season, which appears to have started in mid- to late January for phony filers.

Peleus’ 2015 tax tips for fellow fraudsters center around which payment instruments and banks to use and which to avoid like the plague. Peleus said prepaids are great, but getting your phony refunds deposited in a Suntrust account remains the safest option, while certain banks — particularly Wells Fargo — are to be avoided like the plague.

“Wells Fargo is old news and sucks big time,” Peleus wrote in a January 14, 2015 post. “It is one of the strictest banks and I do not recommend it. Try and get Suntrust. If Suntrust works like last year, you should have 5-7 refunds per account easy. They don’t seem to give a fuck.”

Peleus and other fraudsters continue to report strong success filing phony tax refund requests through TurboTax, the largest of the online tax preparation services — with nearly 30 million customers. Peleus urges like-minded crooks to consider asking TurboTax to credit the fraudulent refund amount as an Amazon gift code, which is apparently all the rage this year:

“You don’t even need your own bank accounts, you can use company checking accounts from Google or checking accounts from your older spam,” Peleus enthuses. “Basically, you need just an email to receive the Amazon code. Sure, it’s hard to sell it on eBay or Craigslist, but it works and they never get blocked, so it’s safe money.”

[In case you missed my recent series on how lax security and adherence to “know-your-customer” basics at TurboTax has contributed to the tax fraud epidemic, check out these stories.]

While the states and the IRS are becoming more vigilant about filtering out phony refund requests, the fraudsters are clearly responding by upping the volume of bogus filings. At least, that’s according to our virtual Virgil of the tax underworld:

“People, the secret still stays in numbers, so file as many applications as you can,” Peleus advises his fraudster friends. “No matter how accurate your tax info is, if you fly under the radar with small refunds (e.g. the average US refund was $2400 last year) you will be making money. Stop asking for $9k per refund you should make 3 of 3k, more refunds is better. Next year it will be harder I am sure, but we will all be smarter and fewer.”


Given the amount of cyber fraud that is committed with the help of the anonymity afforded to prepaid card users,  the Utah State Tax Commissioner’s suggestion about requiring a unique identifier for prepaid card account numbers seems like a sound one. Certainly, the prepaid card and tax preparation industries can up their game. As I’ve noted in previous stories, both industries probably need more encouragement from federal lawmakers and/or regulators to proactively institute more robust and effective “know-your-customer” policies.

Even so, tax refund fraud is a complex problem, with many core weaknesses contributing to the overall epidemic. Not least of which is that the IRS is required to process refund requests within a very short period of receiving the filing. Very often, the IRS has to make this decision even before companies finish sending out W2 information.

In an August 2014 report to Congress on the tax refund fraud epidemic, the Government Accountability Office said that for 2014, the IRS informed taxpayers that it would generally issue refunds in less than 21 days after receiving a tax return — primarily because the IRS is required by law to pay interest if it takes longer than 45 days after the due date of the return to issue a refund.

According to a January 2015 GAO report (PDF), the IRS estimated it prevented $24.2 billion in fraudulent identity theft refunds in 2013.  Unfortunately, the IRS also paid $5.8 billion that year for refund requests later determined to be fraud. The GAO noted that because of the difficulties in knowing the amount of undetected fraud, the actual amount could far exceed those estimates.

Further reading:

What Tax Fraud Victims Can Do.

All KrebsOnSecurity stories about tax refund fraud.

Update, Mar. 26, 4:56 p.m. ET: A previous version of this story incorrectly stated that Green Dot was managed by GE Money Bank. The latter sold part of its pre-praid business (Wal-Mart Money Card) to Green Dot back in 2013.

41 thoughts on “Tax Fraud Advice, Straight from the Scammers

  1. packerman1975


    A colleague of mine recently received in the mail a Green Dot card. Her investigation revealed that she was the victim of a fraudulent tax return filed in her name. How does the scam work sending a Green Dot card to the victim’s address? Do they simply wait and hope the victim activates the card, and then they drain the card remotely?

    Thanks for your hard work!

    1. Jamie

      That seems like a mistake by a fraudster. I’d think the typical way to do it would be to buy a prepaid debit card at a brick & mortar POS location, using cash. Then direct funds to that card since they have possession of it.

      I’m glad the IRS is getting better at detecting fraud, but the billions of dollars getting through is still staggering. I hope they open up their Electronic Filing PIN for anyone’s voluntary use next year. At least that way I could feel like I was doing my part in this battle.

        1. Braben

          The E-Filing PIN provides no more protection against ID theft than using the previous year’s AGI, since the ID thief can easily get it from the web site you linked using information that is required anyway for filing the fraudulent return.

          You are probably thinking of the ID theft protection PIN, which is a different PIN. It is still only available to ID theft victims, unless you live in one of the few states where they are running a pilot project:

      1. Bill

        I remember in the early days of electronic filing, the IRS sent via USPS mail a PIN (6 digits IIRC) that you needed to use to sign your return.

        Now a fraudster can enter any rnadom number and that counts as your “signature.” Whiskey Tango Foxtrot??

        1. Jamie

          Yeah, that “self selected PIN” never made any sense to me. The Electronic Filing PIN is different, since it has to match the value recorded on IRS’s side in order for the tax return to be successfully filed and processed.

    2. buddhalite

      Same exact thing happened to my parents this year. They got a card from Green Dot and a week later found a refund had processed for one of them. I’ll have to check to see if they still have the card and have them check the balance.

      1. justme

        The thing is greendot does address verification so fraudster has to send to the real owner’s address and hope that the owner doesnt activate (Which of course wont happen, the owner never activates). He then goes ahead to spend the temp card at big box stores to buy apple items. Thats why you get those in the mail.

        1. nonegiven

          If they activate and transfer the balance to their bank account, can they recover the money or will it already be gone?

  2. Rob

    Fascinating material. Thank you for posting this!

  3. nicole armand

    On the use of debit cards for tax returns, for SS monthly checks; ect., the government knows they are very susceptible to fraud but they still insist on using them. It just doesn’t make any logical sense. They tried to force me to sign up for one but I repeatedly refused and they finally left me alone. I knew trying to get reimbursed for a stolen debit card could only be an experience of utter frustration.

  4. nov

    I don’t know: Suntrust may be in breach of federal “know-your-customer” policies, under newer anti-terriorism rules since 2000.

  5. BC

    In order to find out if someone had fraudulently obtained a STATE tax refund in your name, would that require you to check with all states (who have an income tax) individually or is that info obtainable in some central location (such as from the IRS)?

  6. Brian

    I think the state and federal governments should establish a fine for fraudulently filed returns. If TurboTax and the like had a disincentive to allow fraudulent returns to be filed (a fine for each fraudulent return they e-file), they would be more willing to make investments in fraud prevention. Today, they have very little incentive to increase security.

    The suggestion to improve the security at the bank transfer level is valid, but why only invest in securing the back door, when the front door is wide open?

    1. jim

      But, who would be liable for the fine on the filing? The mom and pop who filed or do you mean, the business who processed the transaction? Or the fraudelant bad guy, who never gets caught? The bad guys seem to hide so effectively under the limit of it costs too much to prosecute them, that its not worth it, but they ruin the lives of so many, so it would be up to mom and pop to pay the fine, unfortunately.

  7. Bart

    Doesn’t filing via snail mail with paper forms avoid all this?

    They aren’t creating bogus 1099s and so forth, are they?

    1. TErickson

      Bart – It’s not about how you file as it has no affect, the fraudsters are filing for you and convincing the IRS/State they are legit, getting the bogus return as the numbers they file are made up and run. Then you have to unravel the mess they make when you try to file for real. The only real defense for us is to try and beat them to the punch and file first.

      1. Rick Blaine

        Just make sure you OWE the IRS money each year. Let the crooks pay the IRS if they choose to do so which they won’t.

        1. timeless

          It doesn’t work this way.

          The crooks self report your income, and withholding, and deductibles. — all imaginary.

          The IRS won’t receive / correlate your employer reported pay until long after they were obligated to send out the refund. The IRS doesn’t seem to do much correlation between your previous years filing and your current filing either. (Unfortunately, you aren’t required to have the same employment details year after year, so they can’t use that as a check, and most other details are either public domain or leaked five times this year.)

          Well, at least that’s what historical fraud indicates.

          This year, it sounds like the fraudsters are having more success with similar scams against individual states’ IRS analogs.

    2. kelly

      The IRS does not have the resources to process all paper tax returns anymore. Service centers were downsized due to the increase in streamline e filing. The IRS should increase the time for processing so that they can verify income from w-2’s before sending refunds.

  8. TurboTax Fraud Victim #4482

    Brian Krebs: American Hero.

  9. Rick Blaine

    Another way to skin the cat is to make as best you can to OWE the IRS money at the end of the year (short of under with holding and penalties therefrom), thus avoiding the refund check altogether.

    A lot of people would not like the idea of owing money but this way you use your money all year until the IRS wants some of it.

    Agree with Bart, use a stamp to file if possible especially with sizable refunds.

    1. Tomi Olivia

      As others have indicated in previous posts, what you’re *supposed* to get back is of no consequence. The numbers entered are bogus. There is no (or very little) cross-referencing being done by state and/or feds. The return amount is fictitious. The refund amount is NOT.

      1. Bob Brown

        But, if you aren’t supposed to get anything back. then you don’t have to battle the IRS to get your own money back from them. file your return, pay the small amount you owe, and you’re done! Getting the bogus refund back is the IRS’s problem, not yours.

        1. Braben

          It’s not that simple since the IRS will reject your tax return if a fraudulent one has already been filed under your SSN. So you still have the hassle of rectifying the situation (proving that you are you etc.).

  10. Tomi Olivia

    My heart goes out to Peleus. A couple of evening’s worth of filing, and they only made ~$30K. Pretty soon, it’ll be more economical for them to get a real job (yeah, right).

  11. Mike

    Straight from the Scammers?

    as opposed to the scammers that create and maintain the tax system in the first place

    Who watches the watchers?

    1. Rick

      The ones who vote them in. The thieves just need to be exiled to Siberia.

    2. Link

      I agree with you completely. The IRS and all those that cooperate with it are scammers of the highest degree. These thieves are stealing stolen monies. It is not now, nor has it ever been a legitimate entity.

      Now don’t get me wrong, all the poor people of this once great land that are sucked into filing and having their funds stolen should not be further wronged by these hackers. We play their illegal game and they don’t even have the time to protect us? Go figure.

  12. Bruce Hobbs

    As a small business owner, I try to keep my EIN (nine digits like a SSN but in the form 00-0000000) secret similar to the way I try to keep my checking account number secret. I just did a Google search on EIN numbers similar to mine but didn’t get any hits.

  13. mbi

    I find it disingenuous of Dun & Bradstreet regarding EIN numbers. Its one thing to go searching for an EIN quite another for a company like D&B aggregating them for the use of crooks. Public information when aggregated should also be give additional security hurdles t0 get in bulk. They should get the same protections as other sensitive information and hackers.

  14. Pat Suwalski

    How the heck are the refunds so high? If the average federal refund is $2400 and the average state refund is $1600, that’s about $4000 in refunds.

    Here in Canada, you’d have to put in a metric boatload of money into registered retirement plans or other delayed-tax mechanisms. I would estimate at least $20K over the year for a $4K return.

    And that’s just the average? Does everyone get significantly source over-deducted?

    1. kelly

      It is the social welfare programs, that the IRS is force to manage, that result in refundable credits and equal big refunds.

      1. EstherD

        Can you support that with hard evidence, or are you merely regurgitating the usual conservative talk radio twaddle?

        Even if your statement is true, refundable tax credits probably have little, if anything, to do with the matter at hand, namely tax return fraud, especially at the state level.

        Remember that ALL of the income data the perps enter on the fraudulent returns are COMPLETELY FABRICATED. Claiming ANY of the common refundable tax credits, e.g. Earned Income Credit (EIC), Child Tax Credit (CTC), American Educational Opportunity Credit (AOC), on a fraudulent return would require a LOT MORE messing around in order to get the numbers to come out right and obtain a reasonable result. Moreover, EXTRA data would be required in many cases, such as a valid SSN for any dependents claimed (EIN and CTC), and a plausible 1098T for AOC.

        Much faster and easier for the perps to cobble up a W-2 that shows a substantial overpayment, claim that as a refund a 1040EZ, and DONE. Even more so for state returns, which typically offer fewer (and smaller) refundable tax credits than federal returns.

        1. ShaunM

          The tax credits from alternative sources are going to get attacked because the simple 1040EZ stuff is something that every scammer is going to try on a first go round, and the IRS internal security team knows it. But validating obscure farm credits probably hasn’t gotten as much attention.

  15. Lee Phillips

    Hah! Didn’t scam me for a refund, even though I used Turbo Tax. Peleus didn’t like my bank either (Wells Fargo). Nevertheless, I remain vigilant for these scumbags. No state income tax in Florida.

  16. Chuck Phipps

    The technology exists to defeat these thieves and it would be extremely cost-effective to implement. The real obstacle is that the IRS is underfunded and not allowed by Congress to change its antiquated rules.

    If the IRS would use even rudimentary KYC procedures, like all banks and prepaid issuers must use for account-openings, the majority of fraudulent refunds would never be sent out. If they used ALL the KYC procedures available and matched against their own historic data, practically 100% of tax refund fraud would be eliminated.

  17. Tammy

    The best way to prevent tax fraud is to do away with the IRS and let everyone start paying their own share through sales tax.

  18. Casey

    The ones saying beat them to the punch and file early or make sure you owe them money is no protection unless things have really have changed. I got audited because someone filed amended returns to and claimed “business expences” for the previous 3 years taking my income to 0, and in one year, which tiggered the audit, took 57k in deductions on 54k in income. These were from stolen retuns from an accountant I used. In some of the returns to bump up the returns the base numbers did not even match the originals.

    I would think that numbers made up on he fly could do the same thing

Comments are closed.