When identity thieves filed a phony $7,700 tax refund request in the name of Joe Garrett, Alabama’s deputy tax commissioner, they didn’t get all of the money they requested. A portion of the cash went to more than a half dozen U.S. companies that each grab a slice of the fraudulent refund, including banks, payment processing firms, tax preparation companies and e-commerce giants.
When tax scammers file a fraudulent refund request, they usually take advantage of a process called a refund transfer. That allows the third party firm that helped prepare and process the return for filing (e.g. TurboTax) to get paid for their services by deducting the amount of their fee from the refund. Effectively, this lets identity thieves avoid paying a dime to TurboTax or other providers for processing the return.
In Garrett’s case, as with no doubt countless other fraudulent returns filed this year, the thieves requested that the return be deposited into a prepaid debit card account, which they could then use as a regular debit card to pay for goods and services, and/or use at ATMs to withdraw the ill-gotten gains in cash.
What’s more, the crooks asked the government to deposit $2,000 of the $7,700 they applied for in his name to an Amazon gift card ($2,000 is the maximum allowed under the Amazon gift card program). This is just another way for thieves to hedge their bets in case the debit card to which the majority of the stolen funds is sent gets canceled.
“There are so many people making money off of electronic transfer of funds, it’s ridiculous,” said Julie Magee, Garrett’s boss and commissioner of Alabama’s Department of Revenue. “Five different financial institutions touched the fraudulent refund they filed in Joe’s name before it went to the thieves.”
Garrett explained that his refund went from the U.S. Treasury to an account at Sunrise Banks of St. Paul, Minn. controlled by Santa Barbara Tax Products Group (TPG), which is a subsidiary of Greendot — the world’s largest prepaid card issuer (the other bank authorized to handle refund transfers is Citizens Banking Company of Sandusky, OH).
As TPG explains on its site, the company is integrated as the tax refund processing and settlement engine for 4 out of the 6 leading consumer online and in-person tax preparation companies. Additionally, TPG’s services are integrated into the offerings of the nation’s leading tax software companies, which, together, enable TPG to serve nearly 25,000 independent tax preparers and accountants nationwide. In the most recent tax season, TPG processed approximately $32 billion in tax refunds on behalf of approximately 11 million U.S. tax filers.
When the money was deposited into the Sunrise account, TPG extracted three fees: $35 for handling the federal refund, $10 for state refunds and a $10 fee for TurboTax (since thieves had used TurboTax to fraudulently file his request).
Another $2,000 from the refund was diverted to an Amazon gift card. For thieves, diverting some of the funds to Amazon hedges their bets in case somehow the prepaid card that receives the bulk of the funds gets canceled by authorities cracking down on tax return fraud. These gift cards also are easily resold for cash.
“For Amazon, it guarantees a flow of future purchases in the Amazon system, and potentially generates more profit as consumers often forget to use all the value on their gift cards,” Garrett said.
The prepaid debit card which thieves used to receive most of the phony refund filed in Garrett’s name is operated by Rush Card and JPM Chase Bank. Rush Card charges a one-time card fee of between $3.95 – $9.95, and a monthly fee ranging from $5.95 – $7.95. Each time the thieves went to an ATM to pull out cash from the card, Rush Card charged an additional $1 fee.
So, tax refund fraud is clearly lucrative for a great many companies. But how long before Congress or states turn this cash cow out to pasture? Joe Garrett’s boss — Alabama’s Revenue Department Commissioner Julie Magee — said she’s not holding her breath.
“This is a bit like regulatory whack a mole, and very difficult to track down who’s getting what,” she said. “This has been a driver of why it’s so lucrative; because it shifts so easy for thieves to get the money off the card as soon as it hits the account.”
This story was published as a complement to another piece on tax fraud, available here. Stay tuned later this week for an interview with another state tax official on ways to crack down on tax refund fraud.
Amazon was also adding an additional 10% of the refund amount to their gift cards this Spring – to entice tax software users to apply refunds to an Amazon gift card.
A minor detail: Amazon doesn’t (or didn’t) limit the amount used for an Amazon gift card to $2,000. I got an Amazon gift card for more than that from my refund this year. Plus, they added 10% so that if you used $100 of your refund for an Amazon gift card, the gift card value was $110. That’s what makes it attractive to taxpayers, especially those who regularly shop on Amazon.
In Canada there is very little of this type of fraud. We get our refunds by cheque or direct deposit to our bank account – that’s it.
Eliminate the prepaid debit cards and gift cards and most of your problem will be dealt with. If a citizen cannot take a direct deposit to their bank account, they can cash a cheque in their own name.
It’s as if they want fraud to continue.
Unfortunately, that wouldn’t fix the situation. These “pre-paid” debit cards can be directly deposited to, just as a bank. They each have their own routing and account numbers.
Surely it wouldn’t be a bank account in the taxpayer’s name, though – or would it?
The idea behind the debit cards is to enable people who can’t afford checking accounts to get their refunds. I’m not sure why every FDIC insured bank wouldn’t cash a refund check for free, but they won’t, I guess?
Tax refund fraud could be virtually eliminated if Congress mandated (and provided the funding) for the IRS to 1) Apply the same identity and address verifications that banks are required to use; 2) Apply two-party authentication of filed returns before remitting refunds; 3) Implement data matching by SSN, address, and past activity; and 4) Use data analytics with machine learning to catch fraudulent patterns. All of this is basic technology that is readily and commercially available today.
No legitimate players in the tax prep, prepaid, or banking industries want to abet fraud, and all have bent over backwards to mitigate it. But the problem is that the laws that govern the IRS make it too easy to steal from the Treasury, and Congressional action is the only way to fix it.
I’m curious… is that 77,000 number a misprint, or did they really get away with that much money?
It’s just unbelievable to me. It really is.
Obviously, I didn’t catch the part where you mentioned, $7,700 a few paragraphs later.
Anyway. Still. That’s a lot of money 😛
Simple way to stop these fraudulent tax filings. Make the processor 100% liable for identity fraud. Suddenly they’ll beef up what they require for filers to supply.
The IRS needs to stop this by only allowing refunds into bank accounts either savings or checking.
And if you can’t afford a checking account, you’re not allowed to receive your refund?
I think this system could be helped if banks would cash the checks for free even if the payee didn’t have an account there.
It’s 2015, bank accounts are not that expensive. And else, yes, just accept the fee for cashing the check. No need to hold a nation hostage because some people don’t have bank accounts.
These people will be cashing their paychecks (or disability/unemployment/retirement/customer payments when self-employed/etc) as well for a fee, so why would this check be different?
Since it’s the government that has the money (that you only gave them grudgingly), they should operate refund centers. If you don’t have bank accounts, you go to a refund center. They ID you, photograph you and record your fingerprints, then you get the money in cash. If it turns out to be fraud, they are well on their way to arrest you.
Yes, I find it hard to believe that reverting to only mailing paper checks could result in more expense and inconvenience than result by allowing thieves to direct electronic payments. The mailing address seems like one of the things they should be checking anyway, so it’d seem like the thieves would have to be staking out mailboxes, waiting for checks to be delivered to the rightful recipients, in order to intercept them, which seems a lot harder work than money-muling.
Of course, I could be wrong, as I’ve never undertaken to send out a few dozen million checks via US mail.
This happened to me this year. At first I thought it was TurboTax. Now I think it was when the IRS was hacked. They tried to efile multiple times on 2/14 and were rejected. They then filed on 2/17 and it was accepted. I filed on 2/21 and found out it was already filed. Nothing the IRS could do. They already paid my refund out. I am still waiting for my refund.
I’m sorry, this happened to my parents as well. They’re retired and it’s been a real hardship. They filed in late January but the scammer filed in early January. They still don’t have their refund.
No intentions on making this political, and I have very little insight into this proposal, but cut everyone out with a flat tax or something similar. With very few refunds all this BS goes away. I despise doing my taxes and wait till the last minute every year even when I know I am getting a large refund. This makes me more vulnerable to these asses that steal refunds. Even though I am not a person who would use all these “conveniences” like putting it on a debit card etc, I still feed the beast because I pay someone to do my taxes, I lose interest and dividends because I fear putting in less and having to pay later. When I did my own taxes I had to pay turbo tax. One year I had quite a mess on my hands when the company that does our payroll screwed up my w2 and I filed not knowing. I would rather just pay a set percentage and never get anything back again. In the long run the saved time and money would add up to something quite considerable I am sure.
Or how about no income taxes under $100k, would work just as well and not stick the poor with an oversized burden they already can’t afford. Double the taxes over 10 million a year and triple capital gains and we might even get rid of the national debt.
Heh. If only.
We could take ALL the income and ALL the wealth of the top 10%… and it would hardly touch the debt.
The problem is way bigger than that.
Everyone needs to contribute. Plus, we need to greatly reduce the mandatory benefits that go out. We simply can’t afford hundreds of trillions of dollars worth of benefits.
Today: the gov’t already owes more than $50,000 on behalf of every single person in the US including babies. And they already are committed to spending another $250,000+ on your behalf… MORE than any amount in taxes they anticipate collecting. (That’s the meaning of “unfunded liability” — they have promised to pay but have no idea how to collect it.)
Let that sink in for a bit… How do you plan to pay your current $50,000 debt, let alone the $250,000 future debt on your behalf?
My question about all of this is – we see some rather hefty refunds in the articles Brian writes, as well as in other articles out in the wild.
One would think the IRS would have a clue on how to stop most of these in their tracks.
If a refund amount is significantly above the previous year(s) amount, it should have a minor flag. If the address has changed in the last year, it should pop up an additional flag. If method of payment and/or contact information has changed, then….well, you get the idea.
Unfortunately, we don’t get to see the inner workings of the IRS fraud department and how they work. I am sure in order for a crook to be caught with the goods, they have to finish the illegal transactions and use some of the money that’s involved in order to be prosecuted. That’s a shame, since allowing this to happen creates a ton of paperwork to be filed, and then the victims’ PII/IRS data needs to get straightened out.
Electronic deposit information should be locked to one account, and in order to change it, you need a one time PIN that arrives at your address of record. These PINs are in those privacy envelopes with tear tabs. They are electronically produced, and it can significantly reduce the amount of people who handle these, and may wish to do something nefarious with them. Want to change your address of record…guess what, same thing, a new PIN is generated and mailed to your house and then you can make the necessary changes just to that particular area in your IRS account. If you need to make a massive change to your IRS account, it requires the person to call in and make changes after receiving a PIN card in the mail.
This would thwart most issues with the hijacking of IRS accounts, but, it doesn’t fix the rash of insider threats that have been found in the IRS.
Nothing is perfect, but the old ways of handling information have to change to negate any sort of repeat offenses. Making the bad guys jump through hoops and they will probably find another means of fraud to do.
The IRS and Feds have been cracking down a lot on income tax fraud, but there are a lot of people out there that want to risk it all for a small pot of gold. Over time, these glaring issues usually get seen, and it eventually will catch up with them.
I don’t understand the thinking process behind all of this. If a single person is caught and they know information on others, any communication type device will probably be under the microscope. If that’s not enough, the sole person will take the fall for some crook who alerted the Feds since they were out of bounds on a refund, or sent too many refunds to the same post office box or street address, and they get arrested. A lot of them quickly sober up when they face all the charges solo, and may wish to strike a deal – or are forced into one. Eventually most people in the ring are rounded up. They go from a very temporary high life to orange and bars. They do probation or time and thus are branded untrustworthy. The best job they will probably ever manage is flipping burgers for the rest of their life. BUT, they get out of jail, having had a taste of that easy money and guess what, they probably won’t be flipping burgers for a living. They may revert right back to what they were doing just prior to their arrest. This time they may be a little bit smarter on how they cover their tracks and who they involve.
Changing the process will make the process hard for the crooks, and a mild inconvenience for the consumers that require change. In the end, they can wait 3-4 days to make a mild change and jump through hoops, or 3-4+ months and a wad of paperwork to mop up a PII incident.
Though the PIN strategy may not be the best answer, something has to be put in place to keep the all-inclusive online changes from happening.
Is Greendot really still not matching ACH deposit metadata to the card account name? All the other prepaid cards started doing this years ago, including Rush Card, so the thieves couldn’t send dozens of refunds to a single card anymore. Forcing the thieves to get a new card for each refund, so the card name matches the refund name, makes the fraud a lot less profitable and more risky, because the thieves have to buy a new physical mailing address for every single prepaid card.
Shame on Greendot if they still aren’t doing this basic security check. The IRS already sends all the necessary information in the ACH transaction itself.
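The check the comment above describes, comparing the payee name carried in each ACH entry with the name on the card account, as an added Python example (not part of the original comment and not any card issuer's code). It assumes the standard 94-character NACHA entry detail layout; the account numbers, names, zeroed routing digits and the two-shared-tokens matching rule are constructed for illustration.

```python
import re
from collections import defaultdict

def parse_entry_detail(line):
    """Slice a 94-character NACHA entry detail record (record type 6)."""
    if len(line) != 94 or line[0] != "6":
        raise ValueError("not a 94-character entry detail record")
    return {
        "transaction_code": line[1:3],      # 22 = credit to a checking-type account
        "account": line[12:29].strip(),     # DFI account number, positions 13-29
        "amount_cents": int(line[29:39]),   # positions 30-39
        "name": line[54:76].strip(),        # individual name, positions 55-76
        "trace": line[79:94],               # trace number, positions 80-94
    }

def name_tokens(name):
    """Upper-case, drop punctuation, keep tokens longer than one letter."""
    return {t for t in re.sub(r"[^A-Z ]", " ", name.upper()).split() if len(t) > 1}

def names_match(ach_name, cardholder_name):
    """Assumed rule: at least two shared tokens (first and last name, any order)."""
    return len(name_tokens(ach_name) & name_tokens(cardholder_name)) >= 2

def review_deposits(records, cardholders, max_names_per_card=1):
    """Return (decisions, flagged_cards).

    decisions: one (trace, action, reason) tuple per entry; mismatches are held.
    flagged_cards: accounts that received deposits under more payee names
    than max_names_per_card, the many-refunds-to-one-card pattern.
    """
    payees = defaultdict(set)
    decisions = []
    for line in records:
        entry = parse_entry_detail(line)
        payees[entry["account"]].add(frozenset(name_tokens(entry["name"])))
        holder = cardholders.get(entry["account"])
        if holder is None:
            reason = "unknown account"
        elif not names_match(entry["name"], holder):
            reason = "payee name does not match cardholder"
        else:
            reason = None
        decisions.append((entry["trace"], "hold" if reason else "post", reason))
    flagged = sorted(a for a, names in payees.items() if len(names) > max_names_per_card)
    return decisions, flagged

def make_entry(account, amount_cents, name, seq):
    """Build a constructed credit entry for the demo (routing digits are zeros)."""
    return ("6" + "22" + "00000000" + "0" + account.ljust(17) + f"{amount_cents:010d}"
            + " " * 15 + name[:22].ljust(22) + "  " + "0" + f"00000000{seq:07d}")

# Constructed sample data: two card accounts and four incoming refund credits.
CARDHOLDERS = {"4000000001": "Alex Sample", "4000000002": "Pat Example"}
SAMPLE_RECORDS = [
    make_entry("4000000001", 770000, "SAMPLE ALEX", 1),
    make_entry("4000000002", 310000, "JORDAN DOE", 2),
    make_entry("4000000002", 280000, "CASEY ROE", 3),
    make_entry("4999999999", 150000, "PAT EXAMPLE", 4),
]

if __name__ == "__main__":
    decisions, flagged = review_deposits(SAMPLE_RECORDS, CARDHOLDERS)
    for trace, action, reason in decisions:
        print(trace, action, reason or "")
    print("cards with multiple payee names:", flagged)
```
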
Our ATMs were used as a payout terminal to a group of crooks. They used other-bank prepaid debit cards, which does generate fee income for us. Called the banks the cards were drawn on, most would not talk to me. Those that did ended up just being one stop in the chain of transactions transferring the money from card to card to make it untraceable. Worked with the Police, but with no one that had suffered a loss to come forward, there was no legal steps for them to take against the individuals. They knew every one of the people at the ATM, and their addresses, but nothing they could do besides knock on the door and ask them to stop it.
EMV cards may help slow this type of fraud down, but they will figure out ways to keep doing it, such as tax return fraud.
It is truly amazing that we allow direct deposit to a prepaid card. We are just asking to be defrauded.
Anyone can afford a checking or a savings account. They are practically free.
Banks have more regulations to follow than the IRS does – and the government loves to hold the banks’ feet to the fire for the smallest of infractions – even if unintentional.
Direct deposit to checking and savings only!
http://krebsonsecurity.com/2015/06/phony-tax-refunds-a-cash-cow-for-everyone/comment-page-1/#comment-382754
Prepaid debit cards are often not named accounts and hence can easily be distinguished from normal (“real”) ones by the banks/companies handling these transactions.
Now they can be named in some cases, but in that case the issuing company will ask you for additional data. That may in some cases be no issue for a crook considering he has enough data for tax fraud, except:
– some of these companies ask for drivers licenses etc.
– crook will have to open a unique debit card for each fraud.
– these prepaid debit card companies will smell something is fishy when multiple accounts under multiple names are opened on single or very limited addresses.
– protections like credit monitoring, SSN locks or fraud alerts will make life harder for these crooks as these accounts often are ‘part of the system’.
– these prepaid debit card companies will be much more visible as co-operating with crooks if they allow the named (as opposed to unnamed) prepaid cards to be used in mass for tax fraud and generally despite popular belief don’t like that too much as that will put them under legal investigations.
So no, restricting prepaid debit cards and gift cards does help.
As I write this I am watching the “breaking news” on CNN reporting that PII on 4,000,000 federal employees has now been stolen from the federal Office of Personnel Management. The thinking at this time is that the bad actors are from China. Both of my children will be affected, so my family has some skin in this game.
What would be the down side to requiring that all social security numbers be cancelled and reissued to all Americans? The up side is obviously that the SSN’s are being used now as a data match point somewhere for identity info. and reissuing the numbers would negate the utility of fraudsters using the old numbers for new uses such as opening bank accounts or applying for loans or credit. The hacker data files brick. Another up side is that by starting over, the government could more tightly regulate how the numbers are used, and limit that use to banks, investment firms, employers and the IRS, as it should be now.
The primary down side would be that there would be a certain amount of chaos as people got their new numbers, but if the new numbers were submitted already to the banks, employers, etc., that people documented 1099s and W2s from in the last tax year, that would help the average citizen make the transition. (If a person skipped filing their taxes, they deserve a little bit of grief, IMO.) The appropriate banks would be sent secure correspondence indicating that SSN 123456789 is now 234567890, for example, and hopefully that master list of changes will be kept on secure servers which are completely unplugged from the internet. The banks will have to change their match points, but that can be done because they’ll have the key. If a legitimate financial institution or employer is NOT notified by the government of the change, individuals will have to provide the new number as requested.
Am I way out in left field here, or could this work? What are the other factors that speak against this solution? It’s understood that it will be a massive headache to notify Americans of their new numbers, but there is probably a workaround which might even include setting up temporary offices in banks or libraries where people show up to get their numbers provided, after proof of identity is submitted to a (gulp) live human being. If we do nothing but wail and gnash our teeth nothing will be accomplished.
I have been saying for some time that our inattention to security is bound to lead to an economic Armageddon. I hope I’m wrong but there’s smoke on the horizon.
This isn’t so bad as it seems. It is nearly impossible to pull off nowadays there are so many checks, verifications, and security alerts…. Almost impossible to pull off.
Yup, I’ve tried it. Socks5, VPNs, SSN’s and correct DOB get you nowhere. It’s a huge amount of effort, guessing the income or call the IRS and pretend? Get the income wrong and it’s off, get the wrong amount for the previous year and it’s off… etc..
This is alarmist.
I tried many many times with no success. Onion darknet sites all claim to have tutorials, but they don’t work. Bottom line is they’ve closed the loopholes massively, making it difficult for even the average citizen to accomplish it, let alone someone else. Most requests to deposit it to a Turbotax card get cancelled according to reports on the darknet. You need the physical check mailed to an address, and who wants to go pick it up in person?
Seriously people, relax. The IRS is overstating the problem. The average to excellent hacker can’t do it. Usually it’s Russian syndicates or an insider at the SSN administration or IRS etc..
You need too much information, including the Efile pin, last year’s returns (who has that anyway?) real employer, credit report, SAME address as before… etc.
It’s a dead… end… street for most aspiring and experienced hackers.
Sorry!