02
Jun 15

States Seek Better Mousetrap to Stop Tax Refund Fraud

With the 2014 tax filing season in the rearview mirror, state tax authorities are struggling to incorporate new approaches to identifying and stopping fraudulent tax refund requests, a $6 billion-a-year problem that’s hit many states particularly hard this year. But some states say they are encountering resistance to those efforts on nearly every front, from Uncle Sam to online tax vendors and from the myriad of financial firms that profit handsomely from processing phony tax refunds.

Cash Cow: Check out this primer on which companies are profiting from tax refund fraud.

Cash Cow: Click on the image above for a primer on how many companies are profiting from tax refund fraud.

Last week, the Internal Revenue Service (IRS) disclosed that thieves had stolen up to $50 million in phony refunds by pulling tax data on more than 100,000 Americans directly from the agency’s own Web site. The thieves were able to do this for the same reason that fraudsters are able to get away with filing and getting paid for bogus refunds: The IRS, the states and the tax preparation firms all try to authenticate filers based on static identifiers about the filer — such as birthdays and Social Security numbers, as well as answers to a handful of easily-guessed or researched “knowledge based-authentication” questions.

I spoke at length with several state tax commissioners about the size and scope of the tax refund fraud problem, and what the IRS and the states are doing to move beyond reliance on static identifiers to authenticate taxpayers. One of the state experts I spoke with was Julie Magee, commissioner of Alabama’s Department of Revenue.

Magee described her work on a new task force organized by the IRS aimed at finding solutions for reducing the tax refund fraud problem across the board. Magee is one of several folks working on a fraud and authentication working group within the IRS’s task force, which is trying to come to a consensus about ways to do a better job authenticating taxpayers and to improve security around online tax preparation services such as TurboTax.

Earlier this year, TurboTax briefly suspended the online filing of state tax returns after dozens of state revenue departments complained about a massive spike in fraudulent refund requests — many of which were tied back to hijacked or fraudulently-created TurboTax accounts.

One of those victimized in that scourge was Joe W. Garrett, — Magee’s deputy commissioner — who had a $7,700 fraudulent return filed in his name after thieves created a duplicate TurboTax account with his personal information.

Magee said her working group — one of three on the IRS’s task force — is populated by stakeholders with competing agendas.

“You have companies like Intuit that don’t want the government getting into the online tax preparation business, and then there are the bricks-and-mortar operations like Liberty and H&R Block that don’t want to see their businesses cannibalized by the do-it-yourself online firms like TurboTax,” Magee said. “And then we have the banking industry, which is making a fortune off of this whole problem. Right now, the only entities that are really losing out are states and the US Treasury.” (For a look at which companies stand to profit from fraudulent refunds, see this sidebar).

In February, KrebsOnSecurity published exclusive interviews with two former TurboTax security professionals who accused TurboTax of making millions of dollars knowingly processing state and federal tax refunds filed by identity thieves. Magee said Intuit — the company that owns TurboTax — came to the first two working group meetings with a plan to provide states with an anti-fraud screening mechanism similar to Apple Pay‘s “green/yellow/red path” program, which seeks to offer participating banks some idea of the relative likelihood that a given new customer is in fact a fraudster signing up in the name of an ID theft victim.

“The first two meetings, Intuit acted like they were leading the charge on this, and they were really amenable to everything,” Magee said. “They had come up with an idea that was very much like the red- yellow-green kind of thing, and they were asking us what data elements they should be looking at and sharing.” greenyellowred

According to the Alabama tax commissioner, that’s when the American Coalition for Taxpayer Rights (ACTR), a trade group representing the tax preparation firms, stepped in. “The lobbyist group put the kibosh on that idea. They basically said it’s not their right to be the police – that it should be the IRS or the states — but that they would be more than willing to send us the indicators and that we could use our own system to do the scoring,” Magee said. “The states aren’t hung up on getting some red, yellow, green type system. I think we’re more interested in making sure data elements we can use to make a score are passed on to us.”

Magee said ACTR also protested that tax prep firms like Intuit couldn’t legally share certain information about their customers with the states and the IRS. Representatives with ACTR did not respond to requests for comment. Intuit declined to be interviewed for this story.

“They threw up a red flag and basically said, ‘We can’t you pass that information because it’s protected by IRS code sections regarding taxpayer confidentiality issues,'” Magee recalled. “Thankfully, the IRS brought in their attorneys and the commissioner a few weeks ago and they said, ‘That’s bunk, you can most certainly send that information to us and to the states. So we won that battle.” So how will Alabama and other states process returns differently next year?

“On a high level, what we’ve determined as of this week is that — unless the lobbyists derail our efforts – we’re going to ask for different authentication measures on a new customer, and different on returning customer, and then we’re going to ask for whole bunch of data elements that we’re not getting now that will allow us to filter the returns on receipt and will allow us to put the returns in various buckets of scores for possible fraud.”

For example, one telltale sign of a fraudulent return is one that takes the filer a very short time to fill out.

“If someone takes two minutes or less to fill out a tax return, that’s pretty much fraud 100 percent of the time, because they’re just cutting and pasting information from somewhere else,”  said Magee’s deputy Garrett. “So we said, okay, send us information about how long it takes them to fill out a return.”

Magee said there are a number of other data elements that the tax preparation firms could share about the way its customers file refund requests that would be helpful in separating legitimate returns from those filed by fraudsters.

“The states and the IRS are really trying to figure out what other data elements about customers is reasonable to ask of the software vendors in terms of helping us screen suspicious returns,” Magee said. “But end of the day, the best thing they can do for us is avoid account takeovers and to authenticate that it’s not a criminal setting up the account, that it’s a legitimate taxpayer.”

Garrett said the states believe they have some power to drive change because the states ultimately get to decide whether or not they accept a tax return filed through an electronic tax preparation firm.

“We get to choose whether or not we accept returns from vendor or not, but we have not exercised that choice in the past,” Garrett said. “What we’re going to do this is say let’s make sure that not only does the return have all the right data filled out in all the right fields, but let’s make sure you doing certain things on customer authentication as well.”

Magee said regardless of what happens with the IRS task force, her state will be requiring more from tax preparation firms in the coming months.

“Every summer we provide software vendors with file format that they must program into their systems, and usually the changes have to do with new laws or new tax structure,” Magee said. “But this year, that’s also going to include security measures. Ultimately, our goal is to deter people from using information on Alabama residents to file fraudulent tax returns. Then we could actually get back to the type of tax administration we’re used to, which is catching plain old tax cheats.”

One final note: The U.S. Senate Homeland Security and Governmental Affairs Committee is set to hold hearings today about the IRS transcript problem mentioned at the top of this piece. When I broke the news about this fraud back in March, I did so by telling the nightmarish story of Michael Kasper, a taxpayer who reached out after discovering he’d been victimized by tax fraud and that someone had pulled his tax transcript after creating an account at the IRS’s site using his personal information. Kasper is set to testify before the committee today. (Update: Watch a recorded version of today’s hearing here).

There’s also been a minor update on Kasper’s tax fraud case. In my original report, I noted that Kasper had tracked down a local woman who’d willingly or unwittingly helped fraudsters funnel the money from Kasper’s fraudulent IRS refund to scammers in Nigeria. That individual, a woman named Isha Sesay, declined my requests for an interview at the time. But on May 29, the Williamsport, Pa. police department posted a notice on their Facebook page about a standing warrant for her arrest: According to Kasper, she is also wanted for helping to funnel refund fraud money from an ID theft victim in South Dakota.

This is significant because these so-called “money mules” so seldom get prosecuted or held accountable for the very critical role that they play in these fraud schemes. UPDATE: A notice posted to the police department’s Facebook page states that Sesay has been arrested.

Tags: , , , , , , , , , , , ,

57 comments

  1. The IRS Hacked by Intuit Employees.
    Intuit QuickBooks for desktop and QB Online are not secure, any hacker can access any sensitive information.
    and this video is the real reason behind Intuit Tax Fraud story.
    https://www.youtube.com/watch?v=BL3BzoAFnKw

  2. This is part of how things are meant to work. When the government at the federal level fails, the government at the state level kicks in. This is happening regarding other areas of American life as well.

    This is an interesting topic to follow because it just might be the determining factor in whether or not we get online voting.

  3. We need a W-2 to file. Employers send in similar to tax agencies. Compare these items electronicly! What else do we need?

    Ole.

    • Not possible under present law. While employers must send W-2s (usually on paper) to employees by the end of January, they have till the end of March to send them to the government electronically. Even worse, they go to Social Security first; the IRS never sees them till well after tax season is over. I agree that is part of the solution, but to do that Congress will have to change the whole W-2 system; that will cost both employers and taxpayers billions, maybe trillions.

  4. as Whitfield Diffie pointed out so well in his testimony for NewEgg v TQP : For network based commerce we need a way to sign digital documents such that the signature can be presented and recognized in public and at the same time can only be produced by the proper owner.

    Fortunately the math for this has already been done and incorporated into a product called Public Key Encryption or “PGP” for short. Available from Symantec as “PGP” in various versions and also open source as the Gnu Privacy Guard or GnuPG . Version 2.1 of GnuPG will be supporting Eliptic Curve technology as well as the earlier prime numbers method

    In PGP we generate both a PUBLIC key and a PRIVATE key. The user keeps the PRIVATE key and uses it to sign or authenticate documents — any sort of documents can be signed.

    The PUBLIC key is required to RECOGNIZE — to prove the validity of — the signatures the user produces using the PRIVATE key. This parallels the older pen&ink method and operates in a digital network environment.

    An important task then is to make sure that the validity — proper owner — of the PUBLIC keys can be confirmed.

    What we need to do is add key verification as a service provided by Credit Unions and Banks. These organizations have to verify identity already as part of their regular processing. These institutions are available to us all in or regular course of business. All we need to do then is to take our PUBLIC key on a thumb drive to the Credit Union — which will then verify it and upload it to the KEYSERVER

    Once that’s done we’re ready to use PGP to authenticate documents of any sort but particularly 1040s and such . eMails too.

    Intuit and HR Block need to incorporate PGP into their tax product as packaged technology for us so it’s easy for everyone to use.

    and the IRS needs to be instructed by Congress to incorporate this into their process: Customers must be allowed to tell the IRS they wish to use PGP to sign their forms. After that the IRS must not accept an un-signed form — or one with a bad signature.

    This isn’t rocket science. Everything to set this up is available .

    Security is a RESPONSIBILITY

    • Umm a thousand people walking into the banks with USB sticks, how much malware is one bank gonna recieve? Two wrongs never make a right.

      ole.

    • This sounds like a great plan, in theory. The practicality of it, though, not so much. Financial institutions are businesses (even credit unions) and also regulated by FDIC/NCUA which insist on risk management. Some do it better than others, but they would look at this plan from a business and a risk standpoint. Asking your customer/member base to bring in a public encryption key on a USB drive is a huge “NOPE” both from a customer service and risk standpoint. It’s too technical for most people; then there is the risk of malware- not just being given to the FI on the USB stick, but many people’s computers are already compromised so the keys would be useless. Then there’s the financial cost- would it really save the FI any money? Doubtful. Maybe for a couple institutions. The money is actually probably better spent helping the customer deal with situations after they arise than preventative measures.

      • > USB Sticks

        Implantable RFID.

        ;p

      • needmorecoffee

        The problem isn’t the cryptography of the system, it’s securing all the endpoints, whether digital or otherwise. At some point, the key gets read; where does the cryptography get done? On a hardwired chip on a reader? What happens when someone makes a cheaper software application? Who enforces that standard?

        The solution in my book is real, real simple.

        Use Cash.

        Problem is, that makes the spine of many bankers tingle in fear. Plus Law enforcement and the tax men love debit and credit cards, it makes it so easy to tell who has purchased what and when, and how much tax they owe, with a simple subpoena.

        The Russians know this, that is why they do what they do. This is a political war.

    • 1. @ole login is right.
      2. Some of us don’t remember our own mother’s birth day. Many of us also can’t remember where we last put our glasses (even when they’re on top of our head).
      3. Many US citizens/residents don’t have banks.
      4. Of those with banks, many don’t have safety deposit boxes — https://www.bostonglobe.com/business/2014/03/08/the-disappearing-allure-safe-deposit-box/HvwkPkvAUtoo8329bZrKsM/story.html — 45% of safe deposit boxes in the country are empty today. Only 6% of bank customers rent a safe deposit box, and 1/3 of those customers are over 65…
      5. 46% of Americans have a passport (that’s way up due to relatively recent US changes to the Canada/Mexico border reentry rules). 18% of Americans 20-24 don’t have a driver’s license. (“Among Americans ages 20 to 24 in 1983, nearly 92 percent had driver’s licenses. Twenty-five years later, it was 82 percent.”) “Twenty-five percent of African-American voting-age citizens have no current government-issued photo ID, compared to eight percent of white voting-age citizens” (dated, 2006). Around 2‰ of the US population is homeless (very rounded, sorry).

      Asking people to retain something that they will use once a year is asking them to lose it.

      There’s a cost involved in any technology. Issuing an ID involves establishing proof that someone is that someone. Then there’s the need for that person to retain that ID. Then you have to deal with the fact that people will lose that ID and need to have it reissued.

      The USA can’t go around tattooing the ID onto people (Germany did that, and people are forever scared by that).

      fwiw, I was issued a national photo ID which was a valid PKI container (the passcode was sent separately) by a small country. I lost the passcode before I received the ID. I never got around to visiting a police station to reset it (and from memory, they could do that, because they realized that such things would happen).

      PGP/GPG is interesting, but it’s really the wrong approach. If you’re going to do this, you might as well use normal PKI — other countries do. But, realize that there are costs involved in all of this.

      • I’d say that all of the corner-case individuals you mention are not likely to file taxes anyway.

    • Intuit and HR Block need to incorporate PGP into their tax product as packaged technology for us so it’s easy for everyone to use.

      and the IRS needs to be instructed by Congress to incorporate this into their process:

      While it is a laudable goal, however the IRS’ budget has been severely cut for the FY2016 which makes it harder for the agency to be proactive.
      I have filed via HR Block and they do provide authentication on two areas: PIN that is accepted by the IRS and prior years’ AGI to be entered before submitting it for processing. Adding that, I use my bank info because I don’t want anything on a prepaid card even though they pushed for it.

  5. The on record w-2, works for the first refund, but is usually good for the first refund, which is Jan 29tth, you and I usually file in Feb/mar, maybe, there should be no refunds paid till after all the returns are processed. Then compared and investigated. Durn, there would go my spring trip to the beaches.

  6. Simple solution – Just don’t start returning refunds until a couple of weeks after returns are due (Apr 15th) – by that point the IRS or state agencies would be able to pinpoint all the duplicates and delay payment on those until they are resolved – this would drive a stake through the heart of this problem for the most part. JMHO…

    It’s a joke this has gone on so long with no resolution.

    • Thank Congress.

      This is because congressional representatives bowed to lobbyists who wanted tax refunds to be done very very fast. So there’s a regulation that requires the IRS to process refunds w/in a certain number of days (and there are penalties on the IRS if they fail).

  7. re: Mike~acker – do you **really** want to trust the big credit reporting agencies with stewardship of your public PGP key? You do know the’ve all been penetrated, right? And KrebsonSecurity documented how Experian sold our personal information to shady characters a couple years ago.

    and re: Sasparilla – don’t send refunds until sometime after April 15. Think that through. What about the family barely able to make it. They file taxes in Feb. and look forward to that refund to catch up on bills. Now they have to wait 1-2 months longer?

    Seems to me, the key is good authentication during submission. And hard-nosed enforcement.

    – Greg Scott

    • do you **really** want to trust the big credit reporting agencies with stewardship of your public PGP key?

      facepalm

      Public keys are public — they’re supposed to be shared with the world. It’s the private keys that you don’t want them to have.

      The use of GnuPG or TLS certificates to authenticate and encrypt sensitive information shared with the IRS is a good idea that should be implemented.

      • While I agree with the premise, it has to be easy enough for Grandma and Grandpa Kettle to be able to do it. As soon as you make a system easy enough for the lowest common denominator, you end up with SS numbers and fraud.

      • You’re missing the point.

        While we don’t have many reports of people performing writes into databases, we have many reports of sites being compromised and running untrusted third party code. Currently there’s sufficient value in merely exflitrating databases as opposed to modifying them in situ.

        Imagine that a reporting agency holds your “official” PGP key. And someone compromises that agency or a linked trusted party and replaces your PGP key. Then they perform a tax refund operation. They could even go back later and restore your key if they felt like it.

        Note that any database that would hold such a directory will need to support write operations, for at least “new people”, “new immigrants”, and “I lost my ID, please give me a new one, thanks”.

    • Here is a better idea. Have the government stop taking taxes out of each paycheck, and like property taxes, send them the exact money owed once or twice a year. Stop letting the government use our money for 13-16 months. If the government wasn’t taking in and using our money before giving it back to us as a ‘refund’, there would be no financial gain to be had by filing fraudulently.

      • If you don’t want the government to “use your money for 13-16 months”, simply use a W-4 to adjust your withholding such that you don’t overpay. The IRS even has a handy calculator for that.

        But of course none of this would solve the problem of fraudulent tax returns, unless to want to prohibit the IRS and local tax authorities from returning overpaid taxes to the tax payer. If you don’t, the crooks will always be able to construct a tax return that results in a refund.

        What is really needed is (1) a secure authentication system for online transactions, (2) a “know your customer” regulation for tax preparation companies, and (3) requiring businesses to file W-2 and 1099 earlier, so the tax authorities have time to verify the data from the tax returns (today businesses are allowed to submit them as late as March 31st).

        As for (1), issuing Identity Protection PINs for everybody would be a good step (it’s currently limited to ID theft victims and tax payers in FL, GA, and DC). In the long run, something like a secure electronic signature is required.

      • Change your withholding so you always owe the state & feds a little money at tax time. Then you get the equivalent of your current refund check spread out over the previous year.

  8. While on the subject of Intuit….

    Post wipe/reload repair, customer asked me to install new version of QB. In this case, the cloud version of QB.

    Ran the CD and clicked “Help” to figure out next step (not intuitive, BTW) and this screen popped up.

    Yes, it’s another version of the tech-support scams going around. But this one has Intuits name on it. Check the Chrome tab. Good job, Intuit.

    https://www.dropbox.com/s/e5upliogj71zq8l/20150507_135850.jpg?dl=0

    (Hopefully Dropbox will allow you to view)

    • > Yes, it’s another version of the tech-support scams going around. …

      Oh wow – I saw something similar just yesterday with a customer having problems with his Yahoo mail. We submitted a community support question and within seconds, several answers came back about calling a similar tech support number. Like a total dork, I even called one of them. Hey Brian – how the tech support scammers glom onto help inquiries might make a good article.

  9. Brian – where is the sidebar mentioned in the article?

  10. I like how the Feds are blaming everyone but themselves. As Brian pointed out in a previous article, the IRS sends refunds via cash cards. They also send multiple refunds to the same account. If you stop the cash card refunds and sending refunds to the same account, it will force the scammers to try other methods. But it would cut down the fraud. If a person has a legimate reason to have multiple refunds go to the same account, they can fill out a form and explain why to the IRS.

    • Unfortunately, the people most likely to want their refunds on cash cards, other than fraudsters, are people who don’t have bank accounts and the bulk of their refund comes from the Earned Income Credit. I hate to think how much a fee a check cashing company would charge for a $4K refund check.

    • For the record the IRS does not issue refund via cash card, they send a check to you. To save time, they suggest using bank information to send you the refund. The fraudster get a card issued so they can put the money in it using the information so it goes to their account rather than the normal bank info.

  11. Quote from article:

    “You have companies like Intuit that don’t want the government getting into the online tax preparation business, and then there are the bricks-and-mortar operations like Liberty and H&R Block that don’t want to see their businesses cannibalized by the do-it-yourself online firms like TurboTax,” Magee said. “And then we have the banking industry, which is making a fortune off of this whole problem.

    I am one of the much “reviled” bankers and I would like to ask Julie Magee how the bank’s are making money off of this problem? We aren’t causing this problem at least not Community Banks which are stuck in the middle as usual.

    • Since no one seems to want to answer you, let me give it a shot. I’m guessing she’s referring to the various transaction fees for withdrawing funds from the cash cards.

  12. So, what would be so hard about using the changed routing number of the depository bank as a trigger to verify? Then validate by comparing the Employer W2 to what is entered on the return. Seems so logical and simple to fix.

    • The IRS doesn’t have *any* employer W-2s till well after April 15. Employers have till March 31 to e-file W-2s, and even then they go to Social Security first; they only flow from SSA to IRS in big batches months later. (Remember, both SSA & IRS still use 1960’s software for a lot of their functions.)

  13. If the tax preparers, Quickbooks etc, were liable for fraudulent returns, you can bet that their validation measures would become effective real fast.

  14. yes should an there way to stop these kind of frauds going to day by day happening and creating bad impact in people livings.

  15. Magee said. “And then we have the banking industry, which is making a fortune off of this whole problem. Right now, the only entities that are really losing out are states and the US Treasury.”

    No Magee you have it wrong… Right now, the only entity that is losing out is the tax payer.

  16. re: RBBRittain
    > The IRS doesn’t have *any* employer W-2s till well after
    > April 15.

    Not so. I’m a one employee company and I have to have W2s done by Jan. 31. Part of the process is sending copies to the state and fed.

    But maybe that points the way to a partial solution. For people who want direct deposit – what about putting in a bank acct. number field on the W2? The tax form bank acct. number needs to match the bank acct. number from the W2 for the direct deposit to happen. I can see an army of programmers working day and night to implement something like that. But the concept might be worth looking into.

    re: stvs
    > Public keys are public — they’re supposed to be shared with
    > the world.

    Good point. Duh! I still don’t trust the credit reporting agencies and I worry they would find a way to mess it up somehow. Is that just me being paranoid? LOL – I just now realized what facepalm means.

  17. Do away with the IRS, go to a flat tax rate and voila’ no more fraudulent returns.

    • I’ll support that.

    • Since the top have the vast majority of all money the flat tax would only have to be 40% on everyone to get enough to matter. Great idea to bankrupt the entire country.

    • It won’t work, there will always be a IRS to catch cheaters filing tax return. Having a flat tax or sales tax would make things far more tough because largely they rest on several assumptions that they explain away. You should read a conservative economist Bruce Bartlet’s take on this.

  18. Simple way to stop these fraudulent tax filings. Make the processor 100% liable for identity fraud. Suddenly they’ll beef up what they require for filers to supply.

    Intuit/Quicken does home loans as well. You’ll never hear about them getting defrauded. No wonder why, it is their own money they would be out if they gave it to a crook.

  19. itsmeitsmeitsddp

    How about a flat tax and eliminate tax filings all together? That would eliminate the need for an irs as big as it is by about 90 percent and companies like intuit and hr block would shrink dramatically. No need for ssn online through the irs anymore so no more attack vector to pull that info by the bad guys. I do understand that there are some downsides but that would eliminate the fraudulent filings completely.

    • A flat tax is very bad for the poor. Roughly 40% of the US pays no Federal Income tax after all deductions. They would in your system.

      Also people with high medical bills or other legitimate tax deductions would lose out.

      Also a flat tax can still result in too much money being witheld. E.g. selfemployed that have to do a refund to a customer or payed too much estimate tax as their profit turned out lower.

      The tax deductions are not the issue. It is that we insist on not using exclusively named checks or deposit in verified bank accounts only, but allow fraudulent systems like debit cards or for crying out loud, Amazon gift cards for tax refunds.

    • A flat tax might simplify filing, but it wouldn’t eliminate it. It wouldn’t eliminate fraud, it would just simplify it.

  20. So the government is fining companies that have security breaches, who fines them government when they have a breach?

  21. The State and Feds should stop sending refunds and send checks instead to the local Post Office. The can send a note to the taxpayer to pick it up with proper ID. The Post Office needs something to do and use the extra revenue. Billions will be saved which means taxpayers don’t have to make up the lose. The Post Office used to deliver checks and its going back to a more secure method. Face it, have we gained much by electronic transfer of refund checks as its turned out to be an expensive and growing cost to do it for little convenience?

  22. The real problem is this: Authenticating with 100% certainty the real-world identity.

    I don’t know what we should do…

    Estonia issued a crypto-based card:
    http://www.economist.com/news/international/21605923-national-identity-scheme-goes-global-estonia-takes-plunge

    South Korea’s attempt at a national ID card has not gone well:

    https://nakedsecurity.sophos.com/2014/10/15/south-korean-id-system-faces-overhauls-following-10-years-of-data-thefts/

    http://calladus.blogspot.com/2010/04/our-new-national-id-card-or-not.html

  23. Folks- You realize the fraudsters are submitting fake W-2 forms also…

    I don’t understand why the IRS gives away last year’s 1040, W-2s, etc.

  24. Let’s make the tax preparer liable for fraud. If an online tax site or software maker is used, make them pay back the government for any fraud. Then they will find a secure and effective method quickly.

    My preference is to allow tax payers to directly send their tax forms to the governments with PGP.

  25. Since the refunds are fraudulent, the government should retrieve all the fees that these income tax processors have gained. Once the corporations realize that they will be losing money then they will make more efforts to authenticate the people who are claiming income tax refunds.
    Maybe there should be an administrative penalty for firms which aid income tax fraud.
    It should not be a big imposition to require government issued ID for people using an income tax firm. The government should be willing to issue photo ID cards cheaply. They do in Ontario.

    • Ontario and ID cards do not mix well. How many old red-and-white health cards are still out there, and more importantly, used fraudulently?

  26. read_and_discuss

    Interesting comments. As someone who formerly worked in area of refund fraud prevention at the state level I am hoping I can shed some light on a few things that don’t seem to be common knowledge to the readers here.

    A few states have already implemented advanced refund fraud programs. These programs prevent fraud by doing some basic things that *really* should be done anyway. Without getting too much into the details they do things like:
    – Check the current year return against last year. This allows you to flag things like additional dependents or (as suggested above) “did their bank account or payment information change?”,etc. Once flagged the return gets manually reviewed or the taxpayer gets sent a letter (more on that later)
    – Check credits and deductions for sanity
    – Validate return information against other state information (drivers license data, wage data, etc)
    – Other behind the scenes checks for data sanity

    If any fraud is detected the taxpayer is first sent a letter. This letter can usually be responded to online. It asks them to answer questions similar to those answered when opening a new line of credit (what cars have you owned, what loans have you taken out and for how much, etc).

    The balance that needs to be struck is between making it too expensive or difficult for fraudsters but still not wildly inconvenient for honest taxpayers.

    The other important thing to note about the above program implemented by a few states is that it is *extremely* flexible. As in: if a department of revenue sees a new trend in fraud or gets a tip from another state they can act and implement a block for it within the week usually. In the case of a data breach at a tax preparer a block can be implemented nearly overnight.

    My point is: good solutions for many types of fraud exist but are not implemented by states yet. Write to your state representatives. Seriously.

    To those individuals suggesting that the state not pay returns until X date, or until X happens: this usually isn’t possible. Not only do even small delays in refunds get taxpayers riled up, but in some cases there is legislation in place that makes departments liable for interest on that refund if it is not given to the taxpayer within a certain timeframe (varies by state). After all: it is the taxpayer’s money that the state is holding (think: interest-free loan from the taxpayer to the state.. angers a lot of people). Typically angry taxpayer voices translate very quickly into action/non-action at agencies that have such a large public facing side like departments of revenue.

    What *would* be fantastic and go a very long way in helping to advance these programs is, as RBBBrittain suggested, to have employers file their W2s before March 31st. Even having just that addition data to validate an incoming return against helps tremendously. A common tactic right now, as many victims of tax fraud find, is for fraudsters to file a return before the actual taxpayer and get their refund first. With no employer W2 data (among other things obviously) this is very tough to fight against and could be prevented in many cases with that simple change imho.

  27. BTW the Credit Freeze also protects you against the IRS Transcript fraud as they use Equifax to validate who you are and since there is a freeze, i was denied registering when this story broke, i tried it…

  28. Reasonable Citizen

    Turbo Tax is a criminal organization headed by a common law criminal.

    As a society, let’s stop supporting the criminals running criminal organizations.

    There should be laws on the book to pass the cost of this massive fraud back to the criminal organizations that facilitate such criminal fraud.

    Once they are bankrupt, we need to pass laws so that criminal acts do not get repeated.

    Let’s kick criminals like Scott Cook to the curb, or better yet, into the jail house.