With the 2014 tax filing season in the rearview mirror, state tax authorities are struggling to incorporate new approaches to identifying and stopping fraudulent tax refund requests, a $6 billion-a-year problem that’s hit many states particularly hard this year. But some states say they are encountering resistance to those efforts on nearly every front, from Uncle Sam to online tax vendors and from the myriad of financial firms that profit handsomely from processing phony tax refunds.
Last week, the Internal Revenue Service (IRS) disclosed that thieves had stolen up to $50 million in phony refunds by pulling tax data on more than 100,000 Americans directly from the agency’s own Web site. The thieves were able to do this for the same reason that fraudsters are able to get away with filing and getting paid for bogus refunds: The IRS, the states and the tax preparation firms all try to authenticate filers based on static identifiers about the filer — such as birthdays and Social Security numbers, as well as answers to a handful of easily-guessed or researched “knowledge based-authentication” questions.
I spoke at length with several state tax commissioners about the size and scope of the tax refund fraud problem, and what the IRS and the states are doing to move beyond reliance on static identifiers to authenticate taxpayers. One of the state experts I spoke with was Julie Magee, commissioner of Alabama’s Department of Revenue.
Magee described her work on a new task force organized by the IRS aimed at finding solutions for reducing the tax refund fraud problem across the board. Magee is one of several folks working on a fraud and authentication working group within the IRS’s task force, which is trying to come to a consensus about ways to do a better job authenticating taxpayers and to improve security around online tax preparation services such as TurboTax.
Earlier this year, TurboTax briefly suspended the online filing of state tax returns after dozens of state revenue departments complained about a massive spike in fraudulent refund requests — many of which were tied back to hijacked or fraudulently-created TurboTax accounts.
One of those victimized in that scourge was Joe W. Garrett, — Magee’s deputy commissioner — who had a $7,700 fraudulent return filed in his name after thieves created a duplicate TurboTax account with his personal information.
Magee said her working group — one of three on the IRS’s task force — is populated by stakeholders with competing agendas.
“You have companies like Intuit that don’t want the government getting into the online tax preparation business, and then there are the bricks-and-mortar operations like Liberty and H&R Block that don’t want to see their businesses cannibalized by the do-it-yourself online firms like TurboTax,” Magee said. “And then we have the banking industry, which is making a fortune off of this whole problem. Right now, the only entities that are really losing out are states and the US Treasury.” (For a look at which companies stand to profit from fraudulent refunds, see this sidebar).
In February, KrebsOnSecurity published exclusive interviews with two former TurboTax security professionals who accused TurboTax of making millions of dollars knowingly processing state and federal tax refunds filed by identity thieves. Magee said Intuit — the company that owns TurboTax — came to the first two working group meetings with a plan to provide states with an anti-fraud screening mechanism similar to Apple Pay‘s “green/yellow/red path” program, which seeks to offer participating banks some idea of the relative likelihood that a given new customer is in fact a fraudster signing up in the name of an ID theft victim.
“The first two meetings, Intuit acted like they were leading the charge on this, and they were really amenable to everything,” Magee said. “They had come up with an idea that was very much like the red- yellow-green kind of thing, and they were asking us what data elements they should be looking at and sharing.”
According to the Alabama tax commissioner, that’s when the American Coalition for Taxpayer Rights (ACTR), a trade group representing the tax preparation firms, stepped in. “The lobbyist group put the kibosh on that idea. They basically said it’s not their right to be the police – that it should be the IRS or the states — but that they would be more than willing to send us the indicators and that we could use our own system to do the scoring,” Magee said. “The states aren’t hung up on getting some red, yellow, green type system. I think we’re more interested in making sure data elements we can use to make a score are passed on to us.”
Magee said ACTR also protested that tax prep firms like Intuit couldn’t legally share certain information about their customers with the states and the IRS. Representatives with ACTR did not respond to requests for comment. Intuit declined to be interviewed for this story.
“They threw up a red flag and basically said, ‘We can’t you pass that information because it’s protected by IRS code sections regarding taxpayer confidentiality issues,'” Magee recalled. “Thankfully, the IRS brought in their attorneys and the commissioner a few weeks ago and they said, ‘That’s bunk, you can most certainly send that information to us and to the states. So we won that battle.” So how will Alabama and other states process returns differently next year?
“On a high level, what we’ve determined as of this week is that — unless the lobbyists derail our efforts – we’re going to ask for different authentication measures on a new customer, and different on returning customer, and then we’re going to ask for whole bunch of data elements that we’re not getting now that will allow us to filter the returns on receipt and will allow us to put the returns in various buckets of scores for possible fraud.”
For example, one telltale sign of a fraudulent return is one that takes the filer a very short time to fill out.
“If someone takes two minutes or less to fill out a tax return, that’s pretty much fraud 100 percent of the time, because they’re just cutting and pasting information from somewhere else,” said Magee’s deputy Garrett. “So we said, okay, send us information about how long it takes them to fill out a return.”
Magee said there are a number of other data elements that the tax preparation firms could share about the way its customers file refund requests that would be helpful in separating legitimate returns from those filed by fraudsters.
“The states and the IRS are really trying to figure out what other data elements about customers is reasonable to ask of the software vendors in terms of helping us screen suspicious returns,” Magee said. “But end of the day, the best thing they can do for us is avoid account takeovers and to authenticate that it’s not a criminal setting up the account, that it’s a legitimate taxpayer.”
Garrett said the states believe they have some power to drive change because the states ultimately get to decide whether or not they accept a tax return filed through an electronic tax preparation firm.
“We get to choose whether or not we accept returns from vendor or not, but we have not exercised that choice in the past,” Garrett said. “What we’re going to do this is say let’s make sure that not only does the return have all the right data filled out in all the right fields, but let’s make sure you doing certain things on customer authentication as well.”
Magee said regardless of what happens with the IRS task force, her state will be requiring more from tax preparation firms in the coming months.
“Every summer we provide software vendors with file format that they must program into their systems, and usually the changes have to do with new laws or new tax structure,” Magee said. “But this year, that’s also going to include security measures. Ultimately, our goal is to deter people from using information on Alabama residents to file fraudulent tax returns. Then we could actually get back to the type of tax administration we’re used to, which is catching plain old tax cheats.”
One final note: The U.S. Senate Homeland Security and Governmental Affairs Committee is set to hold hearings today about the IRS transcript problem mentioned at the top of this piece. When I broke the news about this fraud back in March, I did so by telling the nightmarish story of Michael Kasper, a taxpayer who reached out after discovering he’d been victimized by tax fraud and that someone had pulled his tax transcript after creating an account at the IRS’s site using his personal information. Kasper is set to testify before the committee today. (Update: Watch a recorded version of today’s hearing here).
There’s also been a minor update on Kasper’s tax fraud case. In my original report, I noted that Kasper had tracked down a local woman who’d willingly or unwittingly helped fraudsters funnel the money from Kasper’s fraudulent IRS refund to scammers in Nigeria. That individual, a woman named Isha Sesay, declined my requests for an interview at the time. But on May 29, the Williamsport, Pa. police department posted a notice on their Facebook page about a standing warrant for her arrest: According to Kasper, she is also wanted for helping to funnel refund fraud money from an ID theft victim in South Dakota.
This is significant because these so-called “money mules” so seldom get prosecuted or held accountable for the very critical role that they play in these fraud schemes. UPDATE: A notice posted to the police department’s Facebook page states that Sesay has been arrested.