March 24, 2016

Many U.S. citizens are bound to experience delays in getting their tax returns processed this year, thanks largely to more stringent controls enacted by Uncle Sam and the states to block fraudulent tax refund requests filed by identity thieves. A steady drip of corporate data breaches involving phished employee W-2 information is adding to the backlog, as is an apparent mass adoption by ID thieves of professional tax services for processing large numbers of phony refund requests.

According to data released this week by anti-fraud company iovation, the Internal Revenue Service is taking up to three times longer to review 2015 tax returns compared to past years.

Julie Magee, commissioner of Alabama’s Department of Revenue, said much of the delay this year at the state level is likely due to new “fraud filters” the states have put in place with Gentax, a return processing and auditing system used by about half of U.S. state revenue departments. If the states can’t outright deny a suspicious refund request, they’ll very often deny the requested electronic bank deposit and issue a paper check to the taxpayer’s known address instead.

“Many states decided they weren’t going to start paying refunds until March 1, and on our side we’ve been using all our internal fraud resources and tools to analyze the tax return before we even put it in the queue,” Magee said. “That’s delaying refunds nationwide for the IRS and the states, and it’s pretty much going to also mean a helluva lot of paper checks are going out this year.”

The added fraud filters that states are employing take advantage of data elements shared for the first time this tax season by the major online tax preparation firms such as TurboTax. The filters look for patterns known to be associated with phony refund requests, such as how quickly the return was filed, or whether the same Internet address was seen completing multiple returns.

Magee said some of the states have been adding new fraud filters nearly every time they learn of another big breach involving large numbers of stolen or phished employee W2 data, a huge problem this tax season that is forcing dozens of companies large and small to disclose data breaches over the past few weeks.

“Every time we turn around getting a phone call about another breach,” Magee said. “Because of all the different breaches, the states and the IRS have been taking extreme measures to filter, filter, filter. And each time we’d get news of an additional breach, we’d start over, reprogram our fraud filters, and re-assess those returns that were not processed fully yet and those waiting to be processed.”

Magee said the Gentax software assigns each tax return a score for “wage confidence” and “identity confidence,” and that usually fraudulent tax refund requests have high wage confidence but low — if any — identity confidence. That’s because the fraudsters are filing refund requests on taxpayers for whom they already have stolen W2 information. The identity confidence in these cases is low often because the fraudsters are asking to have the money electronically deposited into an account that can’t be directly tied to the taxpayer, or they have incorrectly supplied some of the victim’s data.

“I have zero confidence that filings which match this pattern are legitimate,” Magee said. “It’s early still, but our new filtering system seems to be working. But it’s still a big unknown about the percentage of fraudulent refunds we’re not stopping.”
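The filter signals described above (filing speed, one Internet address completing multiple returns, and high wage confidence paired with low identity confidence) can be sketched as a simple rule set. This is an added illustration, not Gentax code or anything from the states: the field names, the 0-to-1 score scale, the thresholds and the sample returns are all assumptions constructed for the example.

```python
from collections import Counter
from dataclasses import dataclass

# All thresholds below are hypothetical; the article gives no numeric cut-offs.
MIN_SECONDS_TO_COMPLETE = 600   # faster than this counts as "filed too quickly"
MAX_RETURNS_PER_IP = 2          # more than this from one address is suspicious
HIGH_WAGE_CONFIDENCE = 0.8
LOW_IDENTITY_CONFIDENCE = 0.3


@dataclass
class TaxReturn:
    return_id: str
    source_ip: str
    seconds_to_complete: int
    wage_confidence: float      # 0.0-1.0: do wage figures match the W-2 on file?
    identity_confidence: float  # 0.0-1.0: can filer/deposit account be tied to the taxpayer?


def score_returns(returns):
    """Return {return_id: (action, [reasons])} for a batch of returns."""
    per_ip = Counter(r.source_ip for r in returns)
    decisions = {}
    for r in returns:
        reasons = []
        if r.seconds_to_complete < MIN_SECONDS_TO_COMPLETE:
            reasons.append("completed_too_quickly")
        if per_ip[r.source_ip] > MAX_RETURNS_PER_IP:
            reasons.append("shared_source_ip")
        # Stolen W-2 data yields accurate wages but a weak link to the taxpayer.
        stolen_w2_pattern = (
            r.wage_confidence >= HIGH_WAGE_CONFIDENCE
            and r.identity_confidence <= LOW_IDENTITY_CONFIDENCE
        )
        if stolen_w2_pattern:
            reasons.append("high_wage_low_identity")

        if stolen_w2_pattern:
            action = "hold_for_review"
        elif reasons:
            # Suspicious but not deniable: refuse the electronic deposit and
            # mail a paper check to the taxpayer's known address instead.
            action = "paper_check"
        else:
            action = "direct_deposit"
        decisions[r.return_id] = (action, reasons)
    return decisions


# Constructed sample batch (documentation-range IP addresses, made-up scores).
SAMPLE_RETURNS = [
    TaxReturn("R1", "198.51.100.7", 2400, 0.90, 0.90),
    TaxReturn("R2", "192.0.2.10", 180, 0.95, 0.10),
    TaxReturn("R3", "192.0.2.10", 200, 0.90, 0.20),
    TaxReturn("R4", "192.0.2.10", 1500, 0.85, 0.70),
    TaxReturn("R5", "203.0.113.5", 3000, 0.40, 0.90),
]

if __name__ == "__main__":
    for rid, (action, reasons) in score_returns(SAMPLE_RETURNS).items():
        print(rid, action, ", ".join(reasons) or "-")
```

Because the shared-address count is computed per batch, each newly disclosed breach would mean re-running the whole queue, which matches the reprocessing Magee describes.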


Most states didn’t start processing returns until after March 1, which is exactly when a flood of data breaches related to phished employee W2 data began washing up. As KrebsOnSecurity first warned in mid-February, thieves have been sending targeted phishing emails to human resources and finance employees at countless organizations, spoofing a message from the CEO requesting all employee W2’s in PDF format.

In Magee’s own state, W2 phishers hauled in tax data on an estimated 180 employees of ISCO Industries in Huntsville, and some 425 employees at the EWTN Global Catholic Network in Irondale, Ala. But those are just the ones that have been made public. Magee’s office only learned of those breaches after employees at the affected organizations reached out to journalists who then wrote about the compromises.

Over the past week, KrebsOnSecurity similarly has heard from employees at a broad range of organizations that appear to have fallen victim to W2 phishing scams, including some 28,000 employees of the market research giant Kantar Group; 17,000+ employees of Sprouts Farmer’s Market; call center software provider Aspect; computer backup software maker Acronis; Kids Dental Kare in Los Angeles; Century Fence, a fencing company in Wisconsin; Nation’s Lending Corporation, a mortgage lending firm in Independence, Ohio; QTI Group, a Wisconsin-based human resources consulting company; and the jousting-and-feasting entertainment company Medieval Times.


Magee said Alabama and other states are dealing with a huge spike this year in fraudulent refund requests filed via criminals who use online software firms that specialize in selling e-filing services to tax professionals.

According to Magee, crooks first register with the IRS as “electronic return originators.” EROs are typically accountants or tax preparation firms authorized by the IRS to prepare and transmit tax returns for people and companies electronically. Magee said thieves have been registering as EROs and then buying tax preparation software and services from firms like PETZ Enterprises to push through large numbers of phony refund requests.

“The biggest move [in refund fraud] this year is in the so-called ‘professional services applications,’ which are being flagged in high rates this year for fraud,” Magee said. “And that’s not just Alabama. A great number of other states are seeing the same thing. We have always had fraud in that area, but we’re seeing significantly higher rates of fraud there now.”

Magee said tax software prep firms should be required to conduct more due diligence on their clients.

“In the state of Alabama, you need a license to cut someone’s hair, to be a barber or a cosmetologist, but anyone can become a tax preparation professional with no certification at all,” Magee said. “The software firms are where all the fraud is going now. The criminal becomes an ERO, and then he can just sit there all day and file an unlimited number of fraudulent returns.”

PETZ did not respond to requests for comment. But Stephen Ryan, a lobbyist for the industry group American Coalition for Taxpayer Rights, said states are free to regulate tax providers as they see fit.

“If there are facts that demonstrate there is a problem such as is being alleged about unscrupulous local preparers using professional software they license, the state certainly has the sovereign authority to prosecute or regulate this,” Ryan said. “If a specific source of fraud or crimes is being locally committed, that’s a pretty easy enforcement target to focus upon. And in the unlikely case a state doesn’t have that authority, they can seek it from their legislature.”

Look for additional stories in the coming days as part of a series on tax refund fraud in 2016. Next week, I’ll take a closer look at how thieves are exploiting know-your-customer weaknesses in the prepaid card industry to launder the proceeds from refund fraud and other schemes.

28 thoughts on “Phishing Victims Muddle Tax Fraud Fight”

  1. Gnecht

    So tax refund fraudsters are going IRS ERO?

    Getting the IRS Electronic Return Originator registration involves getting fingerprinted by police or professional service, and getting background checks for criminal history, credit history, and tax compliance.

    IRS Publication 3112, e-file Application and Participation

    I would have expected that process would weed out more criminals than it appears to be doing. Any ideas on how the IRS could improve it?

  2. OOooMoment

    Why oh Why don’t the treasury depts. in States and the FED just offer a DUAL-FACTOR authentication option? The tax payer provides their cell phone number and provider name. When the treasury system is ready to deposit the tax return they can verify the tax payer’s cell number with the cellular company’s active number database, text the account # the deposit is destined to and request a yes or no answer. Phone companies have been authorizing wired services this way for decades. Similar to reverse look-up for email for those non-Telco types.

    1. Joebob2000

      Dual factor??? Hahaha I would be happy with single factor! As it is, auth via SSN and some wage data (two numbers that are only slightly hard to obtain, impossible to control if exposed, and very easy to fraud in bulk) counts as ZERO factor auth. But yes the long term solution is one and probably more REAL ways of identity authentication. That or just scratch the whole “income tax refund” crap and get taxes sorted out as they are earned, not a year later (but that’s a pipe dream)

      1. Gnecht

        Get taxes sorted out as they are earned? That’s what IRS Form W-4 and payroll withholding try to do, for employees.

    2. Gnecht

      What about people who don’t or can’t use text messages? The IRS has to deal with people who don’t have bank accounts, let alone cell phones and texting capabilities.

      1. null

        Do the easy ones first, people haven’t moved, people who haven’t changed their phone number, people with small refunds, people with accounts at big banks that could verify, etc, etc.

        It is Not difficult to change withholdings, if people need the money that bad they can do that. Or just wait until their information is verified.

  3. Joebob2000

    Could the benefit of electronic deposit possibly be outweighing the fraud risk to E-filing at this point? If you have to send a paper check, even if the fraudster manages to switch addresses, leaves a real trail to go after. If they are being electronically deposited (probably even via mules and/or hacked accounts) the money is pretty much gone without a trace. The IRS and state governments need to start going back to paper until they can figure out a more credible authentication method than knowing a SSN and a W2 income number.

    1. Anonymous Cow

      Not so much electronic deposit as the electronic filing. AFAIK all the problems involved those who electronically filed their returns; I’ve yet to hear of any problems from those who snail-mailed paper returns.

      1. Bob

        This is incorrect. Filing a paper return will not protect you. Even if you file a paper return, a fraudster could have already filed an electronic return using your ID. Your paper return will get held up while they investigate.

  4. OOooMoment

    … OMG the IRS went to electronic because they couldn’t secure the old hard mail paper check process. Must be too much chlorine in the water… no one in this country seems to have a memory ;-/

    1. null

      That is Not what I remember. They added direct deposit as a convenience to taxpayers and last I heard just about 70% of refunds are direct deposited. So faster And safer.

  5. Tom R.

    I just got a letter from the IRS stating that some UNSUB had attempted to file a fraudulent tax return using my name and SSN. The letter went on to state that “the attempt had been unsuccessful.” Now I’m stuck with the rather large job of reporting this fraud attempt to the police, one of the credit reporting companies and all of the financial institutions with which I have accounts so as to establish a paper trail to protect myself in the event my data is used to perpetuate a crime. Oh, joy. The biggest unanswered question here is where did the fraudster(s) get my SSN? The security department at my main bank told me we’ll probably never know. I know it wasn’t from me because I never respond to phishing emails.

    1. null

      Do you have a freeze on your credit report? Do you check your credit reports annually?

  6. To tomR

    they got from Zionist 😉 are you happy now, you ain’t do nothing about coz you got no power and if you rebel or riot then army and police will take you down ,

  7. Interesting

    It is interesting that Firefox tells me that this security website has parts that are not secure.

  8. Mark

    I prepare my own taxes. On a Windows XP box dedicated to the purpose. It is in a locked building with no internet connection, wireless, etc. I output the tax return to a floppy disk (!) which is carried to a likewise dedicated WIN98 box in the same building for printing (printer won’t run on XP). Both machines are wiped clean and restored afterwards. I do have to buy a new ink cartridge every year since the old one dries out and clogs.

    The printed return is mailed via registered mail. Oh, and no financial institution I deal with has my email address and I don’t do ANY online banking.

    My tin-foil hat size is 7 3/8. Nobody has ever hacked my financial info from my end of the equation. Or, despite the 10-20 emails a week needing me to confirm my account credentials at 10-20 different banks I’ve never heard of, I’ve never been successfully phished.

    Now, where’d I put that tin foil hat… it’s been good to me.

  9. David M

    Guaranteed 100% way to eliminate ALL fraudulent tax refunds (other than my favorite — get rid of income tax and switch to a consumption tax collected at the time of sale). Eliminate all refunds, period. Instead, the tax payer gets a credit for the next year’s taxes owed (no money changes hands, only a credit with the government’s tax office).

    It could take the form of no taxes withheld after April 15th until the refund was consumed. Or another line of taxes paid at the next filing year. Or whatever.

    The only time this would not work is when a person would never owe any more taxes. Those few (lucky) people could be handled in person at the local IRS office.

    1. Stephen

      @David M. The consumption tax has some great drawbacks, so it should not be a favorite of anyone other than the rich.
      A consumption tax effectively taxes the low to middle class the most. Those who earn their low to middle income, and spend most of it, and do not save money.
      The top 5% of money earners control 95% of all money. These high earners are called ‘rich’ because they have a lot of money IN their accounts, not because they spend a lot of money. A consumption tax neglects to tax all the money they keep in banks, invest in stocks, bonds, acquire other companies, etc.; none of that money would provide income to the government, and the rich person’s effective tax rate would be very low.
      A consumption tax could lead to everyone paying 3 to 5 times higher sales tax than current. People complain about our current 8-10% state and local sales tax; what will they do when there’s an additional 40-60% federal tax on top of local sales taxes?????

      I think that large refunds, say over $500 should be guarded more carefully. Allow the tax payer to have that large refund credited towards the next year, so their paycheck deductions would be lowered, so they get the money in their employer paychecks. If they choose or no longer work for a typical job with paychecks, then they can go to a local IRS office or other government office equipped to be able to identify them physically. Such as verifying that they look like the picture the MVD, Passport, etc. has on file (not whatever possibly fake ID the person brings with them) along with matching fingerprints on file.

      The system doesn’t have to be fully bullet proof in preventing possible fraud, but make it hard enough that the fraudsters will use a different avenue.

  10. Regret

    I’d suggest reducing your withholding so you aren’t due a refund. Penalties for small underpayment are negligible; you only have to be disciplined enough to have a savings reserve to cover taxes owed by the following April.

  11. Bracket Creep

    David M is right. The only way to eliminate this problem is to go to a consumption tax. We’ve introduced a huge amount of individuals to the tax system and for basically no other reason than to claim credits they are entitled to. This is the result of decades of disguised spending through the tax code. It costs a ton of money for IRS to serve these taxpayers – making sure they understand their filing obligations, which credits they are entitled to, and resolving account issues. They require assistance from the pre-filing state of tax administration all the way through post-filing. These costs are virtually gone in a consumption tax system.

    People suggesting that taxpayers adjust their withholding to reduce the likelihood of a refund are missing the point. The thieves have zero idea (before Get Transcript) whether or not the real taxpayer has a history of balance dues or refunds and quite frankly it doesn’t matter. They will make up whatever information generates a large refund. The current strategy of “file before the thief does” does not work in an environment where information returns are not being issued timely. It forces the taxpayer to either wait or file a potentially inaccurate return.

    1. Stephen

      @Bracket Creep The suggestion that people adjust their withholding to lower refund still has merit. While it does not protect an individual from tax refund fraud now; if enough people get withholding right, the median and mean refunds will drop. If large refunds are not typical, then the IRS can afford more authentication and scrutiny to those large refunds. Right now, there are so many people who get thousands of dollars in refunds every year that the IRS treats a $10,000 refund as just a typical refund in the sea of refunds.

      I would think many people work in the same job for more than one year. Any year, someone is earning about the same as the previous year, they should set their withholding to a specific dollar amount to minimize the potential refund.
      I know the W-4 claiming 1-10 deduction crap is terrible for setting withholding. I really wish I could just set a dollar amount, then I could get more of my money during the year rather than being forced to wait for a refund.

      We need enough people to get their withholding right so that any refund over $500 sets off red flags for the IRS because it’s above typical. A lot fewer fraudsters will bother with tax fraud if only $500 refunds can fly under the radar and additional scrutiny.

      1. Bracket Creep

        @Stephen – you are assuming that refunds are the result of having taxes being overwithheld. Prior to the 1970’s that would have mostly been true as the IRS has always structured the withholding table to create a refund as it encourages the filing of a tax return. However, the emergence of refundable tax credits over the last 20-30 years better describes the current refund environment. Now, people with economic situations that historically did not require them to file tax returns now do so primarily to claim refundable tax credits. Low-income filers are generally filing tax returns to claim the Earned Income Tax Credit (started in 1975). Additionally, the refundability of the Additional Child Tax Credit (started in the late 1990s) creates refund situations even when the withholding is right on the money. In 2011, the IRS paid out $99.1 billion in refundable tax credits.

        The average amount of a tax refund will always change because of changes in tax laws and personal situations so it’s difficult to do any historical analysis of IRS refund data and come to a helpful conclusion. It’s more helpful to look at the percentage of refunds that are the result of refundable tax credits.

  12. John Clark

    I received an email from an individual claiming to be an HR recruiter a couple of weeks ago. The individual said he had a job in my professional field and in my local region (he acquired my resume info from LinkedIn or Indeed). The individual’s email domain matched the website that he provided a link to. Doing a little quick search led me to believe that he is a scammer who has contacted others with the goal of getting a hold of victim’s social security number and date of birth.

    More than likely this scammer has been collecting SSNs so he could file false return to steal refunds.

    I did further research and found that the scammer has created more than twenty fake staffing companies with all the information on the web sites being identical but for the HR directors’ names.

    As a warning to others I created a blogger web site with all the information I gathered. It seems the scammer likes using one particular hosting company in Brea California that has let him continue to operate even though I warned them. I think the hosting company likes getting money from criminals since it spends just as well.

    You can see the list here:

  13. G.Scott H.

    As others have mentioned, it makes no difference whether you owe or are due a refund. The tax ID thief files for a refund in your name.

    I also would like to see the income tax change to a flat tax or abolished. Consumption tax is regressive so has to be limited.

    Asset tax is not regressive. And it would encourage economic activity rather than hoarding wealth.

    Identity alone cannot be the basis of high value transactions, authentication is a must. The value of the transaction determines the level of assurance of authentication of an identity. Simply having a SSN and some other obtainable information does not cut it for a few thousand dollar tax refund. On the other hand, to purchase a pack of gum, simply being able to hand over the appropriate amount of payment is enough. In the pack of gum case, the authenticity of the payment is more important.

  14. Ridiculous

    Yes I work for one of these companies and my W-2 was compromised. As well as my SSN and tax info. Someone filed a fraudulent tax return which prevented me from filing. I’m having to go through all the identity theft process and re-file a paper copy along with a fraud affidavit. Causing my return to be delayed. I have people saying I should sue my employer for negligence. Anyone think I have a case? Should I talk to a lawyer?

  15. Brian Cummings

    Would be nice if the fraudsters would pay my taxes owing. :-))
