February 26, 2016

The U.S. Internal Revenue Service (IRS) today sharply revised previous estimates on the number of citizens that had their tax data stolen since 2014 thanks to a security weakness in the IRS’s own Web site. According to the IRS, at least 724,000 citizens had their personal and tax data stolen after crooks figured out how to abuse a (now defunct) IRS Web site feature called “Get Transcript” to steal victim’s prior tax data.

The Growing Tax Fraud MenaceThe number is more than double the figures the IRS released in August 2015, when it said some 334,000 taxpayers had their data stolen via authentication weaknesses in the agency’s Get Transcript feature.

Turns out, those August 2015 estimates were more than tripled from May 2015, when the IRS shut down its Get Transcript feature and announced it thought crooks had abused the Get Transcript feature to pull previous year’s tax data on just 110,000 citizens.

In a statement released today, the IRS said a more comprehensive, nine-month review of the Get Transcript feature since its inception in January 2014 identified the “potential access of approximately 390,000 additional taxpayer accounts during the period from January 2014 through May 2015.”

The IRS said an additional 295,000 taxpayer transcripts were targeted but access was not successful, and that mailings notifying these taxpayers will start February 29. The agency said it also is offering free credit monitoring through Equifax for affected consumers, and placing extra scrutiny on tax returns from citizens with affected SSNs.

The criminal Get Transcript requests fuel refund fraud, which involves crooks claiming a large refund in the name of someone else and intercepting the payment. Victims usually first learn of the crime after having their returns rejected because scammers beat them to it. Even those who are not required to file a return can be victims of refund fraud, as can those who are not actually due a refund from the IRS.

As I warned in March 2015, the flawed Get Transcript function at issue required taxpayers who wished to obtain a copy of their most recent tax transcript had to provide the IRS’s site with the following information: The applicant’s name, date of birth, Social Security number and filing status. After that data was successfully supplied, the IRS used a service from credit bureau Equifax that asks four so-called “knowledge-based authentication” (KBA) questions. Anyone who succeeds in supplying the correct answers could see the applicant’s full tax transcript, including prior W2s, current W2s and more or less everything one would need to fraudulently file for a tax refund.

These KBA questions — which involve multiple choice, “out of wallet” questions such as previous address, loan amounts and dates — can be successfully enumerated with random guessing. But in practice it is far easier, as we can see from the fact that thieves were successfully able to navigate the multiple questions more than half of the times they tried. The IRS said it identified some 1.3 million attempts to abuse the Get Transcript service since its inception in January 2014; in 724,000 of those cases the thieves succeeded in answering the KBA questions correctly.

The IRS’s answer to tax refund victims — the Identity Protection (IP) PIN — is just as flawed as the now defunct Get Transcript system. These IP PINS, which the IRS has already mailed to some 2.7 million tax ID theft victims, must be supplied on the following year’s tax application before the IRS will accept the return.

The only problem with this approach is that the IRS allows IP PIN recipients to retrieve their PIN via the agency’s Web site, after supplying the answers to the same type of KBA questions from Equifax that opened the Get Transcript feature to exploitation by fraudsters.  These KBA questions focus on things such as previous address, loan amounts and dates and can be successfully enumerated with random guessing.  In many cases, the answers can be found by consulting free online services, such as Zillow and Facebook.

ID thieves understand this all to well, and even a relatively unsophisticated gang engaged in this activity can make millions via tax refund fraud. Last week, a federal grand jury in Oregon unsealed indictments against three men accused of using the IRS’s Get Transcript feature to obtain 1,200 taxpayers transcripts. In total, the authorities allege the men filed over 2,900 false federal tax returns seeking over $25 million in fraudulent refunds.  The IRS says it rejected most of those claims, but that the gang managed to successfully obtain $4.7 million in illegal refunds.

HOW BAD WAS IT OVERALL IN 2015?

The IRS hasn’t officially released numbers on how much tax refund fraud it saw overall in 2015, but in response to questions from KrebsOnSecurity it offered figures on how many fraudulent returns it detected and blocked last year.

“In calendar year 2015, the IRS rejected or suspended the processing of 4.8 million suspicious returns. The IRS stopped 1.4 million confirmed identity theft returns, totaling $8.7 billion,” the agency said in a statement. “Additionally, in calendar year 2015, the IRS stopped $3.1 billion worth of refunds in other types of fraud. That’s a total of $11.8 billion in confirmed fraudulent refunds protected.”

Again, these numbers do not reflect how many fraudulent refunds were paid out in calendar year 2015 due to ID theft, and as we can see with the numbers tied to the Get Transcript fiasco these numbers have a way of changing upward over time significantly. I mention that because something about these numbers doesn’t seem to square with figures previously released by the Government Accountability Office and the Federal Trade Commission.

Last month, the FTC said it saw an almost 50 percent spike in ID theft claims in 2015, a jump that was thanks largely to a huge uptick in consumer reports of tax refund fraud. Likewise, a report by the IRS last year indicates that between Jan. 1, 2015 and Sept. 30, 2015, the IRS saw more than 600,000 incidents of ID tax-related ID theft, up more than 50 percent over 2014, and 30 percent over 2013.

According to a January 2015 GAO report (PDF), the IRS estimated it prevented $24.2 billion in fraudulent identity theft refunds in 2013. Unfortunately, the IRS also paid $5.8 billion that year for refund requests later determined to be fraud. The GAO noted that because of the difficulties in knowing the amount of undetected fraud, the actual amount could far exceed those estimates.

The best way to avoid becoming a victim of tax refund fraud is to file your taxes before the fraudsters can. See Don’t Be A Victim of Tax Refund Fraud in ’16 for more tips on avoiding this ID theft headache.


29 thoughts on “IRS: 390K More Victims of IRS.Gov Weakness

  1. Dean Marino

    There is one more sure fire way to avoid IRS Tax Refund headaches….

    Don’t get a refund. OWE between $50 and $100, and MAIL IN your return.

    Could the IRS be a victum? Well, yes – but you won’t loose your “refund”. Could your ID be compromised? Yes – and previous advice to REGISTER at IRS.gov is good – we have.

    But also consider that careful W2 balancing, or CORRECT quarterly filing (based on YOUR tax obligation calculations), can result in very accurate, and totally legal final tax PAYMENTS of between $50 and $100.

    1. Jerry Stern

      No, planning your withholding and quarterly estimated payments so that it all adds up to a tiny amount payable won’t protect you. Those payments during the year are deposits towards tax liabilities, and are entirely refundable with a sufficiently-creative false return, or with a sufficient amount of legit deductions, which happens often enough that it (apparently) doesn’t raise warnings at the IRS.

      IOW, scammers can get your tax payments for the entire year, not just your refund. (Brian: Is there information on how much they are getting per return or as a percentage of total tax payments per return?)

      I would consider it suspicious if returns showing massive itemized deductions or massive over-withholding and requesting large refunds starting showing up during January; I do tech work for a lot of accountants, and they do not have numbers to work with for complex returns that early. The scammers file first, and early filing of complex returns is likely to be a good filtering factor towards identifying returns requiring more examination.

      1. Muntz

        Jerry Stern: “No, planning your withholding and quarterly estimated payments so that it all adds up to a tiny amount payable won’t protect you”

        Yes it will as Dean Marino said: “Could the IRS be a victum (sic)? Well, yes – but you won’t loose (sic) your “refund”. Could your ID be compromised? Yes – and previous advice to REGISTER at IRS.gov is good – we have.”

        Simply put, if you have a large refund legitimately owed to you and someone else has already filed a return, it will be a headache to actually get those funds – conversely, if no money is owed to you and someone else has already filed a return…I’d say it would plainly be less of a headache.

    2. Josh

      This doesn’t help you. A crook can just file your return with bogus information. As Brian said – you can be a victim even if you aren’t required to file taxes at all (no income).

    3. Josh

      The best question- I’ve gotten it several times- which one of these streets is near your address. Like someone can’t look at a map! Screws up people who have just moved and aren’t familiar with the neighborhood yet too. Took me a year or so before I was really familiar with the area when I relocated.

    4. Steve L

      While I agree that arranging to owe some each tax year is the best approach – you’re not lending the Feds money interest-free – it doesn’t help prevent fraudulent filing. The fraudsters make up data to make it appear that you’re due a refund, and they collect it. The IRS allows filing before they have all the documentation supplied by employers, investment firms, etc. – you can thank Congress for that.

      1. Soy Tenley

        You can file any time, the problem is the IRS sends refunds before they have all the documentation supplied by employers, investment firms, etc. – you can thank Congress for that.

  2. Mike

    Technically “identity theft” not “refund fraud” although refund fraud was the ultimate goal, as in the case of the Nigerians, who used transcripts to file realistic returns.

  3. Mike

    It seems the IRS was funding a luxury hotel in Lagos:
    http://www.leagle.com/decision/In%20FDCO%2020150804F57/U.S.%20v.%20KAZEEM
    Turning then to the history and characteristics of Defendant, I find that this factor weighs strongly against Defendant. At the detention hearing, the government produced a considerable amount of evidence demonstrating a pervasive pattern of fraud in Defendant’s conduct over at least the last five years. The government presented evidence that Defendant obtained his United States citizenship by means of a fraudulent marriage to a citizen and that denaturalization proceedings have been commenced against him. The government also presented evidence that, despite his allegedly fraudulent marriage and his romantic connections to at least two women in Maryland, Defendant is married to a woman in Nigeria and possibly also married to another woman in the United Kingdom.

    The government also produced evidence that Defendant has been investing at least some of the proceeds of the alleged tax fraud scheme in Nigeria. These investments apparently include substantial property in Lagos, Nigeria, where Defendant intended to construct a high-end hotel.

    It also appears that, despite owning a substantial house in Bowie, Maryland, and incurring considerable expenses, Defendant is without a legitimate source of income. Defendant’s tax returns for the last several years have represented that he worked for a company in Maryland which has been defunct for the entire time of Defendant’s purported employment with them.

  4. G.Scott H.

    What sites use these KBAs? I know in addition to the IRS, that healthcare.gov and USPS for their myUSPS package tracking service. These generally don’t work when you have a credit freeze in effect. Thanks to OPM most of these KBAs for me are in the wild in addition to many of the traditional security question answers.

    1. somguy

      Lots of sites do. Anything that looks up credit report or lending info (such as banks, car or house loans, etc). Also any site that wants to do more verification, such as car insurance, phone companies (such as Verizon, AT&T, etc), and others.
      Many sites where you put in your social security number will use something like that to verify it.

  5. Ron B

    One real sure fire way to avoid IRS Tax Refund headaches….
    ELIMINATE the income tax!

      1. David S.

        Yep, you are correct. Thanks.

        I guess I’m surprised they are still collecting this data via the web given the recent problems… I’d be reluctant to provide it here.

        1. Nancy

          And it appears to be using an out of date SHA1 certificate somewhere along the line, in addition to continuing support for the RC4 cipher.

          Our tax dollars at work, eh?

  6. Stackpole

    Is there a way to tell the IRS that I have NOT yet filed my 2015 taxes, but I will before the April deadline? This is to get something in before the miscreants can file for “my” refund.

    I (usually) file as early as possible but this year (don’t ask) some necessary information won’t be available until early April, so I am on tenterhooks.

    1. peter

      If you don’t have all the data, still file early and then amend it. Just make sure that you’ve paid just enough in tax – by April 18th – to cover your final bill.

      File-and-amend can be your friend.

  7. Kyle

    The government is being nailed by these fraudsters as well … is anywhere safe these days?

  8. Nikon1

    And this is the same Government that wants to be access all the information I have encrypted on my iPhone.

    “Trust US – It’s just the San Bernadino iPhone – you know, the terrorist’s iPhone.”

    Yeah – Trust you: Not in my lifetime! There is Nothing secure in Washington as far as I can see.

    1. Sasparilla

      It gets even better. The Obama administration is very close to allowing the NSA to start sharing “raw” data (no privacy protections) with domestic law enforcement agencies (who have histories of abusing such power). This was something the Bush administration wanted to do but chose not to…but here’s President Obama cementing another leg of the surveillance state into place:

      http://www.nytimes.com/2016/02/26/us/politics/obama-administration-set-to-expand-sharing-of-data-that-nsa-intercepts.html?_r=1

  9. A CPA

    As a CPA who has seen the havoc first hand, I can only believe that the IRS is in cahoots with the crooks. It is ridiculously easy to file a fictitious tax return and obtain a fraudulent refund from any where in the world. They simply refuse to institute steps that would force proper ID. My guess is that it is like voter fraud. Too beneficial for some to kill it.

    1. Mike

      Hey it’s not their money. Refunds are paid by Treasury not by IRS so why make things more difficult if it means more calls to their 800 number or visits to their offices?

  10. Chris

    Why not institute some sort of a physical token? Honestly, I would be even willing to pay a few bucks for it if it means avoiding the headaches of dealing with fraudulent returns in my name.

  11. Peter

    So, the government wants to weaken security from Apple and other software companies to match their lack of security…. Sounds a lot like the movie Idiocracy (2006)…. Electrolytes are great…!

  12. Terri pheland

    My son went to a person who was an accountant to get his taxes done this person messed them up and he was audited it was determined that he owes over $ 29000 in taxes how can this be mt son was 24 and. Didn’t even earn that much a year so he fought it and went to court because the person who did his taxes was unlicensed he lost and he wages were attached he has been paying for 2 years now is their any help out there at all he is a single father with full custody and struggling his past three (including) this years refunds have been confiscated if you can help please email me. Thanks

  13. f250 roof light bar

    The other attraction with this corner of the park was a walk
    through haunted house called El Pasaje Maldito. f250 roof light bar bars LED, offer an incredible benefit which is
    rarely observed in other designs. Buy emergency light bars for trucks Multiple LEDs may be combined
    and flash patterns can be built into circuits to make use of for
    decorative effect.

    I also saw a fish and chips stand called “Omega 3”–I guess health consciousness
    has reached England, though I don’t understand that
    fish and chips is the foremost source for omega 3’s.

    This becomes particularly useful when you want to keep your
    lighting in your driveways, in your stair railings, inside gardens and round
    the poolside on for too long hours.

Comments are closed.