Posts Tagged: American Coalition for Taxpayer Rights

Mar 16

Phishing Victims Muddle Tax Fraud Fight

Many U.S. citizens are bound to experience delays in getting their tax returns processed this year, thanks largely to more stringent controls enacted by Uncle Sam and the states to block fraudulent tax refund requests filed by identity thieves. A steady drip of corporate data breaches involving phished employee W-2 information is adding to the backlog, as is an apparent mass adoption by ID thieves of professional tax services for processing large numbers of phony refund requests.

According to data released this week by anti-fraud company iovation, the Internal Revenue Service is taking up to three times longer to review 2015 tax returns compared to past years.

Julie Magee, commissioner of Alabama’s Department of Revenue,  said much of the delay this year at the state level is likely due to new “fraud filters” the states have put in place with Gentax, a return processing and auditing system used by about half of U.S. state revenue departments. If the states can’t outright deny a suspicious refund request, they’ll very often deny the requested electronic bank deposit and issue a paper check to the taxpayer’s known address instead.

“Many states decided they weren’t going to start paying refunds until March 1, and on our side we’ve been using all our internal fraud resources and tools to analyze the tax return before we even put it in the queue,” Magee said. “That’s delaying refunds nationwide for the IRS and the states, and it’s pretty much going to also mean a helluva lot of paper checks are going out this year.”

The added fraud filters that states are employing take advantage of data elements shared for the first time this tax season by the major online tax preparation firms such as TurboTax. The filters look for patterns known to be associated with phony refund requests, such how quickly the return was filed, or whether the same Internet address was seen completing multiple returns.

Magee said some of the states have been adding new fraud filters nearly every time they learn of another big breach involving large numbers of stolen or phished employee W2 data, a huge problem this tax season that is forcing dozens of companies large and small to disclose data breaches over the past few weeks.

“Every time we turn around getting a phone call about another breach,” Magee said. “Because of all the different breaches, the states and the IRS have been taking extreme measures to filter, filter, filter. And each time we’d get news of an additional breach, we’d start over, reprogram our fraud filters, and re-assess those returns that were not processed fully yet and those waiting to be processed.”

Magee said the Gentax software assigns each tax return a score for “wage confidence” and “identity confidence,” and that usually fraudulent tax refund requests have high wage confidence but low — if any — identity confidence. That’s because the fraudsters are filing refund requests on taxpayers for whom they already have stolen W2 information. The identity confidence in these cases is low often because the fraudsters are asking to have the money electronically deposited into an account that can’t be directly tied to the taxpayer, or they have incorrectly supplied some of the victim’s data.

“I have zero confidence that filings which match this pattern are legitimate,” Magee said. “It’s early still, but our new filtering system seems to be working. But it’s still a big unknown about the percentage of fraudulent refunds we’re not stopping.”


athookMost states didn’t start processing returns until after March 1, which is exactly when a flood of data breaches related to phished employee W2 data began washing up. As KrebsOnSecurity first warned in mid-February, thieves have been sending targeted phishing emails to human resources and finance employees at countless organizations, spoofing a message from the CEO requesting all employee W2’s in PDF format.

In Magee’s own state, W2 phishers hauled in tax data on an estimated 180 employees of ISCO Industries in Huntsville, and some 425 employees at the EWTN Global Catholic Network in Irondale, Ala. But those are just the ones that have been made public. Magee’s office only learned of those breaches after employees at the affected organizations reached out to journalists who then wrote about the compromises.

Over the past week, KrebsOnSecurity similarly has heard from employees at a broad range of organizations that appear to have fallen victim to W2 phishing scams, including some 28,000 employees of the market research giant Kantar Group; 17,000+ employees of Sprouts Farmer’s Market; call center software provider Aspect; computer backup software maker AcronisKids Dental Kare in Los Angeles; Century Fence, a fencing company in Wisconsin; Nation’s Lending Corporation, a mortgage lending firm in Independent, Ohio; QTI Group, a Wisconsin-based human resources consulting company; and the jousting-and-feasting entertainment company Medieval Times. Continue reading →

Jun 15

States Seek Better Mousetrap to Stop Tax Refund Fraud

With the 2014 tax filing season in the rearview mirror, state tax authorities are struggling to incorporate new approaches to identifying and stopping fraudulent tax refund requests, a $6 billion-a-year problem that’s hit many states particularly hard this year. But some states say they are encountering resistance to those efforts on nearly every front, from Uncle Sam to online tax vendors and from the myriad of financial firms that profit handsomely from processing phony tax refunds.

Cash Cow: Check out this primer on which companies are profiting from tax refund fraud.

Cash Cow: Click on the image above for a primer on how many companies are profiting from tax refund fraud.

Last week, the Internal Revenue Service (IRS) disclosed that thieves had stolen up to $50 million in phony refunds by pulling tax data on more than 100,000 Americans directly from the agency’s own Web site. The thieves were able to do this for the same reason that fraudsters are able to get away with filing and getting paid for bogus refunds: The IRS, the states and the tax preparation firms all try to authenticate filers based on static identifiers about the filer — such as birthdays and Social Security numbers, as well as answers to a handful of easily-guessed or researched “knowledge based-authentication” questions.

I spoke at length with several state tax commissioners about the size and scope of the tax refund fraud problem, and what the IRS and the states are doing to move beyond reliance on static identifiers to authenticate taxpayers. One of the state experts I spoke with was Julie Magee, commissioner of Alabama’s Department of Revenue.

Magee described her work on a new task force organized by the IRS aimed at finding solutions for reducing the tax refund fraud problem across the board. Magee is one of several folks working on a fraud and authentication working group within the IRS’s task force, which is trying to come to a consensus about ways to do a better job authenticating taxpayers and to improve security around online tax preparation services such as TurboTax.

Earlier this year, TurboTax briefly suspended the online filing of state tax returns after dozens of state revenue departments complained about a massive spike in fraudulent refund requests — many of which were tied back to hijacked or fraudulently-created TurboTax accounts.

One of those victimized in that scourge was Joe W. Garrett, — Magee’s deputy commissioner — who had a $7,700 fraudulent return filed in his name after thieves created a duplicate TurboTax account with his personal information.

Magee said her working group — one of three on the IRS’s task force — is populated by stakeholders with competing agendas.

“You have companies like Intuit that don’t want the government getting into the online tax preparation business, and then there are the bricks-and-mortar operations like Liberty and H&R Block that don’t want to see their businesses cannibalized by the do-it-yourself online firms like TurboTax,” Magee said. “And then we have the banking industry, which is making a fortune off of this whole problem. Right now, the only entities that are really losing out are states and the US Treasury.” (For a look at which companies stand to profit from fraudulent refunds, see this sidebar).

In February, KrebsOnSecurity published exclusive interviews with two former TurboTax security professionals who accused TurboTax of making millions of dollars knowingly processing state and federal tax refunds filed by identity thieves. Magee said Intuit — the company that owns TurboTax — came to the first two working group meetings with a plan to provide states with an anti-fraud screening mechanism similar to Apple Pay‘s “green/yellow/red path” program, which seeks to offer participating banks some idea of the relative likelihood that a given new customer is in fact a fraudster signing up in the name of an ID theft victim.

“The first two meetings, Intuit acted like they were leading the charge on this, and they were really amenable to everything,” Magee said. “They had come up with an idea that was very much like the red- yellow-green kind of thing, and they were asking us what data elements they should be looking at and sharing.” greenyellowred

According to the Alabama tax commissioner, that’s when the American Coalition for Taxpayer Rights (ACTR), a trade group representing the tax preparation firms, stepped in. “The lobbyist group put the kibosh on that idea. They basically said it’s not their right to be the police – that it should be the IRS or the states — but that they would be more than willing to send us the indicators and that we could use our own system to do the scoring,” Magee said. “The states aren’t hung up on getting some red, yellow, green type system. I think we’re more interested in making sure data elements we can use to make a score are passed on to us.”

Magee said ACTR also protested that tax prep firms like Intuit couldn’t legally share certain information about their customers with the states and the IRS. Representatives with ACTR did not respond to requests for comment. Intuit declined to be interviewed for this story.

“They threw up a red flag and basically said, ‘We can’t you pass that information because it’s protected by IRS code sections regarding taxpayer confidentiality issues,'” Magee recalled. “Thankfully, the IRS brought in their attorneys and the commissioner a few weeks ago and they said, ‘That’s bunk, you can most certainly send that information to us and to the states. So we won that battle.” Continue reading →