As more people take advantage of the convenience of filing taxes online, organized criminals are snatching identities and stealing billions of dollars in tax refunds.
IRS tax fraud and identity theft has been occurring over the last decade, but the problem has been intensifying despite the government's efforts to thwart attacks and has been a “significant problem” over the past five years, said Robert Siciliano, an online security expert at McAfee.
Florida has become a hub for tax cyber crime and the Mexican Mafia is involved, he said.
The IRS has cracked down in recent years, but with sophisticated cyber criminals working against a dilapidated federal filing system, cyber security experts warn filers can and will fall victim unless they take all possible precautions.
“They’re getting better at it but they still have so many hundreds of millions of tax returns to file in so short a time,” Siciliano said. “It’s an old, dilapidated mess of a system that has not kept up with the times.”
The IRS recently concluded a year-long crackdown on fraud and identity theft. The coast-to-coast effort against 389 suspects led to 734 enforcement actions in January, including indictments and arrests. Ahead of the 2013 tax season, the IRS Criminal Investigation, in conjunction with the Department of Justice, had opened more than 1,460 identity theft investigations since its efforts began in October 2011.
“We have aggressively stepped up our efforts to pursue and prevent refund fraud and identity theft, and we will continue to intensely focus on this area,” IRS Acting Commissions Steven Miller said in a statement last month.
But with 81% of filers paying their taxes online last year, the opportunity to file phony returns is immense.
In the 2011 tax season, the agency failed to prevent 1.5 million potentially fraudulent tax returns from being processed last year, resulting in refunds totaling more than $5.2 billion, according to estimates by the Treasury Inspector General for Tax Administration. The agency did thwart 938,664 fake returns totaling $6.5 billion in fraud, however the inspector general said the results were nevertheless “extremely troubling.”
The IRS essentially runs on the honor system, meaning it issues refunds before it conducts a thorough audit. Because of that, a refund can be in the mail on its way to a criminal before the IRS is even aware that it was duped.
“Organized crime is latching onto a fundamentally flawed system,” Siciliano said. It “sees this as an opportunity.”
With an intricately designed support system, cyber thieves steal personal information by nabbing people’s paper trails, hacking their computers or infected PCs with viruses. They then file a return using someone else's social security number. The return often looks so realistic that red flags aren't raised until the victim tries to file legitimately.
It’s a form of “account takeover fraud,” Siciliano said, similar to when criminals use stolen credit card numbers to make unauthorized transactions or withdrawals.
Once the duplicate is brought to the agency’s attention, it then must investigate which application is real, which can lead to them tracing IP addresses to see where the application was filed and determining whether the return was sent to a property not associated with the filer.
If an organized crime ring is sophisticated enough, they could have anywhere from two to thousands of people working toward the goal of stealing refund dollars. In some cases, they rent temporary spaces to where they funnel thousands of returns.
Since the IRS is ultimately the one being defrauded, it ends up absorbing the costs. Siciliano said the excess waste ultimately trickles down to taxpayers.
There are ways, however, to be guarded.
For example, the IRS does not send emails. Don’t be fooled by email subjects claiming “your tax return appeal is declined” or “owe back taxes to the state or IRS.” McAfee said other popular email heads are “file your taxes now turn your refund into cash” and “tax relief notification.”
It won’t text or call and try to lure a filer into providing personal information.
“The IRS will never email you,” Symantec warns on its website. “Ever.”
In addition to not clicking on unusual links or giving away personal information, locking mailboxes also helps protect against fraud, as does having complex passwords protecting mobile devices and PCs. Shred old tax forms and look into instituting a credit freeze, which locks down social security numbers and credit reports making it more difficult for criminals to nab personal information, McAfee said.
"Identities that have a credit freeze are less attractive to bad guys for a number of reasons,” Siciliano said. “If bad guys can’t open a credit card under your name they’ll hesitate to use your taxes.”
The more security systems a person has in place, the more secure they’ll be.
Symantec also warns filers to be wary of fake tax preparation companies and encourages people to log out completely when finished on a tax site or online banking site or when they complete an online transaction with a retailer. Importantly, it says refunds should be directly deposited so criminals can't steal them in the mail.
The IRS encourages Americans to check their credit report at least once a year, pay attention to changes in the tax laws and not to give away social security numbers to businesses unless it is absolutely required.