September 20, 2018
Mind the Gap: Tax Fraud Prevention in the Digital World
Posted June 28, 2018
The rapid transformation to a digital world has undoubtedly streamlined processes and raised expectations for the average consumer. People now expect a secure, frictionless digital experience, whether they are buying something from a retailer, donating to a charity, or filling in a tax return. However, while many ecommerce, media and financial organisations have evolved their security systems in line with the new digital era, many government agencies are still prime targets for cybercriminals, fraudsters, hacktivists, nation-state sponsored hackers, and insider threats.
Of these agencies, revenue departments are one of the most badly affected. This is due mainly to the nature and extent of the fraud that can be committed. Attacks range from opportunist individuals under-declaring on their tax return, to large multi-national corporations avoiding paying their whole bill, to organized crime rings committing MTiC or carousel fraud. This all amounts to an estimated tax gap in the UK of £34 billion (or 6% of all tax liabilities).
While many of these kinds of attacks have been made simpler (or in some cases even made possible) by the uptake of online digital services, organisations can also take advantage of new technologies in order to combat digital fraudsters. This could range from simple things, like the time spent on a page (shorter than normal times could point to non-human traffic or bot attacks), to more complex techniques such as proxy piercing (to detect a user trying to mask their true location), or page/application fingerprinting (to detect any unexpected changes – a symptom of “Man in the browser” type attacks).
When tackling a problem of this size and nature, tax agencies often face a number of additional interesting challenges, including:
- You can’t please all of the people all of the time
- Don’t know your customer (DKYC!)
- Taxation is never going to win elections
Their customer base is, by nature, enormous. Between them, the 4 largest banks in the UK have 75% share of the market, by definition a national tax authority has 100% market share. It is also incredibly varied, and the rules that apply to one type of customer (e.g. an individual submitting a personal tax return) are completely different to another type (e.g. a large multi-national corporation).
Depending on the type of customer, it can be quite hard to build up any sort of understanding of what is “normal” behaviour for them. While some businesses will interact on a monthly basis either directly or through an agent, some individuals may only interact once every few years to query a tax code or something similar.
Being a government department, budgets are always tight. Spending money on a tax and revenue department is seldom popular and never “sexy”. This, coupled with their size, can often mean that it is harder for them to justify spending, or to be reactive to change (let alone proactive).
There is also the issue of the large quantities of personal data that they hold. Clearly, in today’s world, personal data is a valuable commodity and protecting access to it a legal responsibility. This, combined with the negative impact on public perception, means there is great pressure from the top to ensure data privacy, GDPR and other such laws and regulations are strictly adhered to.
So, how can tax departments start to tackle these issues?
Primarily, they need an approach to identity and verification that will allow them to leverage the huge range of digital interactions individuals make on a daily basis. If I try and create an account using stolen credentials that have been added to a global black list by another organization, that should be flagged for review. Similarly, for legitimate customers who use the same devices on a regular basis all over the internet, I should be able to streamline their interactions and allow a friction free user experience.
Secondly, given that 60% of all new account creations today are from mobile devices, we should be able to employ technologies that are able to use information about a user’s device to enhance information we already know. Combining device intelligence with physical identifiers in this way enables for greater accuracy and higher confidence that the identity presenting itself to register for the account is who they say they are. For example, if I try and register from abroad for online services with HMRC in the UK, and I mask my true location to try and appear as if I am located there, then this fact could contribute to an overall risk factor.
Finally, since there clearly is not a “one size fits all” approach to identity verification or risk assessment for taxation, government departments need to move away from the large, complex data transformation programs – often billed as a silver bullet for all the needs of an organization – and more towards a microservices type of architecture. This way organisations can deploy a suite of software applications with specialized business goals in a way that is more flexible and targeted.
Employing this approach would not only allow for the utilisation of crowd-sourced information, but also the tailoring of specific policies to the needs of a wide and varied customer base. Separate sets of rules allow for targeted fraud prevention across all tax avoidance and evasion whether it be opportunistic, organised or purely focused on the exploitation of individual loopholes.
Ultimately, it is worth remembering that the theft is from the taxpayer so, in essence, we are all victims of these frauds. Potentially if the general public were more aware of the problem it might be easier to justify spending on fraud detection and prevention systems as currently it is fundamentally undermining the UK tax base.