September 20, 2018
Why This Could Be the “Worst Ever” Season for Tax Fraud
Posted May 1, 2018
This year’s weird D.C. holiday-affected tax filing deadline is now behind us, and as millions of filers wait for refunds, an ominous and looming fact could affect that much-anticipated refund check. There was a staggering 60-percent increase in stolen taxpayer data from accounting and tax preparation services, which could spell huge fraud losses from identity-related tax fraud this season.
In February, the IRS began warning tax professionals of a surge in “New Client” phishing attacks that appear to come from taxpayers inquiring about tax preparation services, often with an “IRS notification” or “prior-year tax information” documents attached.
When opened, the documents deliver malware into preparer’s computer systems, enabling crooks to steal taxpayer information, the preparer’s E-File account number (eFIN), and more.
Normally that would be it. The fraudsters would steal the credential and either change the filing and the beneficiary bank account in the filing itself or change the recipient’s physical address for live checks. And just like that, the money never arrives…bye bye refund. This year, however, the fraudsters have adopted a new tactic and, in the process, have been throwing a sophisticated curveball: This year, they’re having elicit refunds deposited into the real taxpayer’s actual bank account. Once it’s there, these con artists impersonate IRS or law enforcement representatives and contact the taxpayer directly, asking them to “return” the “erroneous refund”— to them.
Combined with other worrisome trends, 2018 is shaping up to be “the worst ever” for tax fraud according to USA Today.
Old Scams, New Twists
So, what’s going on? First, there’s the record massive numbers of data breaches we’ve seen over the past year.
Today, fraudsters can easily phish their way to the personal information they want or buy it on the dark web, thanks to a continuous stream of breaches, including last year’s breach at a major credit bureau, which compromised the personal identity information of 143 million Americans. Every hour of every day, another 211,715 personal identity files are lost or stolen.
As a result, 6.65 percent of consumers became new victims of some form of identity fraud last year, according to Javelin Research. For the first time ever, Social Security numbers were compromised more than credit card numbers. And so far, the damage from these events has topped $16.8 billion in losses, with more pain to come.
That’s where sophisticated schemes like the ones we’re seeing this tax season come in. As Forbes points out, it’s much more difficult to identify and halt fraudulent tax returns when they’re using real client data, such as income, dependents, credits and deductions—and refunds are deposited in the appropriate accounts.
By why go to all the trouble? As it turns out, another contributing factor to increased risk this year may in fact be the IRS’s own, surprisingly successful efforts to reduce identity-related tax fraud.
Necessity is the Mother of Deception
Indeed, what may be surprising to some is that the IRS recently reported there was actually a 40-percent decline in the number of tax fraud victims in calendar year 2017, hitting approximately 242,000, compared to 401,000 the year before.
In all, the IRS and its partners in state governments and financial services say joint initiatives helped identify and stop 787,000 fraudulent returns last tax season, totaling $4 billion in potential losses. In fact, from calendar year 2015 through 2017, fraudulent returns fell a whopping 57 percent, preventing what would otherwise amount to $20 billion in losses.
On the surface, a big win against the fraudsters. So, that’s all good, right? Undoubtedly. But as USA Today points out, what’s still unclear is how much money criminals did succeed in stealing during that time.
Far worse: The successes themselves seem to have inspired cybercriminals to develop inventive new lines of attack like the Erroneous Refund scam, which is clearly designed to circumvent the protections put in place by the IRS and its partners.
Fighting the increasing level of sophistication will be no small challenge.
More Signal, Less Noise
What can government agencies and their financial industry partners do to mitigate these ever-evolving threats?
At ThreatMetrix, we’ve been working successfully with government agencies, financial institutions and others to overcome these issues by seamlessly authenticating the vast majority of legitimate identities and pinpointing fraud.
Through our dynamic, digital identity solutions and the power of our Digital Identity Network, organizations typically find that approximately 92 percent of new or returning customers are legitimate individuals and that another 2 to 3 percent are clearly fraudulent. The remaining 5 to 6 percent require investigative workflows.
The investigative workflows are facilitated by leveraging the identity intelligence and advanced linking technologies from LexisNexis Risk Solutions, which strengthens the digital identity with more than 400 million records to help tax agencies authenticate identities and screen tax refund requests before payment is made. This powerful combination of digital real-time identities combined with physical tax attribution data cannot be understated…it is a massive first step in protecting filers and the affected tax agencies.
Not that the battle will always be easy, of course. Today’s phishing epidemic—including fake messages appearing to come from popular tax software providers—won’t vanish anytime soon. And crooks will always try to circumvent new defenses erected against them.
But that doesn’t mean filers should be hand wringing wondering if the next “worst year ever” for identity-related tax fraud will impact their refund. The power of digital identities, combined with millions of salient records, will keep taking a bite out of the fraudsters…making them less and less relevant.