ThreatMetrix US Patents Press Releases

With the April 15 Tax Deadline Looming, ThreatMetrix Says Taxpayers Need to be Aware of E-Filing Risks

Posted April 3, 2013

Account Takeover: How Sophisticated Cybercriminals Steal Your Tax Refund

San Jose, CA – April 3, 2013 – ThreatMetrix™, the fastest-growing provider of integrated cybercrime prevention solutions, has identified account takeover as a leading cause for tax-related identity theft. Account takeover occurs when a thief uses stolen user credentials to login to a website.

The number of identity theft cases detected by authorities sky-rocketed nationwide to more than 1.2 million cases in 2012, according to the Treasury Department. Over the next five years, the crime will cost the nation an estimated $21 billion.

Cybercriminals most commonly get ahold of taxpayer information through seemingly authentic IRS popups, phishing emails and spam messages. If a taxpayer clicks on one of these, they receive an email “from the IRS” indicating that he or she has underreported his or her income or needs to enter further personal information. Once the taxpayer clicks on the link provided, they will either be prompted to enter personal information or to download a tax statement. If either action is taken, the user is subjected to account takeover.

Other ways account takeover can occur include:

  • A data breach at a payroll processing company in which a fraudster uses a legitimate taxpayer’s credentials to file on his or her behalf.
  • Taking over an existing account from previously e-filing with a tax preparer site (e.g. Intuit, TurboTax). This can be done by guessing a taxpayer’s email address and then either brute forcing a password or obtaining it from a previous site the taxpayer logged into (e.g. LinkedIn).
  • Using malware to steal login credentials to access a partially saved tax return on a preparer site.

“The reason so many people fall victim to this trick is that fraudulent emails and websites often look very similar to those from the IRS or tax preparation sites,” said Bert Rankin, chief marketing officer, ThreatMetrix. “Today’s sophisticated cybercriminals cash in on a refund when e-filers basically hand them their sensitive data and credentials online. An easy-to-miss indication of a malicious message is the physical address of the link the user clicks.”

Once a cybercriminal has obtained a taxpayer’s personal information, it is then used to login into the IRS website or a tax preparation site and falsely file tax forms. Exploiting the slow moving tax refund process, cybercriminals often collect money before victims or the IRS even discovers the fraud. In many cases, even if there isn’t a refund coming to the taxpayer, the hacker can engineer it so they receive one.

“Account takeover is not a new phenomenon – many of our e-commerce and online banking clients work with us to avoid this kind of identity theft, which can cause significant damage to all involved. We work with our clients to, for example, detect when someone is using the same laptop to file multiple statements. This raises a red flag that the user may actually be a fraudster,” Rankin said. “Although no individual or organization is completely safe from identity theft, taxpayers can do their part by being aware of where they enter sensitive tax-related information.”

According to the Internal Revenue Service, other tax scams to be aware of when e-filing include:

  • Identity Theft – An identity thief uses a legitimate taxpayer’s identity to fraudulently file a return and claim a refund.
  • Return Preparer Fraud – Fraudulent preparers solicit unsuspecting taxpayers to file with them, which results in refund fraud or identity theft.
  • “Free Money” Tax Scams – Advertisements or flyers promise refunds to individuals who have little or no income and normally don’t have a tax filing requirement.

About ThreatMetrix

ThreatMetrix®, The Digital Identity Company®, is the market-leading cloud solution for authenticating digital personas and transactions on the Internet. Verifying more than 20 billion annual transactions supporting 30,000 websites and 4,000 customers globally through the ThreatMetrix Digital Identity Network®, ThreatMetrix secures businesses and end users against account takeover, payment fraud and fraudulent account registrations resulting from malware and data breaches. Key benefits include an improved customer experience, reduced friction, revenue gain and lower fraud and operational costs. The ThreatMetrix solution is deployed across a variety of industries, including financial services, e-commerce, payments and lending, media, government and insurance.

For more information, visit or call 1-408-200-5755. Join the cybersecurity conversation by visiting the ThreatMetrix blog, Twitter, LinkedIn and Facebook pages.

© 2016 ThreatMetrix. All rights reserved. ThreatMetrix and the ThreatMetrix logo are trademarks or registered trademarks of ThreatMetrix in the United States and other countries. All other brand, service or product names are trademarks or registered trademarks of their respective companies or owners.


Media Contact
Jaci Robbins
Tel: 408-200-5718

close btn