Today, millions of Americans will mail their last-minute tax returns to the Internal Revenue Service. Tomorrow, many of those citizens will discover that an identity thief actually filed a return on their behalf months ago — and pocketed their tax refunds.
Although the IRS lacks national security secrets or military power, easy scams and easy money have placed the tax bureau on the front lines of cybersecurity. Every year, as the middle of April approaches, cybercriminals transform stolen personal data into cash by tricking the American taxman with false tax returns.
A report by the Government Accountability Office found 245,000 cases involving identity-theft tax-return fraud in 2010 alone.
The IRS has gotten very good at identifying these false filings, but as always in the world of cybercrime, the villains remain one step ahead.
"The IRS does get hit. There are fake tax return scams all the time. The IRS is a big cash cow for a lot of cybercriminals," said Steve Santorelli, a former investigator with Scotland Yard and Microsoft, and now director of global outreach with the Florida-based nonprofit Internet security-research group Team Cymru. "But the IRS is very smart about how it monitors its systems; it has many smart people watching its systems. I'm surprised they don't get hit more."
As with so many other online crimes, the main scam run against the IRS begins with stolen personal information. A criminal with a stolen Social Security number, or, better yet, a previous year's tax return, uses commercial tax-preparation software, such as TurboTax, to file an early tax return on behalf of the unwitting victim.
The criminal organizes the return so the IRS will issue a refund, and then pockets the money, Santorelli explained to SecurityNewsDaily. To a criminal running this scam, an old tax return can produce as much as $10,000 in illegal profit.
Generally speaking, the criminals keep the refunds small, so as to avoid provoking audits. The profit comes from running a number of these scams at a time, an easy feat given how little technical know-how the scam requires.
"I'm impressed with how the IRS counters this, but you don't need to be a career cybercriminal to do this. You can be a regular criminal and do this," Santorelli said. "If you can open a PayPal account, you can have a go at the IRS. The skill barrier to entry is very, very low."
To counter the threat, the IRS uses the same methods banks use to identify identity theft. The agency will look for filings originating at foreign Internet addresses, for radical changes in income or for other irregularities that differ from the well-understood patterns followed by regular citizens.
You can avoid becoming a victim by following basic rules of identity protection. Keep old tax returns in a safe place; give their digital versions fake names on your computer; shred financially sensitive documents; and never give your Social Security number to anyone other than your boss or the government.
Taxpayers who think someone else may have fraudulently filed a return in their name should call the IRS's identity-theft hotline immediately at 1-800-908-4490. The IRS Taxpayer Advocate Service is also available.
So far, the IRS has gotten very good at differentiating between honest and fraudulent filings. However, Santorelli said, with so many filings, and taxpayer demand for easy e-filing, cybercriminals will continue to defraud the IRS for years to come.