The Internal Revenue Service’s new security measures this tax season to counter identity theft and tax fraud appear to be having little impact so far on criminals, according to a security expert who monitors the online chat rooms where fraudsters swap taxpayers’ sensitive personal and financial information.
SecurityScorecard, a computer security service based in New York City, has detected a significant spike in chatter relating to IRS tax fraud this tax season, as in past years.
“Since it’s tax season again, we’re noticing again that they are focusing on defrauding the IRS and more specifically defrauding U.S. taxpayers and the services that they use to process their tax returns in order to basically fill prepaid cards and cash them out with the returns before the actual person is able to,” said SecurityScorecard chief research officer Alex Heid. “They do that using a series of prepaid cards that are set up with fake identities. They use the same information from the fake identities to file a tax return before the actual person does, and it usually requires the coordination of several individuals.”
Last year, the IRS teamed up with state tax authorities, tax software developers, and major tax preparation chains on a security initiative in which they share information to deter identity thieves (see IRS, States and Tax Industry Adding New Safeguards to Curb Identity Theft). As part of the initiative, the IRS, states and tax industry are sharing more than 20 new data elements on tax return submissions this tax season to help detect identity-theft related filings. In addition, the software industry is putting in place enhanced identity requirements and validation procedures for their customers to protect accounts from identity thieves.
Despite these steps, some major tax software vendors such as TaxAct and TaxSlayer have needed to send out warnings to thousands of customers this tax season letting them know their information may have been compromised (see TaxAct Detects Data Breach and Suspends Customer Accounts and TaxSlayer Experiences Identity Theft Attack). Nearly two dozen Liberty Tax Service franchises have also been caught sending high volumes of suspicious tax returns in the state of Maryland (see Maryland Suspends Liberty Tax Service Franchises).
SecurityScorecard found that criminals, mostly from overseas, are still finding ways around whatever new security measures are put in place and openly talking about their successes. Heid is seeing such discussions on underground forums on both the so-called “Darknet,” such as private invitation-only peer-to-peer networks, and the “Clearnet,” where information is unencrypted and more accessible.
“A lot of the forums are invite only and closed to the public, so they’re not being indexed on Google,” said Heid. “They like to keep a lot of their stuff closed and invite only where they’ll have multiple people vouch to even allow you access to the forum. We were able to gain visibility into these underground regions where we normally wouldn’t have access because, just as hackers are constantly attacking corporate targets, they’re also attacking each other. They brag about it. There are inter-crew rivalries constantly, and we just keep our ear to the ground for when they release the databases of certain forums. Once that happens, you’ve essentially got visibility into everything up to the administrator level for that forum. When people are members of one, they are usually members of multiple. We’re monitoring how they’re warring with each other and leveraging that to gain access.”
The extra security measures instituted by the IRS and the tax industry are ones that many identity thieves are already accustomed to skirting.
“A lot of banks and credit card companies and merchant processors use similar techniques, and fraudsters—essentially with just a little bit of persistence—are able to bypass them, usually by pulling combinations of credit reports, background reports and social media profiles on their targets,” said Heid. “By compiling all that information, they usually have enough info that they need to be able to answer the majority of the questions to gain access. So if that’s been implemented by tax return season, it doesn’t seem to be stopping them. It’s probably just another hurdle that they’re used to from the fraud that they’ve been doing.”
Scammers arm themselves with what they call “fullz,” anonymized debit cards, and a list of tax-filing websites. They then quickly file as many tax returns as possible before the legitimate tax returns are filed by the actual taxpayers so they can receive the cash refund on their debit cards, which can be cashed out anonymously. There is a time delay between the time the IRS processes a tax return and the time when the information is validated. Scammers take advantage of this time delay in order to steal millions of taxpayer dollars.
The IRS’s new security measures aren’t so new to the scammers, according to Heid. “It seems like they’re just late to the game in adopting these standard practices, but the underground has already had evasion methodologies and practice for years where it’s just considered part of the hack to pull a background report and profile, what they call ‘doxxing,’” he said. “In the underground the slang term for a record of information—name, date of birth, Social Security Number, mother’s maiden name, address—that’s called ‘fullz.’ In order to fully utilize the fullz, they need to doxx their fullz, and once they doxx the fullz, then they have a profile that they can use to be able to answer any verification questions.”
The IRS did not immediately respond to a request for comment.
The fraudsters don’t need to be sophisticated hackers to access the tax information. “They’re not even so much penetrating them, as they’re just using the service as intended and they’re masquerading as a legitimate user,” Heid explained. “So they’re filing the tax return as a normal person would file a tax return. It’s just not their information that they’re using, and it’s not the person’s bank account that it’s being paid out to. The fraud measures of certain tax places are easier to bypass than others. We’ll see some discussions on ‘cash out methodologies’ using certain vendors. That’s what they’ll call it. They’ll call it a cash out method. ‘I need a cash out method for H&R Block. I need a cash out method for TurboTax,’ etc.”
Heid doesn’t believe the hackers he is monitoring on the underground forums are the same scammers who are calling taxpayers pretending to be from the IRS and harassing them into making payments.
“It’s a little out of their modus operandi, and sometimes you can even find discussions where they’re talking about receiving those calls and how they messed with the scammer,” he said. “The guys on the hacking forums, their modus operandi is more along the lines of phishing, exploit kits, botnets and credit card fraud. The call center stuff is usually a different type of criminal mind.”
The New York State Department of Taxation and Finance warned Wednesday that the phone scammers are also targeting tax preparers this season, saying, “Recent scams are targeting the preparers via phone calls demanding client information. In these cases, scammers pretend to be from the IRS in hopes of gaining usernames and passwords to taxpayer accounts.”
The new security measures put in place by the IRS, the states and tax industry are still lagging behind the methods used by the criminals. “Think about it along the lines of credit card fraud,” said Heid. “For almost 25 or 30 years, credit cards didn’t have the little three-digit code on the back, but in the mid-2000s they put the three-digit codes on the back and thought that would eliminate credit card fraud. Now they’re putting chips in the credit cards. Well, it’s still going on. It’s all reactionary instead of analyzing the root cause.”