As the April 15 deadline to file taxes for fiscal year 2014 approaches, the persistent scourge of tax-refund fraud is a vexing issue that law enforcement entities, advocacy groups, and tax-related services companies have at the top of their agenda.
At the heart of the issue is a disturbing jumble of distressing dynamics. Identity thieves have gotten bolder and more creative at getting the desired details on individuals – typically Social Security number, address and a utility bill – to be able to file a fictitious tax return on their behalf.
At the same time, these groups are becoming more savvy, able in some cases to evade the added scrutiny of brick-and-mortar tax preparers by filing online, referred to as e-filing, so they can get more fake returns to the IRS more quickly, increasing their chances that some false filings will actually get processed and they will make a hefty payday.
As well, the IRS in most cases processes returns and sends checks for individuals before they have a chance to compare those figures with the companies that the filers appear to work for, which could more effectively uncover when returns don’t make sense.
The net result: the IRS is expected to incur tens of billions of dollars in losses annually in the coming years and duped individuals will lose out on thousands of dollars or more in desperately needed funds while opportunistic fraudsters and larger organized crime groups snare illicit income to fuel their nefarious networks.
Neal O’Farrell has fought cybercrime and identity theft around the world for more than thirty years.
He has collaborated with national governments, the intelligence community, financial institutions, and thousands of victims to found the non-profit Identity Theft Council, based in California.
In response to victim outcries, the advocacy group was created in 2010 to form a national network of regional partnerships to provide local and in-person support to victims, something that O’Farrell believes is in dire need.
“This national problem affects every consumer and it is all taxpayer money that is being funneled away,” he said.
“The best way to combat a conflict is slow down,” O’Farrell said. “Slow down before you create a weak password or click on a bad link. Slow everything down and it would give the IRS time to verify you’re the person you claim to be.”
In 2013, the IRS lost an estimated $5.8 billion to fraudulent refunds, according to the latest data available. The agency reported $24 billion worth of blocked attempts at claiming fraudulent refunds that same year.
While the agency is currently working to combat fraud this filing season, the IRS expects tax refund fraud to grow to an unprecedented $21 billion loss by 2016. Last month, a recent surge of fraudulent state tax refund claims fraudsters submitted through an online tax preparation site has caught the attention of the IRS.
Last week, the US Internal Revenue Service met with major tax preparation firms, payroll and tax refund processors and state tax administrators to discuss a troubling trend that has affected thousands of American taxpayers and cost the United States billions each year.
Criminals get past tax preparation services and tax agency controls
E-filing systems and tax preparation firms are confronting a problem that is part of the nature of their business – providing its customers a convenient, fast way to file their taxes while assuring that those services are secure and do not provide a channel for financial criminals.
Recently released government and private sector data on identity theft and tax fraud returns are proving that these systems are not sufficiently secure, creating a double jeopardy situation for clients who are at risk of getting their identity stolen and then having that information sold to commit other financial crimes.
For financial fraudsters, a social security number can be a golden ticket to committing identity theft.
A utility bill, similarly, can be exploited to create bank accounts and other channels to siphon and steal millions from vulnerable victims, who often are not even aware that they are being virtually mugged.
Experts say that a flawed tax-filing system and lack of coordination among the private sector and government agencies are among the many factors fueling identity theft and tax fraud.
Meeting with IRS, tax preparation firms, and tax administrators shows faults in verification, detection and prosecution
Agency commissioner John Koskinen addressed the issue at the March 19 meeting, announcing that the participants of the meeting would set up three working groups that will focus on taxpayer authentication, fraud schemes, and information sharing among the private industry, state administrators and the IRS.
State tax administrators and tax preparation firms mentioned the difficulty of coordinating their cybersecurity efforts with those of the IRS, citing a lack of effective communication in the meeting.
The government agency, which has been facing a slashed budget due to political battles on Capitol Hill, is struggling to take down a monster of a crime, which is increasingly easy to commit and to get away with, particularly behind safety and anonymity of their computers.
Over the past five years, the IRS has had its budget slashed by $1.2 billion. The agency estimated that $82 million in additional funds could prevent nearly $1 billion in identity-theft related losses by the year 2018.
A lack of resources to investigate and prosecute the crime are exacerbated by shortcomings in security for online preparation services that are failing to accurately verify the identities of their customers.
Filing a false return requires basic identification information that can be purloined by even the most amateur hackers and traditional mail-sifting ID thieves. A stolen name, date of birth and Social Security number can do a lot of damage, according to experts.
Another issue is that although the IRS accepts filings as soon as Jan. 1, the IRS often does not receive employers wage information until late spring, which makes it difficult to detect fraudulent claims.
Currently, the flaw is that the IRS doesn’t even begin checking employer submitted data with tax returns until the summer, long after refunds are issued.
Even if red flags are detected as the refund is requested, checks are still issued before the agency follows up on the suspicions.
IRS commissioner John Koskinen announced that a potential solution would be to delay refunds until the agency can reference W-2 information, or to speed up W-2 reporting from employers.
Taxpayers would apparently prefer to wait for their tax refunds if it meant increased security and prevention of fraud, according to a survey by H&R Block, a major tax preparation firm. To change the delivery of W-2 information to the IRS, Congress would have to act – but with the gridlock facing budgetary issues, an immediate resolution seems uncertain.
Although there have been allegations that tax preparation firms are complicit in tax refund fraud and get a cut from illicit profits made by fraudsters, the commissioner of the IRS dismissed this claim, citing that criminals usually have the preparation fee deducted from the refund.
Koskinen also said that the agency will try to improve security measures on pre-paid debit cards to issue refunds to taxpayers without bank accounts, which often provide an undetectable vehicle for fraudulently gained funds.
Financial institutions use KYC and CDD to prevent fraud before funds siphoned away
For criminals who are constantly looking for the path of least resistance, online tax filing systems prove to be an easy way to establish a fake identity and gain profit from it.
While the IRS has put some standards in place for tax preparation firms that urge customer due diligence, it is often difficult to authenticate that the person on the other side of the computer is who they say they are.
Debra Geister, manager at Navigator Consulting Group, LLC, and an expert in fraud patterns and organized crime rings, says financial institutions and law enforcement can do a better job at communicating to close these gaps in customer due diligence.
Working at Metabank, one of the largest prepaid card distributors in the US, Geister worked with the anti-money laundering/counter-financing of terrorism (AML/CFT) compliance department to detect fraud patterns through customer monitoring and transactional data, often detecting tax fraudster rings who would steal identities to file fake tax refunds.
“We saw that at-risk identities where people who were not necessarily focused on their tax refund, typically the elderly,” said Geister. “We would see an elderly person that lived in Vermont their whole life, and all of a sudden filed a tax return from Texas for $10,000. That’s completely out of character,” Geister said, pointing out that knowing-your-customer is key to detecting the red flags of identity theft.
Once the fraudster files the tax return, and the IRS to distribute the funds, the money is gone and it is virtually impossible for the victim to be given retribution. However, if banks and financial institutions can detect a fraudster before the funds are disbursed, they can file a SAR, or communicate directly with law enforcement, to make sure the funds do not leave the IRS.
Geister said that prepaid cards are not the problem – the issue is the way the cards are acquired, the customer due diligence process at the financial institution, and the way the funds are approved. From the financial institution’s perspective, they can prevent a fraud by not just establishing a valid identity, but also authenticating it with additional data.
“The first thing the bad guys are going to do is pull a credit report or public records to confirm the ID. You have to look at email, geolocation, IP addresses, even phones, which can tell you a lot about the risk profile of the customer,” Geister said.
With an effective and comprehensive know-your-customer strategy, financial institutions can actually be the key to stopping ID theft and subsequent tax fraud.
“Fraudsters have a lot of resources and run their operations like major corporations in some cases. We have to put the same level of effort in and keep up to understand what law enforcement is seeing, what the intel looks like, and how that manifests itself in the financial industry.”
IRS fighting an army of ID thieves and tax fraudsters in spite of lack of resources and program flaws
Currently, the Criminal Investigation (IRSCI) division of the IRS is in charge of detecting and investigating tax fraud and other financial fraud, including identity theft, under its Questionable Refund Program.
Other than dealing with identity theft intended for false tax returns, the program also handles employment tax cases, abusive return preparer schemes, and narcotics and money laundering investigations.
CI has four Scheme Development Centers across the US which strive to uncover refund fraud. After the evidence is collected and examined by CI, the prosecution of the crime is referred to the US Attorney’s Office, commonly under Title 18 U.S.C. §1028 .
The statute is usually paired with another violation that enhances the charges under tax, money laundering or conspiracy violations.
Richard Weber, the Chief of Criminal Investigation, said the IRS is making remarkable improvements in identifying Stolen Identity Refund Fraud, referred to by the agency as SIRF, by enhancing screening efforts to detect and prevent false claims from succeeding.
“The challenge is to identify the constantly changing techniques used by the ID thieves,” Weber said. “We monitor and identify changes in their modus operandi in order to detect and prevent emerging criminal schemes. Identifying the anonymous thieves utilizing taxpayer identities is becoming increasingly more difficult. To do this, we trace the source of the SIRF returns and follow the money and cyber trails back to the criminals. These investigative efforts allow us to pierce the ID Thieves anonymity and bring them to justice.”
IRS CI is also part of the Department of Justice Identity Theft Interagency Working Group, which works with other federal, state and local law enforcement agencies on joint investigative efforts involving identity theft. Weber said collaboration with the private sector has increased over the past few years, including working together with return preparation services and financial institutions.
“In order to eliminate SIRF, these efforts need to continue. In February, President Obama signed an order promoting private sector cybersecurity information sharing and called upon the Department of Homeland Security to establish information sharing and analysis organizations,” Weber said. To see a full Q and A with the Chief of IRS- CI, click here.
In fiscal year 2014, there were 1,063 identity theft investigations initiated by IRS CI, with 748 of those cases sentenced.
Although the prosecution rate is admirable, experts believe millions of individuals in the US are victims of identity theft, pointing to the size of the problem.
In 2013, there were almost two million suspected tax identity theft incidents, compared with about 440,000 in 2010, according to the Treasury Inspector General for Tax Administration.
Advocates for ID theft victims urge hand-in-hand collaboration between private and public sectors
The Identity Theft Council plans to persuade at least 100 cities across California and around the country to raise community awareness about identity theft and online safety in anticipation of the tax-filing deadline.
Educating the public about identity theft and ways they are more vulnerable to the crime is important, O’Farrell believes, though most of the work has to come from the government and private sector.
He believes that improving security measures on E-filing tax programs and IRS verification programs could prevent fraud from happening.
“To get a credit report, you have to answer at least four verification questions,” he said.
“These are Stone Age verification processes and the IRS still doesn’t have this in place. That only slows down the process for only a few seconds. If they slow down the speed, they can get the W-2 from employers and stop the fraud,” O’Farrell said.
One of the ways that the IRS can arm themselves with more modern, more effective weapons against tax fraud and identity theft is to collaborate more with the private sector, especially with the cybersecurity field.
“There are so many great minds in security,” O’Farrell said. “The IRS should bring in experts [who] can guide them.”
Although the agency has had budgetary cuts in recent years, O’Farrell said the problem is not the lack of money, but knowing how to use it in the correct way to address the growing epidemic of identity theft and subsequent tax fraud.
“Before they spend a dime on security and go down the wrong path with the wrong vendor, I think we need a new approach. Instead of spending right away, they should take the time to know how to spend it,” he said, noting that the IRS must be creative to stretch dollars to fulfill their core mission of collecting taxes, but also allocating dollars to frustrate fraudsters.