Menu
Tax Notes logo

IRS Refund Fraud Progress May Be Undermined by Database Thefts

Posted on Jan. 29, 2020

The IRS has made great strides in reducing incidents of stolen identity refund fraud, but its efforts may be undercut by breaches at unsecured private databases and by a new wave of identity theft schemes.

“The IRS has progressed leaps and bounds in their processes” to detect tax-related identity theft, compared with several years ago, said Eva Velasquez, president and CEO of the Identity Theft Resource Center (ITRC). The ITRC released its 2019 End-of-Year Data Breach Report January 28.

The Treasury Inspector General for Tax Administration report on the 2019 filing season, released January 27, showed 58,061 fraudulent returns identified in 2019, compared with 175,106 in 2017; the IRS stopped $321 million in fraudulent refunds in 2019, compared with $1.83 billion in 2017.

“The IRS put a lot of resources into closing that [e-file] door,” using fraud analytics, improved detection processes, and public outreach to combat refund fraud, Velasquez told Tax Notes.

While the tax agency deserves praise for its efforts, it also needs to remain vigilant against the ever-evolving criminal threat, Velasquez said. More needs to be done, especially in educating taxpayers about the risks and encouraging them to respond proactively, she added. “I think the worst thing we could say is ‘mission accomplished’ and we’re done here,” she said.

Leveraging Information

The IRS’s progress may be undermined by data breaches at government agencies, healthcare providers, banks, and other financial institutions that warehouse unsecured or undersecured personal identifying information (PII), Velasquez said. Those breaches expose sensitive and nonsensitive PII that can be used to steal tax refunds or to get more complete information about a taxpayer, she said.

The ITRC report cataloged 1,473 publicly reported data breaches last year, up 17 percent from the 1,257 breaches reported throughout 2018.

The ITRC, a San Diego-based nonprofit offering consumers free help with identity theft issues, has been fielding fewer complaints from taxpayers about a lack of assistance from the IRS, Velasquez added.

While the tax agency wasn’t listed among the breached entities cataloged in the ITRC report, more than a dozen tax businesses were. H&R Block, TaxAct, and Drake Software, among others, reported suspect activity; so did Walmart, Apple, Duke University, and the Carlyle Group. Capital One bank alone was responsible for 99 percent of the 100 million sensitive PII records exposed by the entire banking industry in 2019, the ITRC report said.

One tax business disagreed with its designation on the breach list. Jami Gibson, vice president of internal operations at Drake Software, said her company learned that one employee, and perhaps as many as three, may have fallen for a phishing scam in early 2019.

Drake hired a third-party investigator who determined that no PII had been breached, Gibson said. Meanwhile, Drake notified its software users potentially at risk of exposure and initiated other security-enhancing measures, she added.

New Threats

Identity thieves are making new strides in breaching unsecured public databases, according to the ITRC report.

Cloud service providers may allow users to upload databases, applications, and other software, but leave the users to install their own security protocols. In 2019 First American Financial reported that 885 million records were exposed through an unsecured database breach, the ITRC report said.

“The increasing number of databases with no default security indicates cloud providers should force customers to install minimum levels of security to prevent accidental exposure,” the report advised.

The ITRC also documented an increase in “credential stuffing” by thieves leveraging partial information to complete profiles of their identity theft targets, Velasquez explained.

“It is a misconception that only financial information like payment card numbers or bank accounts has monetary value to data thieves,” the ITRC report said. “The theft of email addresses and passwords from businesses of all sizes fuels credential stuffing attacks where criminals use automated systems to attempt to access accounts at a business using the stolen information.”

One noted victim of a credential stuffing attack, according to the ITRC: Intuit, the maker of TurboTax software.

Rick Heineman, vice president of corporate communications at Intuit, said, “If Intuit fraud detection discovers what it believes may be unauthorized access to a customer’s accounts as a result of fraudulent account log-ins, we take immediate action including steps to secure our customers’ accounts and information.”

“As Account Takeovers are not data breaches but utilize legitimate log-in credentials that may have been obtained from any number of non-Intuit sources, we remind our customers regularly of security best practices, including those listed on the Intuit Online Security Center,” Heineman said.

Copy RID