Krebs on Security writes: Jan. 31 marked the start of the 2014 tax filing season, and if you haven’t yet started working on your returns, here’s another reason to get motivated: Tax fraudsters and identity thieves may very well beat you to it.
According to a 2013 report from the Treasury Inspector General’s office, the U.S. Internal Revenue Service (IRS) issued nearly $4 billion in bogus tax refunds in 2012. The money largely was sent to people who stole Social Security numbers and other information on U.S. citizens, and then filed fraudulent tax returns on those individuals claiming a large refund but at a different address.
There are countless shops in the cybercrime underground selling data that is especially useful for scammers engaged in tax return fraud. Typically, these shops will identify their wares as “fullz,” which include a consumer’s first name, last name, middle name, email address (and in some cases email password) physical address, phone number, date of birth, and Social Security number.
This underground shop sells consumer identity data, catering to tax return fraud.
The shop pictured above, for example, caters to tax fraudsters, as evidenced by its advice to customers of the service, which can be used to find information that might help scammers establish lines of credit (PayPal accounts, credit cards) in someone else’s name:
“You can use on paypal credit, prepaid cards etc. After buying try to search by address and u can see children, wife and all people at this address,” the fraud shop explains, advising customers on ways to find the names and additional information on the taxpayer’s children (because more dependents mean greater tax deductions and higher refunds): “It’s great for tax return method, because u can get $$$ for ‘your’ children.”
This particular service is not unique; it currently offers fullz information on more than 13,000 U.S. citizens. As such it is just an example, and a small one at that; in 2011, I wrote about a similar “fullz” service called Superget.info, which sold information on hundreds of thousands of Americans — if not millions. In October 2013, I reported that this same Superget.info service actually bought its information from a company that was purchased by Experian, one of the three major credit bureaus.
If you become the victim of identity theft outside of the tax system or believe you may be at risk due to a lost/stolen purse or wallet, questionable credit card activity or credit report, etc., you are encouraged to contact the IRS at the Identity Protection Specialized Unit, toll-free at 1-800-908-4490 so that the IRS can take steps to further secure your account.
That process is likely to involve the use of taxpayer-specific PINs for people that have had issues with identity theft. If approved, the PIN is required on any tax return filed for that consumer before a return can be accepted. To start the process of applying for a tax return PIN from the IRS, check out the steps at this link. You will almost certainly need to file an IRS form 14039 (PDF), and provide scanned or photocopied records, such a drivers license or passport.
The Federal Trade Commission recently held a Tax Identity Theft Awareness Week to raise public awareness on this issue. Check out the FTC’s homepage on this for additional resources and information about this increasingly common form of fraud.
This underground shop sells consumer identity data, catering to tax return fraud.
It should be extraordinarily easy for the IRS to compare signatures from several years electronically and bounce the return if there’s no match. Similarly data mining can compare the address for the refund with the address on the W-2, 1099s etc. Any discrepancies cause a reject. Direct deposit bank account submissions can be equally easy to validate.
I fail to see why the IRS can’t put in simple checks to safeguard both the process and the public.
It does not really matter which company is neglecting security; as long as they are not liable for the results, there will be very little monies spent for security.
People move. Electronic returns are demanded by the public, yet not possible to sign- and since the TinFoilHat crowd thinks it’s t”ZOMG TEH MARK OF TEH BEAST!!”, you can’t even have a cryptographic national ID card which would enable a high degree of certainty as to the filer’s identity.
I carry my Medicare care with me because of doctors’ visits and frequent trips to the ER.