Fraudulent tax returns are nothing new. Last year, the Alabama Department of Public Health was the victim of a data breach that led to the filing of fraudulent tax returns. The information compromised in this breach – which included names, birthdates, and Social Security numbers – was used in these fake tax return filings.
In October 2013, two nurses’ aides from Sentara Healthcare in Virginia accessed thousands of Electronic Health Records, stealing information from about 200 patients so they could file fraudulent tax claims. The nurses were caught, fired from their positions within the company, and charged for their crimes.
In the case with the nursing aides, they were able to use their privileged access to obtain patient records. That sounds like the easiest way to access this information, but how do other criminals go about this?
“There are two parts to the problem that I see,” said Sol Cates, CSO of Vormetric. “So there is the I have to get the source of the information. So if I want to file a tax return on behalf of somebody else, I would have to have a lot of information about them, right? A lot of that information is really easy to get. There is a black market that services that really well. So there is all this information out there already, and criminals can easily find it and benefit from it.”
“The second problem is actually detecting the fraud. So now that they have that information, they are going to try and find some way to leverage it. In tax fraud cases, what they are doing is submitting tax returns on behalf of those individuals, and they are trying to do it as early as possible before the real person can get their tax return in. How they are actually benefiting from it, I haven’t actually seen enough details on how they are actually transactionally getting cash back out, but my guess would be that they are somehow trying to find a way to do this digitally. They are going back to single-use accounts and those loaded prepaid cards and they are using those or finding a way to leverage those and sell them back out. So they are trying to find a way to get that tax return revenue into an account that they can leverage as soon as possible.”
The Problems with Detection
So criminals are able to obtain this information pretty easily. Is there anything in place to detect these fraudulent claims? It appears that Intuit and the Utah State Tax Commission were able to detect the fraudulent tax returns early enough to mitigate the damage.
“The detection part is the tricky part,” Cates said. “How do you determine somebody’s legitimate tax return versus fraudulent? I find that interesting, I don’t know the answer as to how one determines that other than trying to find behaviors that are outside of what somebody typically does. In tax season, it is only a once a year transaction usually for folks, so you don’t have people learning about an individual’s behavior – where do they file their taxes, where do they do it from, does a third party do it on their behalf, those types of things. I think it is very hard for organizations to find that fraudulent activity.”
Protecting Yourself and Your Data
A lot of the advice we hear from experts has to do with how a user interacts with their computer. In a recent interview with Tripwire’s Security Analyst Ken Westin, I asked him what is the one thing hackers are looking to exploit or target. His answer was, “People. People are the weakest link.”
If we are the “weakest link” in security, what can we do to protect our identities and data when it comes to tax time? One expert talked about what we throw in the trash and the information we put on our computers.
“There is so much information that gets sent to us from banks and financial institutions trying to peddle us credit cards or other offers,” said Ethan Wall, social media law professor and attorney and the creator of Social Media Law and Order. “We crumple these up, we tear them up, we toss them and we think it is going to go safely into some garbage truck or incinerator and be gone forever. But, there is a reason why hackers are still in business because we are leaving a very lucrative trail of our data online and in person. We have to be extra careful when we are throwing away mail that we have received.”
Wall said paying attention to the public computers you are logging into and deleting your browser data on these computers is also important.
“Even more importantly, we must be careful every time we throw away some type of electronic device that has some sort of personal information on it. It’s an old laptop, an old PC, that iPhone you have broken the screen on for the ninth time. When we throw this stuff away, there is so much data on there that if it gets in the hands of someone else it can cause a huge issue for us. We have to make sure we are very careful of what we throw away, and make sure we don’t throw away our identity in the process.”
The IRS also provides an Identity Protection Personal Identification Number (IP PIN). The IRS website describes the IP PIN as “a six-digit number assigned to eligible taxpayers that helps prevent the misuse of your Social Security number on fraudulent federal income tax returns.”