X

These hackers want to do your taxes, and take your refund too

You might hate doing your taxes, but with $5.8 billion to gain, criminals will gladly file them.

Alfred Ng Senior Reporter / CNET News
Alfred Ng was a senior reporter for CNET News. He was raised in Brooklyn and previously worked on the New York Daily News's social media and breaking news teams.
Alfred Ng
5 min read
Aaron Robinson/CNET
Watch this: US tax filing fraud on the rise

Tax season is also hacks season.

While more than half of Americans hate having to do their taxes every year, hackers online will gladly file taxes on your behalf -- as long as they can steal your tax refund, too. On the dark web, thieves can buy and sell personal financial information to file taxes using other people's names for as low as $40 in bitcoins. That can make for a hefty profit, as the average tax refund for this year is $2,900, IRS Commissioner John Koskinen said Thursday at a Senate Finance Committee hearing.

The tax deadline this year is April 18, but thieves looking to steal tax returns likely started as early as January, sending about 300 to 1,000 scams a week. If they don't file a fraudulent tax return before the real person does, the thief simply moves on to the next victim.

"The best thing, the only thing the consumer can do to protect themselves is to file very early," said Haywood Talcove, CEO of LexisNexis' government risk solutions unit.

taxhacker02.jpg

Hackers have stolen $3.8 billion from fraudulent tax returns, using information they dig up either on the dark web or through phishing.

Aaron Robinson/CNET

As of March 31, the IRS has received more than 93 million tax returns, and expects 152 million once tax season wraps up. While it's issued more than $213 billion in refunds, a growing percentage of that will end up going to hackers and thieves filing fraudulent returns. Phishing and email scams are netting millions of victims for tax refund fraud, yet another identity theft scheme people need to worry about in their inbox.

Phishing has become a powerful tool for hackers, in areas from the personal to the political, as in the case of the smoking gun behind the Russians hacking the 2016 presidential election. Hackers have been able to use stolen information in phished accounts to create fraudulent credit cards, causing nightmares for millions of Americans.

Criminals attempted to steal $30 billion through identity theft tax refund fraud in 2013, with the IRS losing $5.8 billion in fraudulent refunds, the agency reported. On April 6, IRS chief John Koskinen said hackers posed as up to 8,000 students using a financial aid tool and cost the government $30 million. And the schemes are only getting more sophisticated.

An IBM Security Report found that between December 2016 and February 2017, tax-themed spam emails looking to phish accounts and steal sensitive information skyrocketed by 6,000 percent. From January to April, cybercriminals start flooding inboxes with scams like fake IRS emails and with viruses disguised as legitimate tax filing software like TurboTax. Intuit didn't respond to requests for comment.

Some emails can come claiming that your tax refund has been processed -- and of course you're getting a fortune -- then prompt you to open an attached document loaded with malware. Once your financial information is stolen, it usually ends up on the black market online, selling for cheap.

taxes.jpg

Financial information on sale on the dark web can go for as low as $40.

IBM Security Report

On the dark web, a thief could buy a stolen Social Security number, W-2 and W-9 forms, driver's license number, name, address and payment card information for less than the cost of a mouse from Apple. In black market slang, these packages are called "fullz," because it's the full information a thief needs to file taxes on your behalf and reap the reward of your tax refund.

The price can drop to as low as $15 a record if you decide to buy in bulk, from 60 to 100 datasets, according to IBM's report. Lessons on how to pull off these schemes are also available for just $3.

The IRS has been warning companies, schools, hospitals and restaurants about a new scam, in which thieves use spoofed emails to target human resources departments, pretending to be a higher-up asking for all employees' W-2 wage forms. If the trick works, hundreds of financial documents could be stolen without the victims personally falling for it. The money typically ends up being deposited in a dummy bank account or a check mailed to a phony address.

"This is one of the most dangerous email phishing scams we've seen in a long time," IRS Commissioner John Koskinen said in a statement.

tax2.jpg

An email pretending to be from the IRS, meant to steal your financial information.

IBM Security Report

Tax refund fraud has become a growing issue thanks to massive profits, ease of gathering information, and the slim chances of being caught, Talcove said. He estimated that about 70 people were caught in 2016, mostly amateur hackers looking for personal profit, not the majority working behind international criminal organizations.

"If you're getting ... $3,000 a check, tax-free, and you're making $1 million a year, it's a piece of cake," Talcove said. "It is one of the best frauds ever."

LexisNexis Risk Solutions works with government agencies in 15 states, including Alabama and Missouri, along with Washington, DC. Every tax season, the company receives about 25 million to 30 million tax refund requests. It sifts them all through its algorithms, separating the returns as legitimate, suspicious or fraudulent.

It then returns them in those three categories to the states' agencies, where auditors determine who to send tax refunds to. In Alabama, the program has prevented the state from paying out $15 million in fake tax refunds, Department of Revenue Commissioner Julie Magee said.

Alabama has turned to high-tech solutions to take on tax fraudsters. On Tuesday, the state launched an app in partnership with MorphoTrust USA, the company behind 80 percent of the nation's driver's licenses.

State residents who opt in to the electronic ID program register by scanning their driver's license and taking a selfie. The app then takes the barcode from the back of the driver's license, along with the picture, to compare with your photo in Alabama's driver's license database, and uses facial recognition to match all three.

While hackers may be able to sell your driver's license information and tax documents, they can't steal your selfie in the moment, said Mark DiFraia, MorphoTrust USA's senior director for Solution Strategies. The company focused on "liveness detection" with the selfies, asking people to provide movement to make sure someone isn't just holding up a photo.

When a tax return is filed for an Alabama resident enrolled in the program, the Department of Revenue will send a notification through the app asking them to confirm the filing with another selfie.

"People are used to taking selfies, and it's something they're far more comfortable with doing," DiFraia said.

Magee said Alabama's efforts to curb tax refund fraud have prevented some jarring gaffes.

"It's been very effective, the [return on investment] is amazing," she said.

Once, Talcove had to call an agency and let it know that it had sent a tax refund to a long-deceased Elvis Presley. His unit has also seen Mickey Mouses and Betty Davises slip by.

"The problem is, the rewards for the criminals are so high that they're going to continue to evolve," Talcove said.

First published April 11, 5 a.m. PT.
Correction, 6:41 a.m. PT: Haywood Talcove's title has been corrected.
Update, 1:25 p.m. PT: Added Alabama's rollout of eID.

Tech Enabled: CNET chronicles tech's role in providing new kinds of accessibility.

Special Reports: CNET's in-depth features in one place.