Identity theft tax refund fraud

The U.S. Internal Revenue Service calls the scam its No. 1 fraud. Identity thieves are using stolen personally identifiable information to file victims’ tax returns and then receive their refunds. Here’s how they do it and ways to combat and prevent it.

Katie Winston, who held an MBA degree from Harvard University, was a very successful broker for a large firm on Wall Street. With tax time approaching, she gave her records and receipts to her longtime tax specialist to ensure she would comply with the income tax code when she filed her return.

Normally, she would receive a refund. But this time the Internal Revenue Service (IRS) sent her a notice stating that “More than one tax return for you was filed” and informing her that it had already issued a refund check in her name. After she spoke with her tax professional and an IRS agent, she realized that she was the victim of an identity theft tax refund scam.

ANATOMY OF SCAM

Kate’s tale of woe is fictitious, but it’s indicative of an alarming problem. J. Russell George, U.S. treasury inspector general for tax administration, said that tax refund identity theft is a “growing epidemic,” according to a Nov. 7, 2013, Reuters article. George said that more Americans’ identities were stolen in tax refund crimes in the first six months of 2013 than in all of 2012. (See “Tax refund ID theft is growing ‘epidemic’: U.S. IRS watchdog,” by Patrick Temple-West.)

The IRS ranked identity theft tax refund fraud as its No. 1 scam last year. (See “IRS Releases the Dirty Dozen Tax Scams for 2013.”)

According to the IRS document, “Taxpayer Guide to Identity Theft,” an identity theft tax refund scam “occurs when someone uses your personal [identifying] information [PII] such as your name, Social Security number [SSN] or other identifying information, without your permission, to commit fraud or other crimes.” The scam usually occurs when “an identity thief uses a legitimate taxpayer’s identity to file a fraudulent tax return and claim a refund. Generally, the identity thief will use a stolen SSN to file a forged tax return and attempt to get a fraudulent refund early in the filing season.” By filing the fraudulent tax return early, of course, the identity thief usually receives the refund before the victim sends his or her tax return, and the IRS processes it.

Thanks to paperless e-filing, this scam is easier to pull off than ever before. Thieves can simply make up phony wages or other income, submit the information electronically and receive the fraudulent refund via mail or direct deposit within a month. Of course, the IRS keeps records of earned wages and other types of taxable income reported by taxpayers’ employers and other organizations. However, the IRS doesn’t match these records to information submitted electronically by identity thieves until several months after it issues refund checks. By the time the IRS tells the victim that it has received another tax form in his or her name, the thief has cashed the refund check and is long gone with the money. The identity thief wins, and the U.S. Treasury and the victimized taxpayer are the losers.

CONSEQUENCES FOR VICTIMS
 
What will happen if a fraudster uses your PII to commit this crime? Well, to begin with, you probably won’t receive your tax refund within the normal time period. (See “Identity theft and the IRS, or, Who got my refund?” by Linda Stern, Reuters, March 13, 2013.) You’ll first need to go through the process of confirming your identity with the IRS to collect your refund.

According to a Nov. 7, 2013, report by the Treasury Inspector General for Tax Administration (TIGTA), the IRS took an average of 312 days to resolve tax-related theft cases closed between August 2011 and July 2012. The report shows that the government was still losing $3.6 billion a year in potentially fraudulent tax refunds. That’s down from the $5.2 billion in potentially fraudulent refunds that the IRS issued in 2011.

In conjunction with the release of the TIGTA reports, Sen. Bill Nelson, D-Fla., renewed his “call for an increased government crackdown on identity thieves who use someone else’s name to steal their tax refunds.” Nelson re-filed his legislation, the Identity Theft and Tax Fraud Prevention Act of 2013 (S. 676) in April 2013, which would toughen criminal penalties for ID thieves who file fake refunds under someone else’s name. It would also require the IRS to get legitimate taxpayers the refunds they’re due within 90 days. That would certainly provide some relief to financially strapped victims.

“While these reports show that some progress is being made in reducing tax fraud, it’s also clear that there is still much to be done and there are still a number of improvements that need to be made to protect both taxpayers and the U.S. Treasury,” Nelson wrote in a Nov. 7, 2013, letter to Sen. Max Baucus, D-Mont., chairman of the Senate Finance Committee encouraging him to prioritize Nelson’s bill.

Don’t get your hopes up because, as we will explain later, this process will most likely take a long, long time. (As of press time, govtrack.us predicted Nelson’s bill had a zero percent chance of Congress enacting it.)

This scam’s consequences don’t end when you travel through the process of confirming your identity with the IRS and receive your refund. After all, someone has stolen your identity and your PII is good for more than just filling out a tax form. Identity thieves may also use it to obtain credit/debit cards in your name, take out loans or mortgages, get jobs or even declare bankruptcy. 

The odds are very high that an identity thief won’t pay off any debts they incur in your name, which will leave you holding the bag while the fraudster skips off into the sunset with his (your!) loot — free and clear. He can destroy your credit rating and make it difficult or impossible for you to negotiate the economic seas. You’ll spend hours and hours clearing your record and lots of cash if you need to hire an attorney to help. 

FINANCIAL IMPACT OF THE SCAM

For the tax return processing year of 2011 (per the tax year 2010 tax returns), the IRS reported 938,664 cases of identity theft tax refund fraud, with approximately $6.5 billion in fraudulent tax refunds issued. In TIGTA’s analysis of the same data, the agency estimated that approximately 1.5 million additional individual tax returns filed in 2011 met the characteristics of confirmed IRS identity theft cases, and these returns accounted for additional losses estimated to be more than $5.2 billion. The TIGTA projected that tax identity theft fraud will account for losses of approximately $21 billion over the next five years. (See the July 19, 2012, TIGTA report.)

TIGTA’s projection appears to have some validity because the IRS mailed out $4 billion in refund checks to identity thieves in 2013, which represents 1.6 million victims identified through June 1, 2013, according to the TIGTA. In 2012, the IRS issued 1.1 million refunds to people using stolen SSNs, which resulted in fraudulent tax refunds of $3.6 billion. This compares to 2011 when the IRS issued $5.2 billion in refunds to people who stole SSNs. In addition, according to a Sept. 20, 2013, TIGTA report, the IRS issued 141,000 refunds totaling $385 million in 2012 to people using stolen taxpayer identification numbers, which foreign citizens, who earn money in the U.S., typically use. 

In its study of the 1.5 million additional tax returns noted above for the 2011 tax- processing year, the TIGTA identified five addresses that accounted for 4,864 fraudulent tax returns and $8,104,493 in tax refunds. One address was located in Lansing, Mich., where there were 2,137 fraudulent tax returns representing $3,316,051 in refunds and the others in Chicago, Ill., (765 and $903,084), Belle Glade, Fla., (741 and $1,104,897), Orlando, Fla., (703 and $1,088,691) and Tampa, Fla. (518 and $1,791,770).

In the same study for the 2011 tax processing year, the TIGIA also identified the top five cities from where a total of 239,631 potentially fraudulent tax returns were filed, accounting for $972,408,700 in fraudulent tax refunds. The cities included: Tampa, Fla., with 88,724 tax returns and $468,382,079 in fraudulent refunds; Miami, Fla., (74,496 and $280,509,449); Atlanta, Ga., (29,787 and $77,113,392); Detroit, Mich., (23,870 and $74,313,933) and Houston, Texas (22,754 and $772,089,847). (Florida cities are a big target for identity thieves because of the relatively larger population of elderly people in that state.)

In addition, the IRS sent a total of 655 tax refunds to a single address in Lithuania, and 343 refunds went to a lone address in Shanghai, according to the ITGTA report for the 2011 tax-processing year.

Also included in the TIGTA study noted above were categories for the types of individuals whose identities appear to have been stolen, including individuals who weren’t normally required to file a tax return. These categories accounted for 1,492,215 tax returns with estimated refund losses totaling $5,221,018,184.

The five categories included the deceased with 104,950 fraudulent tax returns and $415,047,568 in refunds, followed by the elderly (76,388 and $374,419,730), citizens of U.S. possessions (76,338 and $374,419,730), students, ages 16 to 20 (252,288 and $695,043,022), children under the age of 14 (2,274 and $3,960,327), and those whose income level doesn’t require tax return filing (952,612 and $3,345,064,109). It’s obvious from these stats that the elderly, students and young children are easy identity theft targets because many of them don’t meet the income requirements to file a federal tax return.

According to the 2013 TIGTA report cited above “the IRS continues to increase its efforts to identify and prevent fraudulent tax refunds from being issued as a result of identity theft.” The report mentions that during 2012, the IRS prevented the issuance of $20 billion of fraudulent refunds, including $8 billion related to identity theft, compared with $14 billion in 2011. The IRS says it stopped more than $12 billion in fraudulent refunds from going to identity thieves in 2013. Hopefully the IRS’ efforts will result in even better future results.

SOURCES OF PII FOR IDENTITY THIEVES

Identity thieves, to pull off this scam, must first steal PII from individual taxpayers using such methods as malware, phishing schemes and data breaches.

Malware 
Identity thieves have a long history of planting malware in email messages and on websites to rob victims of their financial resources. When victims click links on contaminated emails or websites, they download malware programs that are embedded in computer browsers and search for vulnerabilities in software programs. Victims lose such PII as contact lists, SSNs and financial account numbers plus a host of other personal information that victims might store on their computers. Loss of a SSN can lead to a fraudulent tax refund. Also, fraudsters commonly use embedded malware to transfer funds out of a victims’ bank accounts when they use infected computers to transact business.

Phishing schemes
When phishing schemes are successful, identity thieves trick unsuspecting taxpayers into providing the PII after clicking on a link in unsolicited email messages.

The first example to the right features the IRS seal in the banner and is formatted in that annoying font that sometimes appears in government documents. However, the IRS will never send unsolicited emails to taxpayers nor proactively calculate taxpayers’ refunds and send them notices claiming they’re entitled to tax refunds before they’ve filed their returns. [Image no longer available. —Ed.]

The IRS’ “Taxpayer Guide to Identity Theft” states that “the IRS does not initiate contact with taxpayers by email to request personal or financial information. This includes any type of electronic communication, such as text messages and social media channels.” The IRS only contacts taxpayers via snail mail.

The second example below was sent to one of the authors, Robert Holtfreter, on Oct. 27, 2013. It lacks a fake banner, but nevertheless it’s fraudulent in every detail. Notice the misspellings, use of foreign currency symbols and the “uk” in the fake web address — all additional red flags. [Image no longer available. —Ed.]

Data breaches
Authors Holtfreter and Harrington, when conducting a factor analysis of 2,278 data breaches compiled by the Privacy Rights Clearing House from 2005 through 2010, identified four internal and four external data breach causal factors that resulted in the compromise of hundreds of millions of records containing PII, many of which were tax related. (See “Analysis Shows Entities Lack Strong Data Protection Programs,” Fraud Magazine, Jan./Feb. 2012). Following are descriptions of the causal factors with related cases in which compromised tax information was used or could potentially have been used for identity theft tax refund purposes. All of the cases are included in the Privacy Rights Clearinghouse Chronology of Data Breaches.

1. Internal — improper protection or disposal of data
On June 12, 2010, “personal information from Municipal Hall was found in a public dumpster. The information was not shredded and included police reports, Social Security numbers, home addresses, telephone numbers, names, and tax records. The improper disposal of information continued after the first dumpster discovery.” Scam artists commonly use dumpster diving to obtain improperly disposed PII. In this case, if it had fallen in the wrong hands, it could easily have been used in tax refund scams.

2. Internal — theft of data by a current or former employee with absolute or high probability of fraudulent intent
Dishonest employees can use welfare beneficiary information to file for tax refunds. In one case, an “employee was caught and charged with 11 counts of identity theft and 11 counts of making false claims to the United States.” On Feb. 11, 2011, he pleaded guilty to two counts of filing false claims against the U.S. 

3. Internal — theft of data by a current or former employee with low or no probability of fraudulent intent
Sometimes burglars, for example, steal the contents of homes that include electronic devices; they may or may not be intending to use PII on devices for fraudulent tax refunds or other uses. In one case, a home was burglarized on the evening of July 25, 2010. Thieves stole a laptop with names, SSNs, tax identification numbers and other PII from the victim’s family law clients. Authorities couldn’t determine if the thief was just stealing the laptop or was more interested in using or selling the PII or both. Regardless, the theft of the laptop would provide the opportunity for a thief to process the PII for a fraudulent tax refund.

4. Internal — hacking or unauthorized intrusion of a network by a current/former employee
Crooked employees (past or present) can drain company databases of names and SSNs and use the information to file false tax returns. On May 1, 2009, a dishonest employee accessed the Electronic Data System’s database of names and SSNs of student loan borrowers. The former employee then used the information to file false tax returns in 2009.

5. Internal — loss of data
A loss of PII is common within organizations. Negligent employees can lose data tapes or laptops, for example, containing PII of other staffers and vendors. On Sept. 3, 2008, on a trip by employees from the Albany headquarters of a New York-based construction organization to its data center in New York City, employees discovered that five tapes had fallen out of a yellow mailing envelope. The tapes contained personal private or sensitive information of more than 600 employees and approximately 3,000 vendors. SSNs and tax ID numbers were compromised.

6. External — partner/third party theft or loss of data by improper exposure or disposal
Third parties, such as auditors and other vendors, also can, for example, carelessly leave their laptops, containing clients’ juicy PII, in cars or in restaurants and bars. On April 6, 2009, a bank’s auditor notified the bank that it might have been the target of a potential security breach. Two laptops belonging to the bank’s auditors were stolen from a car in a restaurant parking lot on Oct. 12 of that year. One laptop contained the names, Social Security or tax identification numbers, addresses and account numbers of clients from a November 2005 confirmation trial.

7. External — theft of data by a non-employee with absolute or high probability of fraudulent intent
Identity thieves can steal, for example, tax records from preparers that they can sell on the market. On Nov. 4, 2012, eight cabinets full of tax records were stolen from a residence. The records, which belonged to a deceased tax preparer, went back to at least five years. Apparently, the thief or thieves were looking for information that could be used to commit identity theft.

8. External — theft of data by a non-employee with low or no probability of fraudulent intent
For example, non-employees might steal the contents of cars, which could include organizations’ laptops containing employee tax records and PII. On Dec. 29, 2011, a university-issued laptop was stolen from an employee’s car. The university used the laptop to process 2010 tax records for employees, students and others who would receive 2010 W-2s. The information included names, SSNs, salary information and addresses. It appears that the main purpose of the theft was to steal the laptop, not the tax-related PII. However, an aware thief could sell the PII to other thieves who could use it for identity-theft, tax-refund purposes.
 
9. External hacking by a non-employee
On May 16, 2008, hackers gained access to organization computers containing personal income tax data and PII, including SNNs, names, and addresses. Information belonging to faculty members, students and vendors was compromised. External hacking is a common ploy of thieves to obtain PII, including tax-related information. According to the Holtfreter and Harrington study, it accounted for 21.9 percent of all the data breaches and an amazing 61.6 percent of all the records that were compromised records from 2005 through 2012.   

In the May/June issue: Part 2 of two parts describes how the Internal Revenue Service is combatting this problem and ways we can all fight this scourge.

Robert E. Holtfreter, Ph.D., CFE, CICA, is distinguished professor of accounting and research at Central Washington University and the identity theft prevention and detection analyst for the Fraud Magazine. 

Tiffany McLeod, a former student in Robert Holtfreter’s Fraud Examination course, received a 2011 Bachelor’s in Accounting and a 2013 Bachelor’s in English at Central Washington University.

Adrian Harrington, a former student in Robert Holtfreter’s Fraud Examination course, received a Bachelor’s in Economics from Central Washington University in 2011.

The Association of Certified Fraud Examiners assumes sole copyright of any article published on www.Fraud-Magazine.com or ACFE.com. Permission of the publisher is required before an article can be copied or reproduced.