FBI probes for source of fraudulent TurboTax filing spike

The FBI is looking into the spike in fraudulent tax returns filed using Intuit's TurboTax tax preparation software.

The Federal Bureau of Investigation (FBI) is looking into the cause of a spike in fraudulent tax returns filed using Intuit's TurboTax tax preparation software, according to a report by the Wall Street Journal.

Citing an unnamed source, the newspaper yesterday (subscription required) said that the FBI had started an investigation to determine whether the fake returns were generated from information acquired through a data breach, perhaps from Intuit, or whether the returns were created using information obtained elsewhere.

Last week, Intuit suspended transmission of state tax returns for about 24 hours after numerous state collection agencies reported higher-than-usual numbers of phony filings.

At the time, Intuit said it believed the fraud did not stem from a security breach of its network, and that the information used by criminals was obtained elsewhere. The company did not reply to questions today.

The FBI's probe is meant to determine whether that's true.

TurboTax users have reported fraudulent federal as well as state returns, but not surprisingly have no idea how the fraudsters obtained the information necessary to mimic them.

"This year someone has already filed taxes on my wife's SSN [Social Security number] so I can't e-file," wrote someone identified as "cssmith17" on Intuit's support discussion forum.

"IRS [Internal Revenue Service] rejected my 2014 filing due to same reason, only mine is because they are saying my son (dependent) has already filed," reported "designvegas" on Sunday. "He is disabled. Please be aware of fraud on federal taxes as well."

The Utah State Tax Commission, like up to 18 other states' collection agencies, has seen a significant increase in fraudulent tax returns so far this year, with some uncovered only when taxpayers reported that a return had already been filed in their name.

Utah's fraudulent return rate is "a lot higher" this year than in the past, said a commission spokesman today, declining to share numbers. "We know that criminals are getting the information somehow, whether from the software vendor or the Internet," the spokesman said, but he wasn't able to specify the source. He said that the commission's network had not been breached.

Tax fraud is a huge problem: The IRS estimated that it paid out $5.2 billion in identity-theft-related refunds last year, but also claimed it had stymied attempts to grab another $24.2 billion.

"I'm glad it's finally coming to the forefront," said Avivah Litan of Gartner, pointing to the IRS's admission but betting that the number is likely much higher than the agency's estimate. "They're taking it seriously [because] the amount of money stolen from consumers through fraudulent returns dwarfs that from credit card fraud."

Some taxpayers spend years trying to get what's owed them after a fraudulent return has been filed, said Litan, Gartner's resident fraud expert. "And some people need that money immediately," she added.

Well-organized criminal groups mine a wide variety of sources to assemble identity-theft profiles, then sell those collections to others who generate fake tax returns. "The kind of data needed to fake a return is the kind of data stolen from Anthem," Litan said, referring to the recent breach acknowledged by one of the U.S.'s largest health insurers.

Anthem, which has 37.5 million subscribers to its health plans, is better known by the names of its affiliates, such as Blue Cross Blue Shield and Amerigroup.

"The bad guys go anywhere they can to get this data," said Litan. Prime sources include credit bureaus -- a subsidiary of credit-monitoring company Experian was hacked last year, with 200 million personal records stolen -- interceptions of mobile app log-ons, and classic phishing attacks, where consumers are duped into giving up usernames and passwords after receiving clever emails.

In fact, Intuit has posted six phishing alerts on its security page in the last three days, almost as many as for the year as a whole through Feb. 6.

Fraudsters who purchase identity portfolios, said Litan, often automate the return-generation process, spewing out huge numbers of fakes that simply overwhelm unprepared tax collection agencies. South Carolina, for example, has reportedly isolated 96,000 returns filed through TurboTax. Last Friday, the South Carolina Department of Revenue said it was reviewing a "significant number" of 2014 returns, asserted that its network had not been hacked, and blamed "issues related to third-party commercial tax preparation software."

But in 2012, the same department announced that 3.9 million tax returns had been exposed after a breach.

Fraud detection systems, which the IRS and states use to quarantine potentially-fake returns, aren't sufficient to stamp out the problem, said Litan. "They use big data analytics from companies such as SAP and Palantir," she said. Intuit has brought in the latter to analyze fraud activity. "But they're all post-mortem, in that they're looking after the fact."

Those detection systems are used to create block lists to stop future fraud, Litan added.

"Tax agencies need a layered approach," she said. "They need more ID proofing, they need to get away from static information, which has all been compromised, and toward behavioral and contextual information."

Monitoring the geographic location of the taxpayer's log-in would be an example of dynamic ID proofing, Litan said, if tax collection agencies compared this year's locale to that of previous e-filed returns.

"But the criminals are getting better and better," she warned. "They're putting as much as they can together on as many people as they can."
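The locale comparison Litan describes, checking this year's log-in location against those of previous e-filed returns, can be sketched as follows. This is an added example, not code from the article, Intuit or any tax agency; the record fields, the 500 km threshold, the decision labels and the sample filings are all constructed assumptions.

```python
import math
from dataclasses import dataclass

FAR_KM = 500.0  # assumed threshold, not from the article

@dataclass
class Filing:
    taxpayer_id: str  # constructed opaque ID, never a real SSN
    tax_year: int
    lat: float        # approximate log-in location (e.g. from IP geolocation)
    lon: float

def haversine_km(lat1, lon1, lat2, lon2):
    """Great-circle distance between two points, in kilometres."""
    p1, p2 = math.radians(lat1), math.radians(lat2)
    dlon = math.radians(lon2 - lon1)
    a = math.sin((p2 - p1) / 2) ** 2 + math.cos(p1) * math.cos(p2) * math.sin(dlon / 2) ** 2
    return 2 * 6371.0 * math.asin(math.sqrt(a))

def assess(current, history, far_km=FAR_KM):
    """Compare a new filing's locale with the same taxpayer's earlier e-filings.

    Returns (decision, nearest_km). The nearest prior location is used so a
    taxpayer who has filed from several places is not flagged for returning
    to one of them.
    """
    prior = [f for f in history
             if f.taxpayer_id == current.taxpayer_id and f.tax_year < current.tax_year]
    if not prior:
        # Nothing to compare against: this signal cannot vouch for the filer,
        # so other proofing layers have to decide.
        return ("no_history", None)
    nearest = min(haversine_km(current.lat, current.lon, f.lat, f.lon) for f in prior)
    return ("step_up" if nearest > far_km else "consistent", nearest)

def run_sample():
    """Score three constructed 2014 filings against constructed history."""
    history = [
        Filing("T-001", 2012, 40.76, -111.89), Filing("T-001", 2013, 40.76, -111.89),
        Filing("T-002", 2013, 34.00, -81.03),
    ]
    incoming = [
        Filing("T-001", 2014, 40.23, -111.66),  # same region as earlier years
        Filing("T-002", 2014, 47.61, -122.33),  # far from every earlier filing
        Filing("T-003", 2014, 39.74, -104.99),  # first e-filing on record
    ]
    return {f.taxpayer_id: assess(f, history) for f in incoming}

if __name__ == "__main__":
    for tid, (decision, km) in run_sample().items():
        print(tid, decision, "n/a" if km is None else f"{km:.0f} km")
```

A `step_up` result here means routing the return to additional identity proofing rather than rejecting it, since legitimate taxpayers move and travel.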


Stories by Gregg Keizer
