The Federal Bureau of Investigation (FBI) is looking into the cause of a spike in fraudulent tax returns filed using Intuit's TurboTax tax preparation software, according to a report by the Wall Street Journal.
Citing an unnamed source, the newspaper yesterday (subscription required) said that the FBI had started an investigation to determine whether the fake returns were generated from information acquired through a data breach, perhaps from Intuit, or whether the returns were created using information obtained elsewhere.
Last week, Intuit suspended transmission of state tax returns for about 24 hours after numerous state collection agencies reported higher-than-usual numbers of phony filings.
At the time, Intuit said it believed the fraud did not stem from a security breach of its network, and that the information used by criminals was obtained elsewhere. The company did not reply to questions today.
The FBI's probe is meant to determine whether that's true.
TurboTax users have reported fraudulent federal as well as state returns, but not surprisingly have no idea how the fraudsters obtained the information necessary to mimic them.
"This year someone has already filed taxes on my wife's SSN [Social Security number] so I can't e-file," wrote someone identified as "cssmith17" on Intuit's support discussion forum.
"IRS [Internal Revenue Service] rejected my 2014 filing due to same reason, only mine is because they are saying my son (dependent) has already filed," reported "designvegas" on Sunday. "He is disabled. Please be aware of fraud on federal taxes as well."
The Utah State Tax Commission, like up to 18 other states' collection agencies, has seen a significant increase in fraudulent tax returns so far this year, with some uncovered only when taxpayers reported that a return had already been filed in their name.
Utah's fraudulent return rate is "a lot higher" this year than in the past, said a commission spokesman today, declining to share numbers. "We know that criminals are getting the information somehow, whether from the software vendor or the Internet," the spokesman said, but he wasn't able to specify the source. He said that the commission's network had not been breached.
Tax fraud is a huge problem: The IRS estimated that it paid out $5.2 billion in identity-theft-related refunds last year, but also claimed it had stymied attempts to grab another $24.2 billion.
"I'm glad it's finally coming to the forefront," said Avivah Litan of Gartner, pointing to the IRS's admission but betting that the number is likely much higher than the agency's estimate. "They're taking it seriously [because] the amount of money stolen from consumers through fraudulent returns dwarfs that from credit card fraud."
Some taxpayers spend years trying to get what's owed them after a fraudulent return has been filed, said Litan, Gartner's resident fraud expert. "And some people need that money immediately," she added.
Well-organized criminal groups mine a wide variety of sources to assemble identity-theft profiles, then sell those collections to others who generate fake tax returns. "The kind of data needed to fake a return is the kind of data stolen from Anthem," Litan said, referring to the recent breach acknowledged by one of the U.S.'s largest health insurers.
Anthem, which has 37.5 million subscribers to its health plans, is better known by the names of its affiliates, such as Blue Cross Blue Shield and Amerigroup.
"The bad guys go anywhere they can to get this data," said Litan. Prime sources include credit bureaus -- a subsidiary of credit-monitoring company Experian was hacked last year, with 200 million personal records stolen -- interceptions of mobile app log-ons, and classic phishing attacks, where consumers are duped into giving up usernames and passwords after receiving clever emails.
In fact, Intuit has posted six phishing alerts on its security page in the last three days, almost as many as for the year as a whole through Feb. 6.
Fraudsters who purchase identity portfolios, said Litan, often automate the return-generation process, spewing out huge numbers of fakes that simply overwhelm unprepared tax collection agencies. South Carolina, for example, has reportedly isolated 96,000 returns filed through TurboTax. Last Friday, the South Carolina Department of Revenue said it was reviewing a "significant number" of 2014 returns, asserted that its network had not been hacked, and blamed "issues related to third-party commercial tax preparation software."
But in 2012, the same department announced that 3.9 million tax returns had been exposed after a breach.
Fraud detection systems, which the IRS and states use to quarantine potentially-fake returns, aren't sufficient to stamp out the problem, said Litan. "They use big data analytics from companies such as SAP and Palantir," she said. Intuit has brought in the latter to analyze fraud activity. "But they're all post-mortem, in that they're looking after the fact."
Those detection systems are used to create block lists to stop future fraud, Litan added.
"Tax agencies need a layered approach," she said. "They need more ID proofing, they need to get away from static information, which has all been compromised, and toward behavioral and contextual information."
Monitoring the geographic location of the taxpayer's log-in would be an example of dynamic ID proofing, Litan said, if tax collection agencies compared this year's locale to that of previous e-filed returns.
"But the criminals are getting better and better," she warned. "They're putting as much as they can together on as many people as they can."