The Southbourne Tax Group: Why Tax Refund Fraud Losses Are Growing RapidlyA Story by Corey WelchOver the past five years, the IRS has been experiencing issues around identity theft. Evidence of stolen identity tax refund fraud, or simply tax refund fraud (TRF), began to emerge as early as 2004 wOrganized
criminal enterprises understand flaws in the tax filing and refund system that
allowed them to exploit procedural weaknesses and reap large returns for their
efforts. TRF has evolved into a sophisticated criminal enterprise process with
organized fraud rings filing thousands of fraudulent tax returns annually.
Factors Leading to the Growth of Tax
Refund Fraud
The
advancement of technology has had implications across many facets of TRF. The
increase in personal computing power of taxpayers, the evolution of the
Internet since the early 1990s, the ability to electronically file tax forms
and subsequent growth of third-party tax filing services and the ability to
receive tax refunds via direct deposit (including prepaid debit cards) have all
been major contributing factors to the growth of TRF. Additionally, the
conversion of personally identifiable information (PII) to digital records has
created an opportunity for cybercriminals to steal PII in large quantities, as
evidenced by recent health care provider and government agency data breaches.
The
IRS has offered and allowed direct deposit of tax refunds since the 1980s;
however, it never built systems to confirm that deposits were being made to an
account of the same name as the tax filer. In 2008, TIGTA reported that “the
IRS has not developed sufficient processes to ensure that more than 61 million
filing season 2008 tax refunds were deposited into an account of the name of
the filer.” In fact, TIGTA found that the IRS was not in compliance with direct
deposit regulations. The IRS claimed that it was the responsibility of the
taxpayer to ensure compliance " which obviously played into the fraudsters’
hands.
The
problem of multiple direct deposits to one account was evident in a 2012 report
in which an analysis of 2010 data indicated that 4,157 direct deposit refunds
totaling more than $6.7 million went to just 10 accounts.
A
corresponding July 2012 TIGTA report recommended that the IRS limit the number
of direct deposits to one account. The IRS agreed with that suggestion and
instituted a limit of three direct deposits to one account for the 2015 filing
season.
A New Trend Takes Hold
Around
2010, a new trend emerged centering around true identity theft. Based on
lessons learned from the prisoner tax filing scam, organized criminal groups
(OCGs) focusing on TRF began to emerge. OCGs from street gangs to international
crime groups learned that they could make a lot money with little risk
involved. The OCG would obtain true identity information about a taxpayer,
which is otherwise known as “FULLZ” in Dark Web marketplaces. The OCG would
then submit a tax return in the victim’s name with fictitious employment and
wage documents to support it.
Since
two returns cannot be filed for the same person in one year, once the victim
would submit a true tax return it would be rejected, alerting them to the
identity theft. One of the issues at hand is that the IRS does not reconcile
wage documents from individual returns to those supplied from employers until
six to nine months into the year. According to TIGTA, the IRS may have paid
$5.2 billion in potentially fraudulent tax refunds on 1.5 million tax returns
in 2010.
So Where Does One Get FULLZ
Information?
FULLZ
information is readily available from many places. These include data breaches,
retail stores, health care records and more. Once cybercriminals get access to
this data, they will then put the information into a website marketplace that
allows fraudsters to access any of the data that is available for a price. Many
of these websites are in what is known as the Dark Net or Dark Market. The Dark
Net listings provide fraudsters with all the information they would need to
execute TRF.
If
you are a novice or would-be fraudster, there are websites that will provide a
how-to tutorial for committing TRF. The pictures below are examples of a few
websites that teach people each step of TRF, from getting a person’s PII and
opening a bank account in that individual’s name to actually submitting a
fraudulent tax return and receiving an illicit refund.
Another
important thing to note is that rules, regulations and silos within companies
hinder the organizations’ ability to effectively communicate, share information
and limit the losses from TRF. However, the bad guys are not hindered by any
such rules and regulations. They are free to communicate among themselves about
successes, failures and other conditions that will help refine their processes
to be more successful. This is usually done in Dark Net chat forums. In these
forums, criminals are free to discuss what was successful and what was not.
Technology
has made it increasing easy for fraudsters to commit their crimes anonymously.
The Internet and phone channels provide areas that can be used to grant
anonymity. On the Internet there are many products that provide virtual private
network (VPN) services to hide the true identity and IP address of the bad
actor; two of the best known are Tor and I2P.
Data Breaches Fuel the FULLZ Supply
All
data breaches are not created equally. Some of the large retail breaches over
the last 18 months, while significant, do not pose as much of an identity theft
risk as the more recent health insurer and government data breaches. Some of
the high-profile retail breaches involved payment card compromises, which would
allow a fraudster to create and use counterfeit cards. Typically, card issuers
will bear losses associated with counterfeit card use, sparing consumers any financial burden. However, data
breaches that involve complete PII records of consumers present a high risk of
identity theft and TRF.
Until
recently, the compromise of full PII data often came from malicious insiders
with access to consumers’ information. Insiders at banks, medical offices,
schools and other organizations that possess PII help provide access for
criminal enterprises. Large-scale data breaches at health insurers and
government agencies have provided a tremendous supply of consumer PII to
cybercriminals looking to execute TRF.
So
far in 2015, more than 100 million PII records have been compromised through
health care and government data breaches alone. For example, the IRS announced
that the breach of its Get Transcript system may have included the PII of
334,000 taxpayers. Unlike payment card compromises, these breaches may have
profound negative effects to individuals for years to come.
IRS Attempts to Control the Issue
In
response to TIGTA’s direct deposit concerns, the IRS introduced limits on
Automated Clearing House (ACH) deposits for the 2015 tax season. It implemented
new procedures about how money would be sent to accounts by ACH and by check.
For instance, a new direct deposit refund request limits the number of refunds
that can be deposited into one bank account to three. After three deposits into
one bank account, the IRS will convert any subsequent direct deposit refund
requests to a paper check and mail the check to the taxpayer’s address. Also,
the IRS is limiting the number of bank accounts among which a taxpayer can
split one refund to no more than three.
These
changes were implemented in an effort to curb TRF. However, the reforms did not
achieve the intended result because fraudsters adapted their tactics to exploit
systematic weaknesses. The issues that arose for the 2015 tax season are
twofold:
1. Workarounds With Tax Preparation
Services
The
master accounts associated with tax preparation services are a weakness in the
system to which fraudsters navigated once the IRS instituted the direct deposit
limitations. When an individual files a tax return with a refund through some
of the popular tax preparation services, the refunds are often routed from the
IRS to the tax preparation company, which then sends it to the individual’s
bank and account of record.
Through
this method of filing, fraudsters were able to bypass the direct deposit
limits. Refunds processed through master accounts do not contain robust event
descriptions. The lack of event descriptions means the banks can’t detect and
stop these refunds since they have no information from which to validate and
match information to the bank account.
2. Financial Institutions Cannot Help
Monitor for Fraud
The
direct deposit limits took financial institutions out of the game with regard
to being a detection point. An ACH deposit coming from the IRS to a bank
contains a robust event description including the name, address and Social
Security number of the beneficiary. Financial institutions were in a position
to detect suspicious activity of multiple deposits going to one account for the
benefit of individuals not named on the account.
As
with many regulations and controls designed to stop fraud, there are unintended
consequences. As a result of criminals’ ability to adapt to the ACH
limitations, they found another way. Their new methods resulted in a higher
success rate and increased losses to U.S. taxpayers.
What Does This Mean for the Future?
TRF
is expected to increase dramatically for this tax season. According to the IRS,
fraud losses will reach a staggering $21 billion by 2016, while just two years
ago, losses were $6.5 billion.
Recent
large-scale PII data breaches will contribute to the growth of TRF. Although
the IRS is making changes to try to limit fraud, there are still structural
weaknesses in the process that will allow this activity to continue.
Are There Solutions to the Tax Refund
Fraud Issue?
No
one solution will stop tax refund fraud, but it can be slowed down and its
losses limited. The focus should be on better fraud detection capabilities. The
detection process should be built like an onion with multiple layers and
parties involved. Proposed cuts of the IRS’ budget by more than $800 million
for fiscal year 2016 may make it increasingly difficult for the agency to
create a better detection strategy, however.
Limiting
the number of direct deposits to one account is a good start. However,
financial institutions need to be brought into the detection loop. The refund
process via master accounts must be enhanced to the point where the name,
address and Social Security number of the beneficiary are included in the event
description of the ACH transaction between the master account and the receiving
bank. Once that is done, banks can build fraud strategies to identify multiple
deposits to one account.
The
IRS, financial institutions, tax preparation service companies and card
companies should work together to devise and implement detection controls that
may allow each party to potentially identify suspicious activity, raise red
flags and halt the refund process to allow for identity verification. With a
detection process that includes all these parties, there will be three
different industries that can review refund transactions at different points in
the process. This could significantly decrease the losses that are seen with
tax refund fraud. © 2017 Corey Welch |
Stats
76 Views
Added on March 6, 2017 Last Updated on March 6, 2017 Tags: the southbourne tax group busine, singapore tokyo japan, Why Tax Refund Fraud Losses Are Author
|