Over the past five years, the IRS has been experiencing issues around identity theft. Evidence of stolen identity tax refund fraud, or simply tax refund fraud (TRF), began to emerge as early as 2004 when individuals began submitting fictional tax returns from prison. According to the Treasury Inspector General for Tax Administration (TIGTA), in 2004, prisoners submitted 18,000 returns, which cost U.S. taxpayers $68 million. In 2010, they submitted 91,000 returns, with a loss of $757 million. Over that time, the prisoners also increased the average amount of money they collected, jumping from $3,777 in 2004 to a staggering $8,318 in 2010. Their tax fraud scheme exposed a flaw within the tax filing system.

Organized criminal enterprises understand flaws in the tax filing and refund system that allowed them to exploit procedural weaknesses and reap large returns for their efforts. TRF has evolved into a sophisticated criminal enterprise process with organized fraud rings filing thousands of fraudulent tax returns annually.

Factors Leading to the Growth of Tax Refund Fraud

The advancement of technology has had implications across many facets of TRF. The increase in personal computing power of taxpayers, the evolution of the Internet since the early 1990s, the ability to electronically file tax forms and subsequent growth of third-party tax filing services and the ability to receive tax refunds via direct deposit (including prepaid debit cards) have all been major contributing factors to the growth of TRF. Additionally, the conversion of personally identifiable information (PII) to digital records has created an opportunity for cybercriminals to steal PII in large quantities, as evidenced by recent health care provider and government agency data breaches.

The IRS has offered and allowed direct deposit of tax refunds since the 1980s; however, it never built systems to confirm that deposits were being made to an account of the same name as the tax filer. In 2008, TIGTA reported that “the IRS has not developed sufficient processes to ensure that more than 61 million filing season 2008 tax refunds were deposited into an account of the name of the filer.” In fact, TIGTA found that the IRS was not in compliance with direct deposit regulations. The IRS claimed that it was the responsibility of the taxpayer to ensure compliance — which obviously played into the fraudsters’ hands.

The problem of multiple direct deposits to one account was evident in a 2012 report in which an analysis of 2010 data indicated that 4,157 direct deposit refunds totaling more than $6.7 million went to just 10 accounts.

A corresponding July 2012 TIGTA report recommended that the IRS limit the number of direct deposits to one account. The IRS agreed with that suggestion and instituted a limit of three direct deposits to one account for the 2015 filing season.

A New Trend Takes Hold

Around 2010, a new trend emerged centering around true identity theft. Based on lessons learned from the prisoner tax filing scam, organized criminal groups (OCGs) focusing on TRF began to emerge. OCGs from street gangs to international crime groups learned that they could make a lot money with little risk involved. The OCG would obtain true identity information about a taxpayer, which is otherwise known as “FULLZ” in Dark Web marketplaces. The OCG would then submit a tax return in the victim’s name with fictitious employment and wage documents to support it.

Since two returns cannot be filed for the same person in one year, once the victim would submit a true tax return it would be rejected, alerting them to the identity theft. One of the issues at hand is that the IRS does not reconcile wage documents from individual returns to those supplied from employers until six to nine months into the year. According to TIGTA, the IRS may have paid $5.2 billion in potentially fraudulent tax refunds on 1.5 million tax returns in 2010.

So Where Does One Get FULLZ Information?

FULLZ information is readily available from many places. These include data breaches, retail stores, health care records and more. Once cybercriminals get access to this data, they will then put the information into a website marketplace that allows fraudsters to access any of the data that is available for a price. Many of these websites are in what is known as the Dark Net or Dark Market. The Dark Net listings provide fraudsters with all the information they would need to execute TRF.

If you are a novice or would-be fraudster, there are websites that will provide a how-to tutorial for committing TRF. The pictures below are examples of a few websites that teach people each step of TRF, from getting a person’s PII and opening a bank account in that individual’s name to actually submitting a fraudulent tax return and receiving an illicit refund.

Another important thing to note is that rules, regulations and silos within companies hinder the organizations’ ability to effectively communicate, share information and limit the losses from TRF. However, the bad guys are not hindered by any such rules and regulations. They are free to communicate among themselves about successes, failures and other conditions that will help refine their processes to be more successful. This is usually done in Dark Net chat forums. In these forums, criminals are free to discuss what was successful and what was not.

Below are some examples of posts that were placed on these forums. References to specific companies have been redacted.

Technology has made it increasing easy for fraudsters to commit their crimes anonymously. The Internet and phone channels provide areas that can be used to grant anonymity. On the Internet there are many products that provide virtual private network (VPN) services to hide the true identity and IP address of the bad actor; two of the best known are Tor and I2P.

Data Breaches Fuel the FULLZ Supply

All data breaches are not created equally. Some of the large retail breaches over the last 18 months, while significant, do not pose as much of an identity theft risk as the more recent health insurer and government data breaches. Some of the high-profile retail breaches involved payment card compromises, which would allow a fraudster to create and use counterfeit cards. Typically, card issuers will bear losses associated with counterfeit card use, sparing consumers any financial burden. However, data breaches that involve complete PII records of consumers present a high risk of identity theft and TRF.

Until recently, the compromise of full PII data often came from malicious insiders with access to consumers’ information. Insiders at banks, medical offices, schools and other organizations that possess PII help provide access for criminal enterprises. Large-scale data breaches at health insurers and government agencies have provided a tremendous supply of consumer PII to cybercriminals looking to execute TRF.

So far in 2015, more than 100 million PII records have been compromised through health care and government data breaches alone. For example, the IRS announced that the breach of its Get Transcript system may have included the PII of 334,000 taxpayers. Unlike payment card compromises, these breaches may have profound negative effects to individuals for years to come.

IRS Attempts to Control the Issue

In response to TIGTA’s direct deposit concerns, the IRS introduced limits on Automated Clearing House (ACH) deposits for the 2015 tax season. It implemented new procedures about how money would be sent to accounts by ACH and by check. For instance, a new direct deposit refund request limits the number of refunds that can be deposited into one bank account to three. After three deposits into one bank account, the IRS will convert any subsequent direct deposit refund requests to a paper check and mail the check to the taxpayer’s address. Also, the IRS is limiting the number of bank accounts among which a taxpayer can split one refund to no more than three.

These changes were implemented in an effort to curb TRF. However, the reforms did not achieve the intended result because fraudsters adapted their tactics to exploit systematic weaknesses. The issues that arose for the 2015 tax season are twofold:

1. Workarounds With Tax Preparation Services

The master accounts associated with tax preparation services are a weakness in the system to which fraudsters navigated once the IRS instituted the direct deposit limitations. When an individual files a tax return with a refund through some of the popular tax preparation services, the refunds are often routed from the IRS to the tax preparation company, which then sends it to the individual’s bank and account of record.

Through this method of filing, fraudsters were able to bypass the direct deposit limits. Refunds processed through master accounts do not contain robust event descriptions. The lack of event descriptions means the banks can’t detect and stop these refunds since they have no information from which to validate and match information to the bank account.

2. Financial Institutions Cannot Help Monitor for Fraud

The direct deposit limits took financial institutions out of the game with regard to being a detection point. An ACH deposit coming from the IRS to a bank contains a robust event description including the name, address and Social Security number of the beneficiary. Financial institutions were in a position to detect suspicious activity of multiple deposits going to one account for the benefit of individuals not named on the account.

As with many regulations and controls designed to stop fraud, there are unintended consequences. As a result of criminals’ ability to adapt to the ACH limitations, they found another way. Their new methods resulted in a higher success rate and increased losses to U.S. taxpayers.

What Does This Mean for the Future?

TRF is expected to increase dramatically for this tax season. According to the IRS, fraud losses will reach a staggering $21 billion by 2016, while just two years ago, losses were $6.5 billion.

Recent large-scale PII data breaches will contribute to the growth of TRF. Although the IRS is making changes to try to limit fraud, there are still structural weaknesses in the process that will allow this activity to continue.

Are There Solutions to the Tax Refund Fraud Issue?

No one solution will stop tax refund fraud, but it can be slowed down and its losses limited. The focus should be on better fraud detection capabilities. The detection process should be built like an onion with multiple layers and parties involved. Proposed cuts of the IRS’ budget by more than $800 million for fiscal year 2016 may make it increasingly difficult for the agency to create a better detection strategy, however.

Limiting the number of direct deposits to one account is a good start. However, financial institutions need to be brought into the detection loop. The refund process via master accounts must be enhanced to the point where the name, address and Social Security number of the beneficiary are included in the event description of the ACH transaction between the master account and the receiving bank. Once that is done, banks can build fraud strategies to identify multiple deposits to one account.

The IRS, financial institutions, tax preparation service companies and card companies should work together to devise and implement detection controls that may allow each party to potentially identify suspicious activity, raise red flags and halt the refund process to allow for identity verification. With a detection process that includes all these parties, there will be three different industries that can review refund transactions at different points in the process. This could significantly decrease the losses that are seen with tax refund fraud.

More from Fraud Protection

Unveiling the latest banking trojan threats in LATAM

9 min read - This post was made possible through the research contributions of Amir Gendler.In our most recent research in the Latin American (LATAM) region, we at IBM Security Lab have observed a surge in campaigns linked with malicious Chrome extensions. These campaigns primarily target Latin America, with a particular emphasis on its financial institutions.In this blog post, we’ll shed light on the group responsible for disseminating this campaign. We’ll delve into the method of web injects and Man in the Browser, and…

PixPirate: The Brazilian financial malware you can’t see

10 min read - Malicious software always aims to stay hidden, making itself invisible so the victims can’t detect it. The constantly mutating PixPirate malware has taken that strategy to a new extreme. PixPirate is a sophisticated financial remote access trojan (RAT) malware that heavily utilizes anti-research techniques. This malware’s infection vector is based on two malicious apps: a downloader and a droppee. Operating together, these two apps communicate with each other to execute the fraud. So far, IBM Trusteer researchers have observed this…

New Fakext malware targets Latin American banks

6 min read - This article was made possible thanks to contributions from Itzhak Chimino, Michael Gal and Liran Tiebloom. Browser extensions have become integral to our online experience. From productivity tools to entertainment add-ons, these small software modules offer customized features to suit individual preferences. Unfortunately, extensions can prove useful to malicious actors as well. Capitalizing on the favorable characteristics of an add-on, an attacker can leverage attributes like persistence, seamless installation, elevated privileges and unencrypted data exposure to distribute and operate banking…

Topic updates

Get email updates and stay ahead of the latest threats to the security landscape, thought leadership and research.
Subscribe today