My wife and I each received a Happy New Year note from the U.S. Internal Revenue Service (IRS) a few weeks back. But rather than wishing us health and happiness in the New Year, it informed us that we may have been the victims of identity theft. Someone, it seems, had posed as each of us and obtained a PIN that can be used to file tax returns electronically. None of our personal data had been accessed, the IRS assured us in the letters, but we should be on guard – for what, the letter didn’t say.
We’re not alone. According to preliminary data released by the IRS, 2016 is shaping up to be a banner year for tax fraud and tax-related identity theft. To use the words of Presidential candidate Donald Trump, tax fraud this year is going to be HUGE! (Or YUUGE!, as Democratic contender Bernie Sanders might say.)
Data released by the IRS last week suggests that identity theft scams related to tax filing are shifting into overdrive. The U.S. tax agency has seen a 400% increase in reported phishing and malware schemes aimed at obtaining personal information so far this year, it said in a statement.
That includes 1,026 incidents in January alone, more than four times the number reported in January 2015. The trend continued in February, with nearly double the number of incidents reported in the first half of the month compared to the same period in 2015. Already, the phishing and malware incidents reported in 2016 (1,389) top the total for all of 2014 (1,361). In all of 2015, the IRS received 2,748 complaints – a number that looks as if it will surely be surpassed before the April 15 tax-filing deadline.
Why? The many information security failings of federal agencies are well known. It was just last year, after all, that the IRS had to suspend an online service known as “Get Transcript” after fraudsters used it to file false tax returns for hundreds of thousands of U.S. taxpayers (including this reporter).
According to statements by the IRS, the attackers behind the most recent tax fraud campaign used taxpayer-specific data acquired from non-IRS sources to gain unauthorized access to information on approximately 330,000 tax accounts. The attackers used the taxpayers' Social Security numbers, dates of birth and street addresses to defeat a “multi-step” authentication process (basically: knowledge-based challenge/response questions) and get access to taxpayer filing data. They used that information to file fraudulent returns seeking refunds. The filing data may also be reused in subsequent identity theft scams unrelated to the IRS, security experts have warned. Hundreds of thousands of other attempts to fraudulently access taxpayer accounts were also noted in those attacks.
In the wake of those attacks, the IRS and state tax authorities announced some fixes: new fraud detection services intended to weed out criminals from taxpayers. Additional measures include checking the IP addresses of submitted returns for repeats (a potential sign of fraud), verifying the device identification of the system used to file the return, analyzing the time taken to complete the return to detect automated filings, and capturing metadata from the filing transaction to identify possible indicators of fraud.
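To make those indicators concrete, here is an added example (not IRS code, and not from the original post) of a batch screening pass over e-filing transaction records. It scores each return on the signals the agency described: source IP reuse, device identifier reuse, implausibly fast completion, and transaction metadata, for which the refund destination account is used here as one hypothetical field. The record layout, field names, thresholds and the sample records are all constructed for illustration.

```python
"""Batch fraud-screening pass over e-filing transaction records.

Added example. Field names, thresholds and records are hypothetical;
a production system would tune thresholds against labelled filings.
"""
from collections import defaultdict
from datetime import datetime

# Constructed sample records; not real filings. Times are ISO-8601 strings.
# r1 and r2 are ordinary returns. r3..r7 are five returns for five different
# taxpayers, all submitted from one IP and one device, each completed in
# 45 seconds, and all routing the refund to the same account.
FILINGS = [
    {"id": "r1", "ssn_hash": "h-001", "ip": "198.51.100.7", "device": "dev-A",
     "started": "2016-02-01T10:00:00", "submitted": "2016-02-01T10:32:00",
     "refund_account": "acct-1"},
    {"id": "r2", "ssn_hash": "h-002", "ip": "198.51.100.8", "device": "dev-B",
     "started": "2016-02-01T11:00:00", "submitted": "2016-02-01T11:45:10",
     "refund_account": "acct-2"},
] + [
    {"id": f"r{i}", "ssn_hash": f"h-{i:03d}", "ip": "203.0.113.10",
     "device": "dev-X",
     "started": f"2016-02-02T09:0{i}:00", "submitted": f"2016-02-02T09:0{i}:45",
     "refund_account": "acct-9"}
    for i in range(3, 8)
]

# Hypothetical thresholds (assumptions, not IRS values).
THRESHOLDS = {
    "max_returns_per_ip": 3,        # distinct taxpayers filing from one IP
    "max_returns_per_device": 3,    # distinct taxpayers from one device ID
    "max_returns_per_account": 2,   # distinct taxpayers paid to one account
    "min_completion_seconds": 120,  # faster than a human fills out a return
}


def completion_seconds(rec):
    """Seconds between starting and submitting the return."""
    return (datetime.fromisoformat(rec["submitted"])
            - datetime.fromisoformat(rec["started"])).total_seconds()


def score_filings(filings, thresholds=THRESHOLDS):
    """Return {record id: [reason, ...]} for every record that trips an indicator.

    Reuse counts are of distinct taxpayers per IP, device and refund account,
    so one taxpayer re-submitting a corrected return is not penalised, while
    one source pushing returns for many taxpayers is.
    """
    by_ip, by_device, by_account = defaultdict(set), defaultdict(set), defaultdict(set)
    for f in filings:
        by_ip[f["ip"]].add(f["ssn_hash"])
        by_device[f["device"]].add(f["ssn_hash"])
        by_account[f["refund_account"]].add(f["ssn_hash"])

    flagged = {}
    for f in filings:
        reasons = []
        n = len(by_ip[f["ip"]])
        if n > thresholds["max_returns_per_ip"]:
            reasons.append(f"ip_reuse:{n}")
        n = len(by_device[f["device"]])
        if n > thresholds["max_returns_per_device"]:
            reasons.append(f"device_reuse:{n}")
        n = len(by_account[f["refund_account"]])
        if n > thresholds["max_returns_per_account"]:
            reasons.append(f"refund_account_reuse:{n}")
        secs = completion_seconds(f)
        if secs < thresholds["min_completion_seconds"]:
            reasons.append(f"fast_completion:{int(secs)}s")
        if reasons:
            flagged[f["id"]] = reasons
    return flagged


if __name__ == "__main__":
    for rid, reasons in score_filings(FILINGS).items():
        print(rid, ", ".join(reasons))
```

Run on the sample batch, r1 and r2 pass cleanly and r3 through r7 each trip all four indicators. The point a practitioner should take from this is that each signal is cheap to evade on its own (a fraudster can rotate IPs and device fingerprints and add a random delay), which is why the IRS described these as a set of indicators feeding a fraud-detection service rather than as hard blocks.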
Are those working? It’s hard to tell. What is clear is that it is still a trivial matter to obtain a taxpayer’s unique electronic filing PIN. All you need to provide is the taxpayer’s Social Security number, birth date and mailing address. The first piece of information is widely available for sale in criminal forums – or from public filings. The second and third are even easier to obtain from public records, social media networks and so on. None of the three is a secret in any meaningful sense, which is the basic weakness of knowledge-based authentication: it treats data that has already leaked, or was never private, as proof of identity.
In fact, I looked up my PIN a few weeks ago, which means that the IRS notification about fraudulent access to my PIN could have been triggered by my own, legitimate inquiry – or not. Alas, the IRS wasn’t able to provide me any details about the request – such as what IP address or region of the world it came from, what kind of browser and computer were used to make the request, etc. Companies like Google, Facebook and Twitter commonly provide that information to help resolve potentially fraudulent incidents of account access these days. Maybe the IRS should make a call to Menlo Park?
The sad truth is that the IRS – like many government agencies – suffers from a severe shortage of technical talent, especially in the area of information security. A frequent target of budget cuts, the IRS struggles to simply do its job, while services like telephone support, that might help consumers faced with an incident of identity theft, are allowed to deteriorate.
The actions of cyber criminals and fraudsters are largely outside of the control of the IRS and increases in the number of fraud attempts aren’t the same thing as an increase in fraud. But it is in the agency’s control to improve the systems and procedures it uses to detect and respond to fraud and attempted fraud: raising the bar for would-be criminals. In the next few months we’ll learn whether the IRS has learned its lessons, or not.