TAX FRAUD
“\[By the\] middle of February, it be- came clear that there was a pattern of activity...that was clearly not consis- tent with people going \[to\] actually apply for student loans,” Koskinen said.
The IRS discovered that hackers had posed as 8,000 college students apply- ing for financial aid so they could ac- cess IRS data. “They would start the financial aid process like a normal stu- dent and then use the IRS tool to au- tomatically populate tax information for the student and parents,” Koskinen said. Using that stolen information, identity thieves filed fraudulent tax returns and stole $30 million from the IRS, he added.
Undermining cybercriminals
Woloski said the IRS and Education De- partment are likely to require “stronger authentication for online sites, \[includ- ing\] more complex passwords, SMS- based multifactor authentication \[and\] additional verification of personal de- tails at sign-up.”
He added that officials might also use machine learning to detect suspi- cious behavior. “Using machine learn- ing to defeat fraud has been a common approach for years in the e-commerce field, used by sites such as Amazon,” Woloski said. The IRS is likely already using the technology to identify people who are cheating on their taxes, so it would be a natural extension to use it for improving security, he added.
And although Koskinen admitted in his comments to the Senate that “iden- tity theft is still a major threat to tax administration, and we need to keep up the fight,” he said that in 2016, IRS sys-
“Identity theft is still
a major threat to tax ” administration, and we need to keep up the fight.
IRS COMMISSIONER JOHN KOSKINEN
ued data, including making better use of security and encryption software for sensitive data, encouraging the use of strong passwords and looking out for suspicious email messages.
“The weak link here is clearly the con- tinued use of static passwords, which are easily hacked by a motivated cyber- criminal,” he said. “This one is particu- larly painful as two-factor authentica- tion technology has been around for a long time and widely available.” •
tems stopped more than $6.5 billion in fraudulent claims on 969,000 returns filed by identity thieves.
Kremez, a former cybercrime investi- gative analyst in the New York County District Attorney’s Office, agreed that the IRS “is implementing better tracking online and getting more staff involved in applications with inconsistencies.”
However, Vergara said government agencies that trade in tax information could do more to protect the highly val-
A GAME OF SPEED AND NUMBERS
The IRS might be outgunned in the fight against tax fraud. In January, officials released a list of a “dirty dozen” tax scams that trick taxpayers into giving criminals access to their tax records and open them up to identity theft. Becoming increasingly popular are phone fraud and phishing attacks. For example, crooks often impersonate IRS agents in an effort to collect taxpayer information, often threatening their victims with police arrest, deportation or the revocation
of their driver’s licenses if they do not provide detailed information.
Another increasingly prevalent concern is the so-called W-2 scam. In this email- based scam, a fraudulent party uses a corporate executive’s name and often other readily available information to request employees’ W-2 forms from a company’s payroll or human resources department in an effort to acquire that valuable information en masse.
“These attacks are extremely prevalent
during tax season and the period in which students apply for financial aid,” said John Bambenek, threat intelligence manager at Fidelis Cybersecurity. “It’s big money, so criminals are attracted to it. Tax returns can be thousands of dollars, so if a criminal can divert it, it is a big payday.”
“Tax season is the perfect opportunity for cybercriminals to monetize data obtained from relatively low-effort phishing, like the W-2 scam,” said David Vergara, head of global product marketing at VASCO Data Security. “The volume of tax activity, coupled with the speed in which they submit fraudulent returns, makes it virtually impossible for the IRS to catch it all.”
Cybercriminals who file fraudulent tax returns before the taxpayer can legitimately file his or her paperwork and can successfully repeat the process get the biggest prize. “It’s a game of speed and numbers,” Vergara said.
— Karen Epper Hoffman
42 GCN MAY 2017 • GCN.COM