If you were denied the ability to file your tax forms because “they had already been filed,” you are most likely the victim of a cyber breach and someone else is enjoying your tax refund money. You also are a victim of identity theft.
KrebsonSecurity published information on April 14 about a Web-based program that an organized cyber gang has been using to track bogus tax returns. According to the information found by Brian Krebs, it appears that the HR departments at more than a half-dozen U.S. companies had been hacked. Thieves took all the data needed to complete the fraudulent forms on nearly all employees including the Social Security numbers of the employees, spouses and even children, address, wages and employer identification number.
The fraudulent forms were filed using the e-filing service from H&R Block. The thieves had refunds routed to prepaid American Express cards that correspond either to specific drop addresses or to co-conspirators. In the past these were local gangs that cashed out the cards, kept a fee and turned the rest over to the organizing group.
The scam has enriched the crime gang by more than $1 million to date.
Alex Holden, chief information security officer at Hold Security, said while tax fraud is not new, the use of hacked Human Resource programs is taking breaches to a new level.
“The depth of this specific operation permits them to act as a malicious middle-man and (the) tax preparation company to be an unwitting ‘underwriter’ of this crime,” Holden said. “And the victims may be exploited not only for 2013 tax year but also down the road... Companies should look at their human resource infrastructure to ensure that payroll, taxes, financial, medical, and other benefits are afforded the same level of protection as their other mission-critical assets.”
One victim told Krebs that his company said there had been a security breach at a cloud provider that was used to handle company employee benefits and payroll systems. “My sister-in-law is an accountant, so I raced to her and asked her to help us file our taxes immediately. She pushed them through quickly but the IRS came back and said someone had already filed our taxes a few days before us.”
The cloud provider of the payroll services is Ultimate Software according to company records. Further investigation concluded that the attackers had stolen the credentials/passwords of each victim company’s HR manager.
“Although we are aware that several customers’ employees were victims of tax fraud, we have no reason to believe this unauthorized access was the result of a compromise of our own security,” Jody Kaminsky of Ultimate Software told Krebs. “Rather, our investigation suggests this is the result of stolen login information on the end-user level and not our application.”
According to a 2013 report from the Treasury Inspector General’s office, the IRS issued nearly $4 billion in bogus tax refunds in 2012. In the past thieves bought information, used information stolen in general breaches or from paper documents that were not destroyed.
The problem continues to grow with the increase in e-filing which allows the user to be anonymous. Last year, the IRS assigned more than 3,000 employees to work on identity-theft cases, twice as many as the year before. Sorting the bogus returns from legitimate ones takes time and often the first indicator is when the victim finds out someone else filed a return using their personal identifying information. The sheer number of e-returns makes it difficult to find patterns such as 500 returns with refunds being sent to the same address.
In 2000 e-filing made up 23.5 percent of total tax returns, a little more than 30 million. By the end of 2014, the IRS expects that number to reach more than 125 million legitimate filers.
According to KrebsonSecurity, “The most frightening aspect of this tax crimeware panel is that its designers appear to have licensed it for resale. It’s not clear how much this particular automated fraud machine costs, but sources in the financial industry tell this reporter that this same Web interface has been implicated in multiple tax return scams targeting dozens of companies in this year’s tax-filing season.”