Tax fraudsters are now using the U.S. Internal Revenue Service’s online self-service to get the information they need to file fraudulent tax returns and steal refunds, Krebs on Security reported on Monday (March 30).
The problem came to light after a reader named Michael Kasper contacted security reporter Brian Krebs to describe how, after he was unable to file his tax return through TurboTax — which said the IRS rejected the filing because a return had already been filed — he was finally able to track down where his refund had gone, a process that took more than a month.
It required contacting the IRS, paying a $50 fee to get a copy of the fraudulent tax return, contacting the bank where the refund was direct-deposited, contacting the local police department for that bank, and putting holds on his credit reports and the fake account at IRS.com that had been opened in Kasper’s name.
In fact, that account appears to have been the key for the fraudster to collect the necessary information to file the phony tax return, since the transcript he received of the fraudulent return suggested that the fraudsters had copied all the information from his previous year’s W-2 form, increasing the amounts slightly for the new return.
“Kasper said he can’t prove it, but he believes the scammers obtained that W-2 data directly from the IRS itself, after creating an account at the IRS portal in his name (but using a different email address) and requesting his transcript,” Krebs on Security reported.
“‘The person who submitted it somehow accessed my tax return from the previous year 2013 in order to list my employer and salary from that year, 2013, then use it on the 2014 return, instead,” Kasper said. “In addition, they also submitted a corrected W-2 that increased the withholding amount by exactly $6,000 to increase their total refund due to $8,936.”
While the checking account that was used to direct-deposit the refund was one that Kasper had never used, the address on the return was Kasper’s, although he received no notification of a return or refund.
In the face of increasing tax return identity fraud, in July 2014 the IRS issued new regulations that limited the number of direct-deposit refunds to three, after which a paper check would have to be sent to the street address on the return. Unfortunately for Kasper, there was only one refund involved.