Amid concerns of fraudulent tax returns nationwide, TurboTax temporarily suspended e-filing on Feb. 6, according to The Wall Street Journal. The service was back online after 24 hours, but various state governments continue their cessation of accepting tax returns from TurboTax while the matter can be investigated.
Fraudulent tax returns were estimated to cost the IRS $5.2 billion in 2014, according to an audit by the Government Accountability Office, with $24.2 billion in distribution prevented. The reason for the current attacks is still under investigation by parent company Intuit as well as data security consultant Palantir, but Intuit is adamant that it is not because of their software, but rather a result of data breaches elsewhere, such as the ones at Home Depot, Target, and more recently Anthem Health.
“The information used to file fraudulent returns was obtained from other sources outside the tax preparation process,” the company said in a statement. Despite this, Minnesota, Massachusetts, and Vermont have said that they will not accept state tax returns filed through TurboTax software, though this does not extend to other online filing services and ones filed by tax professionals using Intuit products.
So far, the spat of fraudulent claims has not spread to other online services like H&R Block, which some analysts claim is due to H&R Block requiring customers to e-file federal taxes before proceeding to state taxes, requiring added levels of security that are harder to hack than on the state level. TurboTax doesn’t require this, but has recently implemented a multi-factor authentication protocol for added security.
The tax fraud is carried out by hackers who access information such as bank accounts and Social Security numbers from data sources, then using services like TurboTax to file taxes under the victims’ names to claim the refund. When a victim goes to file their taxes, they are locked out because the software thinks they filed already. Based on reports that the hacks this year are similar in size to the returns from 2013, the stolen identities are rumored to have been stolen for at least a couple years.