IRS, Justice, States Confront Wave of Tax Refund Fraud

SEATTLE — A new epidemic of identity theft has cost states and taxpayers billions of dollars as sophisticated criminals target state and federal tax returns, sending authorities scrambling to catch up to the increasingly global threat.

The Internal Revenue Service identified more than 19 million suspicious tax returns filed between 2011 and 2014, two senior government officials told state legislators on Monday, as thieves target both social media channels and tax preparation software to obtain consumer identity information they can then use to intercept refunds owed to taxpayers.

Those fraudulent tax filings have cost consumers $68 billion in just the last four tax years.

“This is a new type of crime for the 21st century. It’s part white-collar, it’s part street crime,” Cory Smith, a senior litigator at the Department of Justice and a member of the interagency panel set up to fight the fraud, said at the annual meeting of the National Conference of State Legislatures. And, he added, the cost is exploding: “We’re not talking about millions, or hundreds of millions, we’re talking about billions of dollars.”

State and federal officials have watched with growing angst as identity thieves either steal information from public social media networks or from tax preparation software companies. The thieves then use that data to access a taxpayer’s previous returns, which they use to mimic the next year’s return.

Those mimicked, false returns direct refunds to bank accounts controlled by identity thieves, or to alternative payment methods like pre-paid debit cards. In many cases, the fraudsters are able to provide authenticating data to the IRS or state tax agencies using the identity information they have already stolen. The taxpayer whose data and refund have been stolen only discover the theft when they try to file their real tax returns.

State and federal agencies have raced to catch up. The IRS uses 195 filters to detect fraudulent returns, said Paul Mamo, deputy director of the agency’s Submissions Processing Division. Smith, the Justice Department lawyer, is a member of the Stolen Identity Refund Fraud Board — jokingly called the SIRF Board — that includes representatives from agencies like the FBI, the Department of Homeland Security and the Secret Service. Fast-acting task forces have been established in cities where tax refund fraud is rampant, like Tampa, Miami, Charlotte, Boston and Allentown, Pa.

States are taking steps to prevent tax refund fraud, too. After identifying 6,000 to 8,000 suspicious tax returns earlier this year, Utah changed its tax law to require employers to file tax information with their revenue department at the same time as consumers, so they can verify a few more data points on a filed return.

So are companies that handle the millions of tax filers who use software to prepare their own returns every year. In 2011, do-it-yourself tax software companies, like TurboTax and Intuit, asked the IRS for more leeway to analyze the tax returns filed through their software after they noticed a disproportionate number of refunds flooding into a single zip code in Tampa and many more into a single bank account.

But with every safeguard state and federal agencies erect, criminals find a new avenue of attack.

“We’re incredibly reactive in this area. We see something and we shut it down, but believe me, the fraudsters are four or five steps ahead of us,” said David Sullivan, head of the Rhode Island Department of Revenue.

The Justice Department prosecuted about 900 identity thieves in 2014, down from a peak of 1,100 in 2012. Increasingly, Smith said, prosecutors are trying to work their way back up the criminal chain, from the low-level street criminal using a pre-paid debit card to the more sophisticated hacker stealing digital data.

Those higher-level thieves are increasingly based overseas, Smith said, in countries like Nigeria, Ghana, Russia, China, Vietnam and former Soviet states like Belarus. Other lower-level identity thieves sometimes impersonate medical personnel in urgent care centers or retirement homes, to access records containing sensitive data.

“This particular enemy is very well-organized,” the IRS’s Mamo said. “Once you have the name and the [Social Security Number] of anybody, you can do pretty much whatever you want to do in the financial world.”