IRS Tax Fraud and IRS’s Woeful Cybersecurity

In late July, the U.S. Government Accounting Office (GAO) issued the results of audit on the Internal Revenue Service (IRS) and its woeful state of information security, a state which continues to allow tax fraud to be committed. If one was to summarize the results of audit, the GAO took the IRS to the woodshed and gave it a stern lecture instead of an ass-whooping. With thousands upon thousands of citizens being victimized by IRS income tax return fraud/identity theft, time is of the essence; taxpayers are getting hosed, regularly. The IRS was deserving of the latter.

GAO Audit

Let’s look at what the GAO found fault with, and then we’ll look at some of the Department of Justice (DoJ) successes in taking down the criminals involved in the income tax fraud schemes and how they are perpetrated so that taxpayers may put this knowledge in reserve and in mind each year, as the race between the criminals and taxpayer to file is very real.

The GAO had provided 94 recommendations prior to the 2016 audit. Of those, 26 had been remedied, and the 2016 audit identified another 98 recommendations. Thus, the IRS has 166 outstanding recommendations. The GAO characterized the current status quo:

Until IRS takes additional steps to address unresolved and newly-identified control deficiencies and effectively implements components of its information security program, its financial reporting and taxpayer data will remain unnecessarily vulnerable to inappropriate and undetected use, modification, or disclosure …

In fairness, the IRS IT team has put to rest some of the earlier recommendations, and frankly, criminals are moving much more rapidly in enhancing their capabilities than the IRS can close on the recommendations. Though we musn’t forget that the IRS itself was successfully breached in 2015 and information was shared on approximately 700,000 taxpayers. It begs the question, What more does the IRS need to convince Congress that resources are needed?

IRS Efforts Addressing Tax Fraud

Though the IRS is behind in locking up its network and taxpayer vulnerabilities, the department not sitting idle. The DoJ and the IRS are working to put behind bars those who are engaged in identify theft and tax return fraud.

Here are some recent IRS fraud cases in which the perpetrators have been caught, and whose cases are in the hands of the DoJ:

The Solution

Clearly, the solution is obvious: Stop the income tax. But that isn’t likely, so the next-best solution is to bring to the table those with expertise to address the GAO’s 166 recommendations. Never has a case for using a managed security services provider (MSSP) been more obvious. The IRS isn’t going to achieve its desired state without private-sector assistance. This expertise is not gratis; expertise comes with a price—a hefty price. Sadly, statements from the U.S. Treasury such as, “Budget reductions have limited the agency’s ability to safeguard taxpayer data,” signals the future does not bode well for the IRS meeting those 166 recommendations.

Prepare for the Worst

We should expect a surge in the monetization of the Equifax breach as we have seen following other breaches—for example, the 2014 Seattle Catholic Archdiocese breach and the compromise of 90,000 individuals. Within weeks we witnessed IRS filings for income tax refunds by the criminals.

Our Recommendations

  • Individuals should file their tax return as soon as possible, following the Equifax breach; it will be a race between the cybercriminal and the taxpayers to see who can file the tax return first.
  • Should you find yourself being informed by the IRS that you have already filed a return (the criminal’s submission), follow the instructions provided on IRS bulletin, “Identity Theft,” and submit the Form 14039 Identity Theft Affidavit.
  • File a complaint with the FTC at
  • Be aware of phishing and telephone attempts (alert your seniors) to elicit information or collect “fines.” The IRS does not initiate contact via email or phone. It uses the U.S. Postal Service.

Christopher Burgess

Christopher Burgess

Christopher Burgess (@burgessct) is a writer, speaker and commentator on security issues. He is a former Senior Security Advisor to Cisco and served 30+ years within the CIA which awarded him the Distinguished Career Intelligence Medal upon his retirement. Christopher co-authored the book, “Secrets Stolen, Fortunes Lost, Preventing Intellectual Property Theft and Economic Espionage in the 21st Century”. He also founded the non-profit: Senior Online Safety.

burgesschristopher has 186 posts and counting.See all posts by burgesschristopher