IRS Tax Fraud and IRS’s Woeful Cybersecurity
In late July, the U.S. Government Accounting Office (GAO) issued the results of audit on the Internal Revenue Service (IRS) and its woeful state of information security, a state which continues to allow tax fraud to be committed. If one was to summarize the results of audit, the GAO took the IRS to the woodshed and gave it a stern lecture instead of an ass-whooping. With thousands upon thousands of citizens being victimized by IRS income tax return fraud/identity theft, time is of the essence; taxpayers are getting hosed, regularly. The IRS was deserving of the latter.
GAO Audit
Let’s look at what the GAO found fault with, and then we’ll look at some of the Department of Justice (DoJ) successes in taking down the criminals involved in the income tax fraud schemes and how they are perpetrated so that taxpayers may put this knowledge in reserve and in mind each year, as the race between the criminals and taxpayer to file is very real.
The GAO had provided 94 recommendations prior to the 2016 audit. Of those, 26 had been remedied, and the 2016 audit identified another 98 recommendations. Thus, the IRS has 166 outstanding recommendations. The GAO characterized the current status quo:
Until IRS takes additional steps to address unresolved and newly-identified control deficiencies and effectively implements components of its information security program, its financial reporting and taxpayer data will remain unnecessarily vulnerable to inappropriate and undetected use, modification, or disclosure …
In fairness, the IRS IT team has put to rest some of the earlier recommendations, and frankly, criminals are moving much more rapidly in enhancing their capabilities than the IRS can close on the recommendations. Though we musn’t forget that the IRS itself was successfully breached in 2015 and information was shared on approximately 700,000 taxpayers. It begs the question, What more does the IRS need to convince Congress that resources are needed?
IRS Efforts Addressing Tax Fraud
Though the IRS is behind in locking up its network and taxpayer vulnerabilities, the department not sitting idle. The DoJ and the IRS are working to put behind bars those who are engaged in identify theft and tax return fraud.
Here are some recent IRS fraud cases in which the perpetrators have been caught, and whose cases are in the hands of the DoJ:
- A California resident was sentenced to 25 months for filing false income tax returns. Trong Nguyen and his co-defendant Diep Vo would troll homeless shelters and encampments and “convinced people to write down their names and social security numbers and to sign blank income tax returns.” They sought more than $1.5 million in tax fraud refunds from the IRS.
- A Florida resident was sentenced to 42 months in prison for filing false income tax returns, according to the DoJ. Denise Ross and others stole the personal identifying information from prisoners. They used the info to file more than 100 false returns requesting more than $400,000 in refunds from the IRS.
- A Georgia resident who worked as a mail carrier for the USPS was convicted for “stolen identity refund fraud conspiracy,” according to the DoJ. Harold Coley provided his co-conspirator with addresses, both real and fictitious, along his mail route. The co-conspirator used those addresses to create tax fraud by filing false IRS tax returns. More than 1,600 refund checks amounting more than $2.5 million were sent to addresses along Coley’s route. The identities belonged to primarily 16- and 17-year-olds, and were stolen by another co-conspirator who worked for the Alabama Department of Public Health.
- Four Philadelphia men pleaded guilty to identity theft and conspiring to file fraudulent tax returns, according to the DoJ. These individuals set up bank accounts with Citizens Bank in Philadelphia under the names of “Ronald Tax Service” and “Daniel Tax Service.” They had the IRS deposit the tax refunds from fraudulent returns to these accounts, then would withdraw the money and disperse it among themselves. Two minor red-flag details alluded the criminals in their organizational savvy: There were no companies with these names in Philadelphia and they withdrew the money via cash withdrawals.
The Solution
Clearly, the solution is obvious: Stop the income tax. But that isn’t likely, so the next-best solution is to bring to the table those with expertise to address the GAO’s 166 recommendations. Never has a case for using a managed security services provider (MSSP) been more obvious. The IRS isn’t going to achieve its desired state without private-sector assistance. This expertise is not gratis; expertise comes with a price—a hefty price. Sadly, statements from the U.S. Treasury such as, “Budget reductions have limited the agency’s ability to safeguard taxpayer data,” signals the future does not bode well for the IRS meeting those 166 recommendations.
Prepare for the Worst
We should expect a surge in the monetization of the Equifax breach as we have seen following other breaches—for example, the 2014 Seattle Catholic Archdiocese breach and the compromise of 90,000 individuals. Within weeks we witnessed IRS filings for income tax refunds by the criminals.
Our Recommendations
- Individuals should file their tax return as soon as possible, following the Equifax breach; it will be a race between the cybercriminal and the taxpayers to see who can file the tax return first.
- Should you find yourself being informed by the IRS that you have already filed a return (the criminal’s submission), follow the instructions provided on IRS bulletin, “Identity Theft,” and submit the Form 14039 Identity Theft Affidavit.
- File a complaint with the FTC at identitytheft.gov.
- Be aware of phishing and telephone attempts (alert your seniors) to elicit information or collect “fines.” The IRS does not initiate contact via email or phone. It uses the U.S. Postal Service.