Federal agencies aren’t the only ones trying to leverage analytics to get better at their game. Cyber crooks are doing it, as well.
Last week the Internal Revenue Service (IRS) acknowledged it paid out as much as $50 million in refund checks on false tax returns filed by fraudsters who managed to gather enough information about real taxpayers to break through agency security.
“These are impostors pretending to be someone who has enough information” to get more, IRS Commissioner John Koskinen told the Associated Press. “These are extremely sophisticated criminals with access to a tremendous amount of data.”
But it’s not just the volume of data that makes these unconventional breaches so interesting. It’s what the Wall Street Journal’s John McKinnon calls the “crooks’ ability to carefully aggregate vast amounts of personal data from multiple sources, and plan and execute highly sophisticated schemes.”
Crooks used one of the IRS’ online services to gain access to prior-year tax returns about 104,000 times between February and May of this year, Koskinen said. That allowed them to grab Social Security numbers, birth dates, street addresses, and passwords. Then they combined that information with other stolen personal information – possibly culled from social media sites, Koskinen said – to fill out 2014 tax returns.
Fewer than 15,000 fraudulent refunds were paid, the IRS said. About 100,000 other attempts to breach security were stopped by the IRS’ multi-stage authentication process.
By combining multiple data sources, these cyber crooks bypassed conventional hacks and, as Rep. Peter Roskam (R-IL) said, “walked in the front door.”
Koskinen said the IRS caught on to the thieves when technicians noticed an unusual increase in the volume of taxpayers using the IRS’ online “Get Transcript” service, which provides access to prior-year returns. The agency temporarily shut down the service once it was aware of the breach.
The IRS is a magnet for fraud because it can deliver cash directly to so many people’s bank accounts. Michael McKenney, the Treasury Department’s deputy inspector general for audit, recently wrote that IRS is getting better at detecting fraud. For example, he wrote, “as of October 9, 2014, its cluster filtering tool identified 517,316 tax returns and prevented the issuance of approximately $3.1 billion in fraudulent tax refunds.”
During the 2013 tax-filing season, the IRS detected and stopped $24.3 billion in identity theft refund fraud, McKenney said. But he estimated in an April 24 report that identity theft will cost the IRS as much as $26 billion more. Losses for the 2013 tax filing season reached $5.75 billion, he said.
Join the conversation. Post a comment below or email me at firstname.lastname@example.org.