Possible TurboTax Breach Leads to Surge in Tax Fraud

TurboTax, an Intuit product used by millions each year to file income taxes at home, recently announced that state e-filed returns will not be transmitted while the company investigates a surge in customer complaints indicating that tax returns have already been filed in their names. Tax fraud at this time of year is hardly news; however, if a breach occurred at one of the largest e-file companies in the country, the recent complaints could be only the tip of the proverbial iceberg. Intuit also reported that it has noticed an increase in suspicious filings this year, which indicates that criminals are using stolen financial information to file fraudulent returns and claim the associated tax refunds.

Intuit has already conducted a third-party security audit, which hasn’t turned up any signs of a breach at this time, but the large increase in fraudulent returns already reported by users of TurboTax indicates that a breach may have occurred that wiped out all traces of itself (in a fashion similar to the Sony breach reported earlier this year).

It’s worth noting that Intuit has already started processing e-filed returns again, although the investigation into a possible breach is still ongoing. In the meantime, Intuit said in a press release that it will enable multi-factor authentication for all TurboTax users without specifying how that process will work.

If there wasn’t a breach at Intuit, then hackers are simply gathering stolen information via other sources. This information can be purchased very inexpensively via various underground websites. One such site is actively selling stolen financial information for the purposes of tax fraud for as low as $0.04 apiece. Unfortunately, there are many ways hackers can obtain this information in the first place.

Typically, malware is installed on the end-user’s PC which records keystrokes or uses a brute-force technique to capture username and password combinations for TurboTax and other DIY tax applications (both locally installed and web-based services are available). Another popular method is to take control of a victim’s inbox, as most cloud-based tax services allow users to reset passwords via a password reset link sent to the hijacked inbox. In either instance, once hackers gain access to the account, they have access to everything they need to file a fraudulent return on behalf of the victim, usually sending the tax refund to a prepaid debit card or other non-traceable source. It’s still relatively early in the tax season and this breach is probably not the last threat during this filing season.

Tax fraud has become an increasingly popular tactic for cybercriminals because it is difficult to trace and can be extremely lucrative – especially when everything required to pull it off can be purchased for pennies on the dollar.

The only way to protect yourself from online tax fraud is to ensure the security of your passwords and your PC by performing regular updates for the OS and all third-party applications. If you think you are a victim of tax fraud as a result of using TurboTax or another tax application, contact both the IRS and the software vendor immediately to report the issue.

About the author:

Karolis Liucveikis

Karolis Liucveikis - experienced software engineer, passionate about behavioral analysis of malicious apps.

Author and general operator of PCrisk's "Removal Guides" section. Co-researcher working alongside Tomas to discover the latest threats and global trends in the cyber security world. Karolis has experience of over five years working in this branch. He attended KTU University and graduated with a degree in Software Development in 2017. Extremely passionate about technical aspects and behavior of various malicious applications.

PCrisk security portal is brought by a company RCS LT. Joined forces of security researchers help educate computer users about the latest online security threats. More information about the company RCS LT.
