TurboTax, an Intuit product used by millions each year to file income taxes at home, recently announced that state e-filed returns will not be transmitted while the company investigates a surge in customer complaints indicating that tax returns have already been filed in their name. Tax fraud this time of year is hardly news, however, if a breach occurred at one of the largest e-file companies in the country, the recent complaints could only be the tip of the proverbial iceberg. Intuit also reported that it has noticed an increase in suspicious filing this year which indicates that criminals are using stolen financial information to file fraudulent returns and claim the associated tax refunds.
Inuit has already conducted a third-party security audit which hasn’t turned up any signs of a breach at this time, but the large increase in fraudulent returns already reported by users of TurboTax indicates that a breach may have occurred that wiped out all traces of itself (in a fashion similar to the Sony breach reported earlier this year).
It’s worth noting that Intuit has already started processing e-filed returns again, although the investigation into a possible breach is still ongoing. In the meantime, Intuit said in a press release that it will enable multi-factor authentication for all TurboTax users without specifying how that process will work.
If there wasn’t a breach at Intuit, then hackers are simply gathering stolen information via other sources. This information can be purchased very inexpensively via various underground websites. One such site is actively selling stolen financial information for the purposes of tax fraud for as low as $0.04 apiece. Unfortunately, there are many ways hackers can obtain this information in the first place.
Typically, malware is installed on the end-user’s PC which records keystrokes or uses a brute force technique to capture username and password combinations for TurboTax and other DIY tax applications (both locally installed and web-based services are available). Another popular method is to take control of a victim’s inbox as most cloud-based tax services allow users to reset passwords via a password reset link sent to the hijacked inbox. In either instance, once hackers gain access to the account, they have access to everything they need to file a fraudulent return on behalf of the victim – usually sending the tax refund to a prepaid debit card or other non-traceable source. It’s still relatively early in the tax season and this breach is probably not the last threat during this filing season.
Tax fraud has become an increasingly popular tactic for cybercriminals because it is difficult to trace and can be extremely lucrative – especially when everything required to pull it off can be purchased for pennies on the dollar.
The only way to protect yourself from online tax fraud is to ensure the security of your passwords and your PC by performing regular updates for the OS and all third-party applications. If you think you are a victim of tax fraud as a result of using TurboTax or another tax application, contact both the IRS and the software vendor immediately to report the issue.