IRS Breach: Fraud Tactics Will Likely be Used Against States
TLP: WHITE | The fraudulent access of more than 100,000 tax filings from the Internal Revenue Service (IRS) underscores the growing availability and value of compromised Personally Identifiable Information (PII), as well as the increasing sophistication and resilience of cyber criminals. The tactics traditionally used in filing fraudulent federal tax returns are evolving to exploit poor authentication and information security practices of taxpayers and tax filing systems alike and are likely to result in an increase of fraudulent New Jersey tax filings.
- New Jersey is one of 43 states that allows taxpayers to file ‘unlinked’ returns in which a state return is filed separate from a federal return. This system is appealing to criminals because many taxpayers who owe federal taxes are still eligible for a state refund. According to the makers of the tax filing software TurboTax, Intuit Inc., recent improvements made by the IRS aimed at identifying and denying fraudulent federal returns led to a sharp increase in fraudulent state returns in the 2015 tax filing season.
- Large-scale data breaches, such as those recently impacting the healthcare sector, often compromise customers’ social security numbers, dates of birth, and other forms of PII. This data is then sold on the black market, where it is combined with other stolen information to construct complete identity profiles or obtain information to answer knowledge-based authentication questions, such as a mother’s maiden name.
- Cyber criminals are able to use one set of compromised credentials—the combination of an individual’s email address or username and password—to carry out similar tactics employed to defeat the IRS’s authentication system, and are often successful because many online users often use the same password for multiple accounts. While there are no industry-wide standards for two-step authentication, one of the most effective means of verifying a user’s legitimacy is a unique code sent to a confirmed mobile device.
Any agency with comments or questions about this document should contact the NJCCIC at firstname.lastname@example.org.
Traffic Light Protocol: WHITE
TLP: WHITE INFORMATION MAY BE DISTRIBUTED WITHOUT RESTRICTION