IRS issues new tax scam warnings, FSA tool suspended due to security concerns

DRT tool suspended as a precaution, but BEC victims have already reported abuse

Magdalena Petrova

The Internal Revenue Service (IRS) has issued a new warning to businesses, taxpayers, and tax prep professionals about Phishing scams targeting the sensitive information they work with on a daily basis. Soon after, the IRS and the US Department of Education suspended a tool that helps people obtain financial aid for college.

Last week's warning from the IRS reminded taxpayers, and those involved in processing tax returns, that last-minute Phishing scams are starting to circulate. The agency advised them to be on the lookout for requests asking for deposit changes for refunds, or account updates.

"[One] new scam poses as taxpayers asking their tax preparer to make a last-minute change to their refund destination, often to a prepaid debit card. The IRS urges tax preparers to verbally reconfirm information with the client should they receive a last-minute email request to change an address or direct deposit account for refund," the IRS explained.

In addition, taxpayers were told to watch for suspicious emails from tax software providers asking for updated account information. For example, last year, criminals fraudulently used popular tax brands, such as TurboTax and H&R Block, to promote false account update scams.

W-2 Phishing scams affect 120,000 people and counting

During the first quarter of 2017, more than 120,000 people working for more than 125 organizations have been impacted by Phishing scams targeting W-2 records. The scams, also known as BEC attacks, have been a serious thorn in the side of the IRS, but for those affected directly, it's becoming a nightmare.

One BEC victim told Salted Hash that in addition to the steps needed to protect against identity theft and tax fraud after having their W-2 stolen, they discovered their information was used to set up a fraudulent Federal Student Aid application, which prevented them from obtaining one themselves.

Last week, the US Department of Education and the IRS issued a joint statement, alerting those seeking financial assistance that the IRS Data Retrieval Tool (DRT) was being suspended as a security precaution.

The tool allows people to pull tax information into the FSA application automatically, but it has been abused by scammers in the past, and the situation is the same this year.

"As part of a wider, ongoing effort at the IRS to protect the security of data, the IRS decided to temporarily suspend the Data Retrieval Tool (DRT) as a precautionary step following concerns that information from the tool could potentially be misused by identity thieves. The scope of the issue is being explored, and the IRS and FSA are jointly investigating the issue. At this point, we believe the issue is relatively isolated, and no additional action is needed by taxpayers or people using these applications," the joint statement said.

One of the key elements of data the tool provides scammers is Adjusted Gross Income, or AGI. When scammers use Phishing to compromise W-2 records, they get all the personal information needed to file taxes, but some elements are missing, including AGI. AGI is needed to bypass a number of security checks, including signing and validating tax returns.

This is why so many of the 120,000 people impacted by the BEC / Phishing attacks this year reported fraudulent tax returns filed under their names. Once the scammers had the W-2 data, they turned to DRT to pull the last little bits of data needed to complete the filing.

Last year, between January and September, the IRS said that 1.2 billion fraudulent returns were filed by scammers, representing some $7.2 billion. The good news is, those were the returns the IRS was able to catch.

But what the IRS hasn't stated is just how much money was lost to fraud. Some estimates place that figure in the billions too.

According to the Government Accountability Office, which published the IRS's Fiscal Years 2015 and 2016 report last November, the IRS paid out $2.24 billion in fraudulent returns during calendar year 2015, which is 15 percent of the total amount attempted that year. The figures for 2016 are still pending. For comparison, in 2013 the GAO said the IRS paid out $5.8 billion in fraudulent returns.

So, if there is an upside to dealing with all of this fraud, it's that the new security precautions and measures put in place by the IRS are helping somewhat. They're not perfect, but they're having an impact. If anything, the biggest help the IRS has had over the last few years is its partnerships with banks and tax professionals.

The IRS has a brief document concerning taxpayer security awareness; it's worth reading and sharing with those outside of the security community.


Copyright © 2017 IDG Communications, Inc.
