5 Ways Hackers Could Have Stolen All Those Tax Returns

Last week, the Internal Revenue Service revealed that a group of organized criminals effectively walked through their front door and used an application on its “Get Transcript” site to pore over the past tax returns of more than 100,000 Americans. According to several news reports, the stolen information was deployed to commit tax fraud, with an estimated take of up to $50 million in bogus tax refunds before the IRS discovered the ploy.

“We’re confident that these are not amateurs,” John Koskinen, the IRS commissioner, told the New York Times. “These actually are organized crime syndicates that not only we but everybody in the financial industry are dealing with.”

But if I may be so bold, isn’t the IRS supposed to be better at this? It is, after all, the chief tax collector for the U.S. government, for Heaven’s sake. It’s frustrating that the government isn’t better, but it’s not terribly shocking that scammers got through, considering the well-practiced foe the agency is facing.

Unless you’ve been sleeping off a fairytale curse, it should not create cognitive dissonance that organized criminal syndicates committing information-based crimes are on the rise. There are myriad reasons for this, and more than a few involve bad habits at the consumer level, but the overarching reason this particular crime wave keeps growing is simple: opportunity. Data security sadly lags behind both innovation and the hordes of increasingly sophisticated criminals who are hell-bent on exploiting human error and other weaknesses in the way personally identifiable information (PII) is collected and stored. Our digital lives are like so many undiscovered pharaohs’ tombs — wildly valuable and poorly protected — waiting to be discovered.

The millions in tax refunds stolen (or yet to be stolen) by the “Get Transcript” scammers was almost certainly made possible by the ready availability of stolen personal data. Sure it was a brazen heist, but it was also a simple one. The criminals drilled through a multiple-factor authentication process that included a taxpayer’s Social Security number (SSN), date of birth and street address (not to mention a host of “out of wallet” questions like “What was your high school mascot?”) — information that can be had from a variety of sources. Here are just a few of the ways the masterminds behind the IRS hack could have gotten the information they needed to walk through the U.S. government’s front door.

1. Buying PII on the Dark Web

The Dark Web may sound like something straight out of a Marvel comic book, but it is very real. While it may not be as big as lore would suggest, and it is to a distressing extent populated with sexual content that is both illegal and an affront to our collective humanity, it also hosts the black markets where criminals buy and sell PII. Ever wonder where all those email addresses, SSNs, phone numbers, ZIP codes, and credit card numbers in the over one billion files that have been compromised end up? It’s a good bet you won’t find them in the magic trunk of the Identity Fairy, but you can find that information on the Dark Web.

2. Social Engineering

Whether you call it social engineering, wetware or the human element, we are often the cause of our own demise — but it doesn’t have to rise to the level of a Shakespearean tragedy. Phishing, spearphishing, vishing (phone-based phishing), smishing (text-based phishing) are different tactics to get consumers to part with their PII. The bottom line here is that if someone asks for your information, make sure you know who’s doing the asking. If you receive a phone call from a company with which you do business, hang up and call them back. Ditto with a cold call from a company or government entity you either think you know or don’t know.

3. Building a Dossier

While identity thieves may buy your information on the Dark Web and start cobbling together a file on you, they can do it more simply by data-scraping the social networking sites that you use. In the same way advertisers use data purchased from Facebook and other social media sites to find male cat owners who only buy organic products, hackers can find out enough about you to answer security questions in the authentication process of many websites and companies with which you do business.

4. Hacking

Why buy the info you need on the Dark Web when some hackers offer it up for free? While some hackers are inspired by profits, others are driven by the desire to publicly shame and embarrass companies by getting access to sensitive information then posting it for the world to see.

Hacked information is a treasure trove for the kind of approach used in the IRS heist. And there is an abundance of free hacked data out there, especially after the attacks on Target, Home Depot and countless other compromised companies and organizations in recent years.

5. Insiders

This is probably the hardest tactic to defend against: a bad player with access to sensitive information. Employees aren’t always honest, or at the very least not at all immune to making mistakes. Those who are in a moment of personal crisis, for example, can be extorted or bribed to hand over information or leave a room with files open and unsecured for a predetermined half hour.

According to anonymous sources cited by the Associated Press, the “Get Transcript” scammers were located in Russia, but unfortunately in our connected world it matters less and less where any particular crime originates. In a significant number of cases, hackers operate beyond our jurisdiction or under the protection of foreign governments with little incentive to cooperate with us. Ultimately, what matters here is that 100,000 taxpayers had their sensitive data stolen and are now at risk for other crimes, and that millions of our tax dollars went walkabout.

Whether data compromises give rise to breaking news stories or pounding headaches, anything less than a zero-tolerance attitude toward identity-related crimes won’t get us to the place we need to be. It may be true at this moment that there is no way to stop the flow of ill-gotten gains nabbed by criminals in possession of our PII — but the first step is adopting a “no compromise is acceptable” rule, and holding organizations to that standard.

What Can You Do?

As for consumers – now that their data is out there, there’s no telling how it could be further used against them. While it’s impossible to stop every form of identity fraud once your data is in the hands of a criminal, the best thing you can do is monitor for problems and work to contain and repair the damage as soon as you detect it. In terms of your finances, keep an eye on your financial accounts – daily. And check your credit reports at least once a year – you can get them for free on AnnualCreditReport.com – and consider using free monitoring tools that are out there (like Credit.com’s free credit report summary, which updates your info monthly), or any of the number of reputable paid services.

But it’s clear as ever: The focus now must be on stanching the seemingly universal information hemorrhage that’s underway, and denying Cyber Cossacks a piece of our PII.

This story is an Op/Ed contribution to Credit.com and does not necessarily represent the views of the company or its affiliates.