Home > Identity Theft > 5 Ways Hackers Could Have Stolen All Those Tax Returns

Comments 2 Comments

Last week, the Internal Revenue Service revealed that a group of organized criminals effectively walked through their front door and used an application on its “Get Transcript” site to pore over the past tax returns of more than 100,000 Americans. According to several news reports, the stolen information was deployed to commit tax fraud, with an estimated take of up to $50 million in bogus tax refunds before the IRS discovered the ploy.

“We’re confident that these are not amateurs,” John Koskinen, the IRS commissioner, told the New York Times. “These actually are organized crime syndicates that not only we but everybody in the financial industry are dealing with.”

But if I may be so bold, isn’t the IRS supposed to be better at this? It is, after all, the chief tax collector for the U.S. government, for Heaven’s sake. It’s frustrating that the government isn’t better, but it’s not terribly shocking that scammers got through, considering the well-practiced foe the agency is facing.

Unless you’ve been sleeping off a fairytale curse, it should not create cognitive dissonance that organized criminal syndicates committing information-based crimes are on the rise. There are myriad reasons for this, and more than a few involve bad habits at the consumer level, but the overarching reason this particular crime wave keeps growing is simple: opportunity. Data security sadly lags behind both innovation and the hordes of increasingly sophisticated criminals who are hell-bent on exploiting human error and other weaknesses in the way personally identifiable information (PII) is collected and stored. Our digital lives are like so many undiscovered pharaohs’ tombs — wildly valuable and poorly protected — waiting to be discovered.

The millions in tax refunds stolen (or yet to be stolen) by the “Get Transcript” scammers was almost certainly made possible by the ready availability of stolen personal data. Sure it was a brazen heist, but it was also a simple one. The criminals drilled through a multiple-factor authentication process that included a taxpayer’s Social Security number (SSN), date of birth and street address (not to mention a host of “out of wallet” questions like “What was your high school mascot?”) — information that can be had from a variety of sources. Here are just a few of the ways the masterminds behind the IRS hack could have gotten the information they needed to walk through the U.S. government’s front door.

1. Buying PII on the Dark Web

The Dark Web may sound like something straight out of a Marvel comic book, but it is very real. While it may not be as big as lore would suggest, and it is to a distressing extent populated with sexual content that is both illegal and an affront to our collective humanity, it also hosts the black markets where criminals buy and sell PII. Ever wonder where all those email addresses, SSNs, phone numbers, ZIP codes, and credit card numbers in the over one billion files that have been compromised end up? It’s a good bet you won’t find them in the magic trunk of the Identity Fairy, but you can find that information on the Dark Web.

2. Social Engineering

Whether you call it social engineering, wetware or the human element, we are often the cause of our own demise — but it doesn’t have to rise to the level of a Shakespearean tragedy. Phishing, spearphishing, vishing (phone-based phishing), smishing (text-based phishing) are different tactics to get consumers to part with their PII. The bottom line here is that if someone asks for your information, make sure you know who’s doing the asking. If you receive a phone call from a company with which you do business, hang up and call them back. Ditto with a cold call from a company or government entity you either think you know or don’t know.

3. Building a Dossier

While identity thieves may buy your information on the Dark Web and start cobbling together a file on you, they can do it more simply by data-scraping the social networking sites that you use. In the same way advertisers use data purchased from Facebook and other social media sites to find male cat owners who only buy organic products, hackers can find out enough about you to answer security questions in the authentication process of many websites and companies with which you do business.

4. Hacking

Why buy the info you need on the Dark Web when some hackers offer it up for free? While some hackers are inspired by profits, others are driven by the desire to publicly shame and embarrass companies by getting access to sensitive information then posting it for the world to see.

Hacked information is a treasure trove for the kind of approach used in the IRS heist. And there is an abundance of free hacked data out there, especially after the attacks on Target, Home Depot and countless other compromised companies and organizations in recent years.

5. Insiders

This is probably the hardest tactic to defend against: a bad player with access to sensitive information. Employees aren’t always honest, or at the very least not at all immune to making mistakes. Those who are in a moment of personal crisis, for example, can be extorted or bribed to hand over information or leave a room with files open and unsecured for a predetermined half hour.

According to anonymous sources cited by the Associated Press, the “Get Transcript” scammers were located in Russia, but unfortunately in our connected world it matters less and less where any particular crime originates. In a significant number of cases, hackers operate beyond our jurisdiction or under the protection of foreign governments with little incentive to cooperate with us. Ultimately, what matters here is that 100,000 taxpayers had their sensitive data stolen and are now at risk for other crimes, and that millions of our tax dollars went walkabout.

Whether data compromises give rise to breaking news stories or pounding headaches, anything less than a zero-tolerance attitude toward identity-related crimes won’t get us to the place we need to be. It may be true at this moment that there is no way to stop the flow of ill-gotten gains nabbed by criminals in possession of our PII — but the first step is adopting a “no compromise is acceptable” rule, and holding organizations to that standard.

What Can You Do?

As for consumers – now that their data is out there, there’s no telling how it could be further used against them. While it’s impossible to stop every form of identity fraud once your data is in the hands of a criminal, the best thing you can do is monitor for problems and work to contain and repair the damage as soon as you detect it. In terms of your finances, keep an eye on your financial accounts – daily. And check your credit reports at least once a year – you can get them for free on AnnualCreditReport.com – and consider using free monitoring tools that are out there (like Credit.com’s free credit report summary, which updates your info monthly), or any of the number of reputable paid services.

But it’s clear as ever: The focus now must be on stanching the seemingly universal information hemorrhage that’s underway, and denying Cyber Cossacks a piece of our PII.

This story is an Op/Ed contribution to Credit.com and does not necessarily represent the views of the company or its affiliates.

More on Identity Theft:

Image: iStock

Comments on articles and responses to those comments are not provided or commissioned by a bank advertiser. Responses have not been reviewed, approved or otherwise endorsed by a bank advertiser. It is not a bank advertiser's responsibility to ensure all posts and/or questions are answered.

Please note that our comments are moderated, so it may take a little time before you see them on the page. Thanks for your patience.

  • suzanne

    I just got a voice mail telling me the IRS is going to sue me and they gave me an eastern Washington State number to call. This is a scam. The IRS does not sue people, they just send letters telling you what you owe. Could someone have stolen my SSN so as to phone me?

    • http://www.credit.com/ Credit.com Credit Experts

      Did they have your SSN? But yes, those numbers can be stolen, sold, accessed in a breach, etc. Good you realized that the IRS would not have phoned you.

Credit.com receives compensation for the financial products and services advertised on this site if our users apply for and sign up for any of them.

Hello, Reader!

Thanks for checking out Credit.com. We hope you find the site and the journalism we produce useful. We wanted to take some time to tell you a bit about ourselves.

Our People

The Credit.com editorial team is staffed by a team of editors and reporters, each with many years of financial reporting experience. We’ve worked for places like the New York Times, American Banker, Frontline, TheStreet.com, Business Insider, ABC News, NBC News, CNBC and many others. We also employ a few freelancers and more than 50 contributors (these are typically subject matter experts from the worlds of finance, academia, politics, business and elsewhere).

Our Reporting

We take great pains to ensure that the articles, video and graphics you see on Credit.com are thoroughly reported and fact-checked. Each story is read by two separate editors, and we adhere to the highest editorial standards. We’re not perfect, however, and if you see something that you think is wrong, please email us at editorial team [at] credit [dot] com,

The Credit.com editorial team is committed to providing our readers and viewers with sound, well-reported and understandable information designed to inform and empower. We won’t tell you what to do. We will, however, do our best to explain the consequences of various actions, thereby arming you with the information you need to make decisions that are in your best interests. We also write about things relating to money and finance we think are interesting and want to share.

In addition to appearing on Credit.com, our articles are syndicated to dozens of other news sites. We have more than 100 partners, including MSN, ABC News, CBS News, Yahoo, Marketwatch, Scripps, Money Magazine and many others. This network operates similarly to the Associated Press or Reuters, except we focus almost exclusively on issues relating to personal finance. These are not advertorial or paid placements, rather we provide these articles to our partners in most cases for free. These relationships create more awareness of Credit.com in general and they result in more traffic to us as well.

Our Business Model

Credit.com’s journalism is largely supported by an e-commerce business model. Rather than rely on revenue from display ad impressions, Credit.com maintains a financial marketplace separate from its editorial pages. When someone navigates to those pages, and applies for a credit card, for example, Credit.com will get paid what is essentially a finder’s fee if that person ends up getting the card. That doesn’t mean, however, that our editorial decisions are informed by the products available in our marketplace. The editorial team chooses what to write about and how to write about it independently of the decisions and priorities of the business side of the company. In fact, we maintain a strict and important firewall between the editorial and business departments. Our mission as journalists is to serve the reader, not the advertiser. In that sense, we are no different from any other news organization that is supported by ad revenue.

Visitors to Credit.com are also able to register for a free Credit.com account, which gives them access to a tool called The Credit Report Card. This tool provides users with two free credit scores and a breakdown of the information in their Experian credit report, updated twice monthly. Again, this tool is entirely free, and we mention that frequently in our articles, because we think that it’s a good thing for users to have access to data like this. Separate from its educational value, there is also a business angle to the Credit Report Card. Registered users can be matched with products and services for which they are most likely to qualify. In other words, if you register and you find that your credit is less than stellar, Credit.com won’t recommend a high-end platinum credit card that requires an excellent credit score You’d likely get rejected, and that’s no good for you or Credit.com. You’d be no closer to getting a product you need, there’d be a wasted inquiry on your credit report, and Credit.com wouldn’t get paid. These are essentially what are commonly referred to as "targeted ads" in the world of the Internet. Despite all of this, however, even if you never apply for any product, the Credit Report Card will remain free, and none of this will impact how the editorial team reports on credit and credit scores.

Your Stories

Lastly, much of what we do is informed by our own experiences as well as the experiences of our readers. We want to tell your stories if you’re interested in sharing them. Please email us at story ideas [at] credit [dot] com with ideas or visit us on Facebook or Twitter.

Thanks for stopping by.

- The Credit.com Editorial Team