Citing concerns over criminal activity and fraud, the U.S. Internal Revenue Service (IRS) has disabled an automated tool on its Web site that was used
Citing concerns over criminal activity and fraud, the U.S. Internal Revenue Service (IRS) has disabled an automated tool on its Web site that was used to help students and their families apply for federal financial aid. The removal of the tool has created unexpected hurdles for many families hoping to qualify for financial aid, but the action also eliminated a key source of data that fraudsters could use to conduct tax refund fraud.
Last week, the IRS and the Department of Education said in a joint statement that they were temporarily shutting down the IRS’s Data Retrieval Tool. The service was designed to make it easier to complete the Education Department’s Free Application for Federal Student Aid (FAFSA) — a lengthy form that serves as the starting point for students seeking federal financial assistance to pay for college or career school.
In response to requests for comment, the IRS shared the following statement: “As part of a wider, ongoing effort at the IRS to protect the security of data, the IRS decided to temporarily suspend their Data Retrieval Tool (DRT) as a precautionary step following concerns that information from the tool could potentially be misused by identity thieves.”
“The scope of the issue is being explored, and the IRS and FSA are jointly investigating the issue,” the statement continued. “At this point, we believe the issue is relatively isolated, and no additional action is needed by taxpayers or people using these applications. The IRS and FSA are actively working on a way to further strengthen the security of information provided by the DRT. We will provide additional information when we have a specific timeframe for returning the DRT or other details to share.”
The removal of the IRS’s tool received relatively broad media coverage last week. For example, a story in The Wall Street Journal notes that the Treasury Inspector General for Tax Administration — which provides independent oversight of the IRS — “opened a criminal investigation into the potentially fraudulent use of the tool.”
Nevertheless, I could not find a single publication that sought to explain precisely what information identity thieves were seeking from this now-defunct online resource. Two sources familiar with the matter but who asked to remain anonymous because they were not authorized to speak on the record told KrebsOnSecurity that identity thieves were using the IRS’s tool to look up the “adjusted gross income” (AGI), which is an individual or family’s total gross income minus specific deductions.
Anyone completing a FAFSA application will need to enter the AGI as reported on the previous year’s income tax return of their parents or guardians. The AGI is listed on the IRS-1040 forms that taxpayers must file with the IRS each year. The IRS’s online tool was intended as a resource for students who needed to look up the AGI but didn’t have access to their parents’ tax returns.
Eligible FAFSA applicants could use the IRS’s data retrieval tool to populate relevant fields in the application with data pulled directly from the IRS. Countless college Web sites explain how the tool works in more detail; here’s one example (PDF).
As it happens, the AGI is also required to sign and validate electronic tax returns filed with the IRS. Consequently, the IRS’s data retrieval tool would be a terrific resource to help identity thieves successfully file fraudulent tax refund requests with the agency.
Tax-related identity theft occurs when someone uses a Social Security number (SSN) — either a client’s, a spouse’s, or dependent’s — to file a tax return claiming a fraudulent refund. Thieves may also use a stolen Employer Identification Number (EIN) from a business client to create false Forms W-2 to support refund fraud schemes. Increasingly, fraudsters are simply phishing W-2 data in large quantities from human resource professionals at a variety of organizations. However, taxpayer AGI information is not listed on W-2 forms.
Victims usually first learn of the crime after having their returns rejected because scammers beat them to it. Even those who are not required to file a return can be victims of refund fraud, as can those who are not actually due a refund from the IRS.
This would not be the first time tax refund fraudsters abused an online tool made available by the IRS. During the height of tax-filing season in 2015, identity thieves used the irs.gov’s “Get Transcript” feature to glean salary and personal information they didn’t already have on targeted taxpayers. In May 2015, the IRS suspended the Get Transcript feature, citing its abuse by fraudsters and noting that some 100,000 taxpayers may have been victimized as a result.
In August 2015, the agency revised those estimates up to 330,000, but in February 2016, the IRS again more than doubled its estimate, saying the number of taxpayers targeted via abuse of the Get Transcript tool was probably closer to 724,000.
The IRS re-enabled its Get Transcript service last summer, saying it had fortified the system with additional security safeguards — such as requiring visitors to supply a mobile phone number that is tied to the applicant’s name.
Now, the IRS is touting its new and improved Get Transcript service as an alternative method for obtaining the information needed to complete the FAFSA.
“If you did not retain a copy of your tax return, you may be able to access the tax software you used to prepare your return or contact your tax preparer to obtain a copy,” the IRS said in its advisory on the shutdown of its data retrieval tool. “You must verify your identity to use this tool. You also may use Get Transcript by Mail or call 1-800-908-9946, and a transcript will be delivered to your address of record within five to 10 days.”
The IRS advises those who still need help completing the FAFSA to visit StudentAid.gov/fafsa or call 1-800-4FED-AID (1-800-433-3243).
DON’T BE THE NEXT VICTIM
Here are some steps you can take to make it less likely that you will be the next victim of tax refund fraud:
-File before the fraudsters do it for you – Your primary defense against becoming the next victim is to file your taxes at the state and federal level as quickly as possible. Remember, it doesn’t matter whether or not the IRS owes you money: Thieves can still try to impersonate you and claim that they do, leaving you to sort out the mess with the IRS later.
-Get on a schedule to request a free copy of your credit report. By law, consumers are entitled to a free copy of their report from each of the major bureaus once a year. Put it on your calendar to request a copy of your file every three to four months, each time from a different credit bureau. Dispute any unauthorized or suspicious activity. This is where credit monitoring services are useful: Part of their service is to help you sort this out with the credit bureaus, so if you’re signed up for credit monitoring make them do the hard work for you.
-File form 14039 and request an IP PIN from the government. This form requires consumers to state they believe they’re likely to be victims of identity fraud. Even if thieves haven’t tried to file your taxes for you yet, virtually all Americans have been touched by incidents that could lead to ID theft — even if we just look at breaches announced in the past year alone.
–Consider placing a “security freeze” on one’s credit files with the major credit bureaus. See this tutorial about why a security freeze — also known as a “credit freeze,” may be more effective than credit monitoring in blocking ID thieves from assuming your identity to open up new lines of credit. While it’s true that having a security freeze on your credit file won’t stop thieves from committing tax refund fraud in your name, it would stop them from fraudulently obtaining your IP PIN.
–Monitor, then freeze. Take advantage of any free credit monitoring available to you, and then freeze your credit file with the four major bureaus. Instructions for doing that are here.
You can skip to the end and leave a comment. Pinging is currently not allowed.