Real tax fraud stories: It can happen to your firm

Written by Kevin Smith
Modified Feb 15, 2022

On Jan. 24, 2022, an anonymous fraudster filed 353 federal returns through a tax professional’s software using the firm’s electronic filing identification number (EFIN) credentials. The taxpayer identities on the 353 returns originated from seven distinct firms in different states in the eastern United States. This occurred on the first day of the tax year 2021 filing season.

Here is an example of how these hacks occur: The fraudsters breach tax and accounting firms throughout the prior year, stealing data from the firm’s office or home machines by remote access using the login identity of someone in the firm. None of the compromised firms had elected to enhance the security of their account by taking the simple step of adding two-factor authentication, which would have required the fraudsters to have access not only to valid account credentials, but also to a trusted device.

Typically, the fraudster sends a phishing email to firm employees containing a link that, when clicked, deploys malware, usually a remote access backdoor and a keylogger. Keyloggers are designed to record all the keystrokes on a computer, and specifically look for username and password combinations. This information is sent back to the remote fraudsters by piggybacking on normal internet traffic from the computer, which disguises the activity.

Once the fraudsters have stolen the client files, they rework the returns, adding in income, dependents, or other refundable credits to enlarge the refunds to $5,000, and even $10,000 or more per taxpayer. The fraudsters also change the bank direct deposit information to a bank account they control.

When the fraudsters have accumulated a batch of fraudulent returns ready to be filed, they will typically use the credentials and software of one of the previously compromised firms to file the returns. To the IRS and state agencies, this appears as if the returns were filed by that firm, regardless of which firm the returns actually belonged to in the prior tax year. The “filing” firm does not even know it was hacked, and has no idea the fraudster filed returns using its credentials from a remote location, many times outside of the United States.

In this large data breach, none of the seven firms knew they had been breached until they were notified that returns in their clients’ names had already been accepted by the IRS, with large refunds that the fraudsters attempted to route to hacker-controlled bank accounts. This scheme resulted in 29 stolen identity refund fraud returns being filed for one firm, 43 for another, and 82 for yet another firm, leading to significant inconvenience for the firms’ clients, harm to the firms’ reputations, substantial additional work filing corrected returns on paper, and lost revenue to the firms.

None of the seven firms had elected to turn on the additional layer of protection offered by two-factor authentication. Using two-factor authentication enhances the security of your account by requiring a person trying to access the account to also have access to a trusted device.

Here is how to set up two-factor authentication for your firm’s logins:
Intuit® Lacerte® Tax
Intuit ProSeries® Tax
Intuit ProConnect™ Tax

Kevin Smith is a senior fraud prevention specialist with Intuit®, and has been with the company for 23 years. After holding several positions, he moved into fraud prevention in 2015.
Kevin has seen cybersecurity evolve from the institution of the PTIN program in the late ’90s to today’s advanced threat environment, with international crime syndicates working 24/7 to steal taxpayers’ personally identifiable information. Kevin is a member of the Tax Professionals Subgroup, where he represents Intuit at the IRS Security Summit, and leads the EFIN Compliance and Licensing Fraud team for Lacerte®, ProSeries®, and ProConnect™ Tax.