Practice Management

Real tax fraud stories: It can happen to your firm

Written by Kevin Smith
Modified Feb 15, 2022
3 min read

On Jan. 24, 2022, an anonymous fraudster filed 353 federal returns through a tax professional’s software using the firm’s electronic filing identification number (EFIN) credentials. The taxpayer identities of the 353 returns originated from seven distinct firms from different states in the eastern United States. This occurred on the first day of the tax year 2021 filing season.

Here is an example of how these hacks occur:

The fraudsters breach tax and accounting firms throughout the prior year, stealing data from the firm’s office or home machines by remote access using the login identity of someone in the firm.
None of the compromised firms had elected to enhance the security of their account by taking the simple step to add two-factor authentication, which would have required the fraudsters to have access not only to valid account credentials, but also a trusted device.
Typically, the fraudster sends a phishing email to firm employees, containing a link that, when clicked, deploys malware—usually a remote access backdoor and a keylogger. Keyloggers are designed to record all the keystrokes on a computer, and specifically looks for username and password combinations. This information is sent back to remote fraudsters by piggybacking on normal internet traffic from the computer, disguising its activity.
Once the fraudsters have stolen the client files, the fraudster reworks the returns, adding in income, dependents, or other refundable credits to enlarge the refunds to $5,000, and even $10,000 or more per taxpayer. The fraudster also changes bank direct deposit information to a bank account he controls.
When the fraudsters have accumulated a batch of fraudulent returns ready to be filed, they will typically use the credentials and software of one of the previously compromised firms to file the returns. To the IRS and state agencies, this appears as if the returns were filed by that firm, regardless of which firm the returns actually belonged to the prior tax year. The “filing” firm does not even know it was hacked, and the firm has no idea the fraudster filed returns using its credentials from a remote location—many times outside of the United States.

In this large data breach, none of the seven firms knew they had been breached until they were notified that returns in their clients’ names had already been accepted by the IRS with large refunds attempting to be routed to the hacker-controlled bank accounts.

This scheme resulted in 29 stolen identity refund fraud returns being filed for one firm, 43 for another, and 82 returns from yet another firm, leading to significant inconvenience for the firms’ clients, harm to the firms’ reputations, substantial additional work filing corrected returns on paper, and lost revenue to the firms.

None of the seven firms had elected to turn on the additional layer of protection offered by two-factor authentication. Using two-factor authentication enhances the security of your account by requiring a person trying to access the account to also have access to a trusted device.

Here is how to set up two-factor authentication for your firm’s logins:

Intuit® Lacerte® Tax
Intuit ProSeries® Tax
Intuit ProConnect™ Tax

Kevin Smith is a senior fraud prevent specialist with Intuit®, and has been with the company for 23 years. After holding several positions, he moved into fraud prevention in 2015. Kevin has seen cybersecurity evolve from the institution of the PTIN program in the late ‘90s to today’s advanced threat environment, with international crime syndicates working 24/7 to steal a taxpayer’s personally identifiable information. Kevin is a member of the Tax Professionals Subgroup where he represents Intuit at the IRS Security Summit, and leads the EFIN Compliance and Licensing Fraud team for Lacerte®, ProSeries®, and ProConnect™ Tax. More from Kevin Smith

Comments are closed.