The current tax season has seen a variety of hacking and phishing attempts against employers and individuals alike. In recent years, the tax administration space, already aware of the threat, has boosted collaboration and communication.
For some people and companies, the shadow of this year’s tax season will extend long beyond the April 18 deadline.
Reports of widespread tax-return fraud involving companies as well as individual consumers have been raising major issues for the public. The attacks have hit the employees of firms such as Weight Watchers and Seagate Technology.
The schemes work in a variety of ways, but three methods have predominated:
Phishing attempts: According to The Wall Street Journal, an attacker will spoof the identity of a high-ranking employee at an organization and request that tax records, such as W2 forms, be sent to them. The attacker, in many cases, will reach either the human resources or payroll department in asking for this information. In this scenario, taxpayers often don’t learn that their information has been stolen until their tax forms have been rejected.
Remote control: An more recent scheme, highlighted by the Internal Revenue Service last week, involves a hacker taking remote control of a tax preparer’s computer and then changing where a tax refund goes. “Although the IRS knows of a handful of cases to date, this scam has potential to impact the filing of fraudulent returns in advance of the April tax deadline and is yet another example of tax professionals being targeted by identity theft criminals,” the federal agency said in a news release last week.
Data breaches at the IRS itself: In February 2016, the IRS faced a security breach of its own, finding that hackers were working to infiltrate the system in an attempt to steal e-filing PIN codes, which, USA Today reported, allowed attackers to access 700,000 separate accounts. Last week, security expert Bruce Schneier suggested that the IRS’s security problems may go deeper than reported. “I think that the IRS has been hacked even more than is publicly reported, either because the government is keeping the attacks secret or because it doesn’t even realize it’s been attacked,” Schneier wrote in a CNN op-ed.
How Tax Administrators Are Responding
The Federation of Tax Administrators, a trade group that represents state-level tax officials, has been battling these issues for years, and much of the work has involved preparation. FTA has been working closely with a number of industry groups, agencies, and companies, educating them on the dangers of tax fraud, and last year met with a number of stakeholders to discuss ways to more quickly identify fraud issues when they arise.
In 2015, the group held a security summit with these organizations, at the behest of IRS Commissioner John Koskinen, with the goal of finding ways to more quickly identify fraud issues. The stakeholders, according to the Pew Charitable Trusts, also discussed steps such as improving passwords and user-authentication procedures.
In a March interview with the National Association of State Chief Information Officers, FTA Deputy Director Verenda Smith noted that this approach has improved collaboration:
We needed a new way to think about data. Starting more than a year ago, we brought together three sectors in a partnership: people who design software for preparation and filing of tax returns, states, and the IRS—and we’ve been coming together in a new way. Instead of each of us working independently on fraud identification, we’re working on fraud issues together. Much of that comes down to the use of the data and understanding what’s in each other’s data, what’s useful and what’s not.
In comments to The Wall Street Journal, Smith emphasized that the group was aware of a number of recent security problems at companies, at least 50 so far, but said that some companies have yet to speak up.
“We are definitely talking about many, many thousands of employees and I would have to think there are some companies that aren’t confessing to it,” Smith said.