Fraudsters profit as more file their taxes online

When Jeff Parish signed onto his TurboTax account recently, he was surprised to see that the popular online filing service had already calculated a federal refund - to the tune of more than $5,000. But there was a problem. The 61-year-old marketing executive from Fairfax, Virginia, was just starting the process of filing his taxes, not finishing it. Somebody had broken into his account, completed a fraudulent return and diverted Parish's refund to a prepaid debit card.

As tax season moves into its busiest stretch, such unpleasant surprises await hundreds of thousands - some experts say millions - of Americans as the fallout from an unprecedented surge in online tax scams hits home. People counting on a quick windfall will discover they instead are victims of an audacious gang of online criminals who systematically targeted TurboTax, the nation's largest online filing service.

The attacks highlighted the perilous security of the nation's overstretched systems for online tax collection. A massive spike in the use of services such as TurboTax has coincided with deep cuts to the Internal Revenue Service, which along with state taxation authorities has struggled to adapt to the rising sophistication of online criminals.

As fraud rises sharply - Intuit, which makes TurboTax, said some states saw a 37-fold increase in suspicious returns earlier this year - it remains unclear who is responsible for combating the problem. TurboTax files millions of returns each year that its internal screening algorithms have flagged as "suspicious," internal documents show, and the company said it does not immediately alert taxation authorities.

Rejecting a return and determining whether it is fraudulent is ultimately up to the IRS, Intuit added. "We do not have that authority," the company said in a statement.

"If any one company, ours or any other company, decided to take a whole bunch of actions that would 100 percent determine that every single one of their customers was exactly who they said they were, that would not stop fraud in the industry," said David Williams, Intuit's chief tax officer. "It would just push the fraud around, it would squeeze the balloon and push it anywhere."

But critics said Intuit and other tax software providers have a responsibility to protect the integrity of the tax filing system. Several cybersecurity analysts added that the company is only now adding security measures that have been used by email and social media companies for years.

"They can't blame everything on the IRS. That's ridiculous," said Ed Mierzwinski, consumer program director at U.S. PIRG.

"I think that both the IRS and the states need to up their game," he said. "The agencies have been starved. They have not gotten adequate funding to protect people's financial lives in the way that they should ... They're not keeping up with the bad guys."

Among Intuit's critics are two former employees, who said they protested Intuit's decision not to halt fraudulent returns when they worked at the company.

One of them, Shane MacDougall, who was a principal security engineer at Intuit until last month, recently filed a whistle-blower complaint with the Securities Exchange Commission that alleges Intuit chose not to take needed security measures because executives worried those actions would cut into the company's market share.

"One of the main reasons that I left was that Intuit was seemingly unwilling to implement even the most basic safeguards to protect their users that we were recommending," said MacDougall. "Something like preventing multiple people from using the same Social Security number is extremely simple to do and that would stop a ton of fraud dead in its tracks and that was one of many recommendations that we made that they would not implement."

Intuit vehemently denied the charge, adding that the company voluntarily shares reports about suspicious returns on a three-week delay with the IRS and is discussing whether to accelerate the process. "This is not a company that profits from fraud," said Intuit spokeswoman Julie Miller. "And if there is any that gets through it would certainly be immaterial for the business."

The fraud problem does not appear to be a small one at Intuit. An internal strategy presentation obtained by The Washington Post showed that the number of suspicious accounts identified by Intuit grew from about 900,000 in 2010 to about 2.5 million in 2012. About 29 million people used TurboTax last year.

Intuit declined to comment on the document.

The spike in fraudulent online tax returns this year has drawn the attention of the FBI, which is investigating the matter, and Congress, where the Senate Finance Committee plans to hold a hearing on identity theft and tax fraud later this month. Committee investigators have been interviewing tax preparation companies, state tax commissioners and the two former employees.

"With tax scams on the rise, Congress needs to take a serious look at how we can better protect taxpayers from becoming victims of fraud," Senate Finance Committee Chairman Orrin Hatch, R-Utah, said in a statement.

The IRS declined to offer specifics on how it uses the information it receives from TurboTax but said it works "closely with our partners in the software industry, state tax administrators, tax professionals and the financial industry to protect against refund fraud."

- - -

The market for do-it-yourself tax preparation software has been booming with Intuit largely leading the way. Founded in 1983, the company targets small businesses, consumers and accountants looking for an easier way to file taxes, pay bills and manage other aspects of their finances. The company, headquartered in Mountain View, California, also includes QuickBooks and Quicken as part of its flagship programs.

Price has been one of Intuit's biggest advantages. More expensive professional tax preparation services, such as Jackson Hewitt, lost revenue during the recession because cost-conscious consumers switched to doing their own taxes, according to a report from market researcher IBISWorld. Meanwhile, since the beginning of the Great Recession, Intuit's stock has more than tripled.

But the breakneck growth in tax preparation software - which can cost around $40 as opposed to the hundreds of dollars charged by professionals - has outpaced the industry's ability to provide security and the government's efforts to provide oversight, critics said.

They add that Intuit and its rivals in the self-preparation software business - H&R Block and Blucora, the maker of TaxAct - do not have a financial incentive to erect the strongest possible security protections for consumers. Such steps can make accessing accounts less convenient.

"Commercial tax preparation software vendors have a much different primary objective than tax agencies. They are driven by profit," Julie Magee, commissioner of the Alabama Department of Revenue, wrote in an op-ed this week. "The easier they make it to file a return, the more customers they can get and the more profitable they will become. There is no incentive for them to stop fraud."

For its part, Intuit called for standards that would apply to all of the online tax preparation companies.

"The industry as a whole should act with the IRS in setting standards that we should all follow so that fraud doesn't get squeezed or get chased around the system; it gets chased out of the system," Williams, the chief tax officer, said.

- - -

The hackers who targeted TurboTax this year appeared to use two techniques. Some seemed to already have people's personal information and created fake accounts to submit a phony tax return. Others figured out the logins and passwords for people, by trying multiple iterations, and gained wide access to their accounts.

In response, Intuit briefly shut down its service's ability to file state returns last month and then required customers to submit state and federal returns together. That step would require a fraudster to trick two agencies instead of one. (H&R Block and Blucora said they had that requirement in place already and have not seen a similar spike in fraudulent activity.)

Intuit also rolled out "multi-factor authentication" - which requires returning customers to enter a code sent to their phones or email addresses when they attempt to log in. Security experts say this can make it much harder to guess a person's login and password.

Similar security measures have long been used by other technology firms. "It's kind of sad Facebook and Twitter and Gmail are more sophisticated than our tax preparation industry," added Chester Wisniewski, a senior security adviser for Sophos, a security software vendor.

Since the spike in fraud in January and early February, the problem appears to have eased, perhaps because the fraudsters acted early on in the season before people typically file their taxes, tax officials said. Indeed, many Americans will not discover that they have been victimized until they attempt to file returns in the coming weeks.

For those who do, the wait for a refund can be excruciating.

After Parish reported the fraud to the IRS, he was told it could be at least six months before the agency would be able to verify his identity and issue his refund. He and his wife also had to file their returns on paper.

Parish said he isn't as worried about the delay as he is about the access criminals gained to his personal information. He set up alerts with the three major credit reporting agencies so that he can get a notice if anyone tries to take out credit in his name, but he still feels "violated."

"I'm just hoping that tax is the worst of it," he said.
