As first reported by the Wall Street Journal, the agency is working to determine if a data breach allowed scam artists to obtain the personal information used to file the returns. It is trying to figure out whether the personal information was pulled from TurboTax or another source, the Journal reported, citing a person familiar with the case.
Several states have introduced new security measures in recent days while insisting that their own systems have not been reached.
As many as 19 states may have been affected.
“We got a bigger spike than we normally get this time of year,” says Charlie Roberts, spokesman for the Utah State Tax Commission, which as of last week had identified 8,000 potentially fraudulent returns, a number he says has grown. “The common thread in that was TurboTax.”
Jeff Parish, who does marketing for a Virginia credit union, was surprised when he signed onto his TurboTax account over the weekend to prepare his tax return and found a message on the Web site congratulating him because the IRS had accepted his federal tax return.
Parish learned that someone had signed onto his account and filed a return roughly a week before, claiming a refund of roughly $5,000 – much larger than the $200 he normally receives – and directing it to be deposited on to a reloadable debit card. Parish reported the fraud to the IRS and now has to file his return on paper.
State tax authorities have held several conference calls to discuss the fraud and are sharing information with one another to make it easier to spot bogus returns, said Gale Garriott, director of the Federation of Tax Administrators. The additional security measures may delay tax refunds. Kentucky, for instance, says that after it temporarily stopped issuing refunds, state tax refunds could take up to 14 business days to be delivered, up from seven to 10 business days.
Last week, TurboTax stopped submitting state tax returns for about 24 hours while it investigated a rise in “suspicious filings” made using its software.
After looking into it, Intuit, the parent company for TurboTax, said that it did not think the fraud resulted from a breach of TurboTax’s systems and that the personal information was obtained elsewhere. Intuit spokeswoman Julie Miller said Wednesday that the company was aware of the FBI investigation but added that “to the best of our knowledge, Intuit is not the target of that investigation.”
The company also said last week that federal tax returns were not affected and it did not stop submitting those returns. But some state tax authorities reported seeing cases of fraudulent state and federal tax returns that appear to have information pulled from 2013 returns.
The Internal Revenue Service says it “added and strengthened protections in our processing systems this filing season to protect” taxpayers and prevent fraud.
However, some improvements to the IRS’s identity theft program were put off because of budget cuts, IRS commissioner John Koskinen said last week in prepared remarks to the Senate Finance Committee. “This means, among other things, that aging IT systems will not be replaced and new taxpayer protections against identity theft will be delayed,” he said.