As tax season moves into its busiest stretch, such unpleasant surprises await hundreds of thousands — some experts say millions — of Americans as the fallout from an unprecedented surge in online tax scams hits home. People counting on a quick windfall will discover they instead are victims of an audacious gang of online criminals who systematically targeted TurboTax, the nation’s largest online filing service.
The attacks highlighted the perilous security of the nation’s overstretched systems for online tax collection. A massive spike in the use of services such as TurboTax has coincided with deep cuts to the Internal Revenue Service, which along with state taxation authorities has struggled to adapt to the rising sophistication of online criminals.
As fraud rises sharply — Intuit, which makes TurboTax, said some states have seen a 37-fold increase in suspicious returns this year — it remains unclear who is responsible for combating the problem. Each year, TurboTax files millions of returns that its internal screening algorithms have flagged as “suspicious,” internal documents show. The company said it does not immediately alert taxation authorities.
Rejecting a return and determining whether it is fraudulent are ultimately up to the IRS, Intuit added. “We do not have that authority,” the company said in a statement.
“If any one company, ours or any other company, decided to take a whole bunch of actions that would 100 percent determine that every single one of their customers was exactly who they said they were, that would not stop fraud in the industry,” said David Williams, Intuit’s chief tax officer. “It would just push the fraud around. It would squeeze the balloon.”
But critics said Intuit and other tax software providers have a responsibility to protect the integrity of the tax filing system. And several security experts said the company is only now adding security measures that have been used by e-mail and social-media companies for years.
“They can’t blame everything on the IRS. That’s ridiculous,” said Ed Mierzwinski, consumer program director at the U.S. Public Interest Research Group.
“I think that both the IRS and the states need to up their game,” he said. “The agencies have been starved. They have not gotten adequate funding to protect people’s financial lives in the way that they should. . . . They’re not keeping up with the bad guys.”
Among Intuit’s critics are two former employees who said they protested Intuit’s decision not to do more to halt seemingly fraudulent returns when they worked at the company.
One of them, Shane MacDougall, who was a principal security engineer at Intuit until last month, recently filed a whistleblower complaint with the Securities and Exchange Commission that alleges Intuit chose not to take needed security measures because executives worried those actions would cut into the company’s market share.
“One of the main reasons that I left was that Intuit was seemingly unwilling to implement even the most basic safeguards to protect their users that we were recommending,” MacDougall said. “Something like preventing multiple people from using the same Social Security number is extremely simple to do and that would stop a ton of fraud dead in its tracks, and that was one of many recommendations that we made that they would not implement.”
Intuit vehemently denied the charge, adding that the company voluntarily shares reports on suspicious returns with the IRS after a three-week delay and is discussing whether to accelerate the process. Company officials said most of those returns are eventually rejected by the IRS. “This is not a company that profits from fraud,” said Intuit spokeswoman Julie Miller. Intuit said on its Web site last week that “the amount of revenue resulting from any filings included on our suspicious filings report, but subsequently accepted by the IRS based on their own processes, is immaterial to Intuit’s business, and simply does not drive a business decision.”
But an internal strategy presentation obtained by The Washington Post showed that the number of “suspicious” customers who successfully filed a return grew from about 900,000 in 2010 to about 2.5 million in 2012. About 29 million people used TurboTax last year.
Intuit declined to comment about the document.
The spike in fraudulent online tax returns this year has drawn the attention of the FBI, which is investigating the matter, and Congress, where the Senate Finance Committee plans to hold a hearing on identity theft and tax fraud this month. Committee investigators have been interviewing tax preparation companies, state tax commissioners and the two former Intuit employees.
“With tax scams on the rise, Congress needs to take a serious look at how we can better protect taxpayers from becoming victims of fraud,” Senate Finance Committee Chairman Orrin G. Hatch (R-Utah) said in a statement.
The IRS declined to offer specifics on how it uses the information it receives from TurboTax but said it works “closely with our partners in the software industry, state tax administrators, tax professionals and the financial industry to protect against refund fraud.”
Do-it-yourself tax prep
The market for do-it-yourself tax preparation software has been booming, with Intuit largely leading the way. Founded in 1983, the company targets small businesses, consumers and accountants looking for an easier way to file taxes, pay bills and manage other aspects of their finances. The company, based in Mountain View, Calif., also includes QuickBooks and Quicken among its flagship programs.
Price has been one of Intuit’s biggest advantages. Professional tax preparation services, such as Jackson Hewitt, lost revenue during the Great Recession because cost-conscious consumers switched to doing their own taxes, according to a report from market researcher IBISWorld. Meanwhile, since the beginning of the recession, Intuit’s stock has tripled.
But the breakneck growth in tax preparation software — which can cost as little as $40, as opposed to the hundreds of dollars charged by professionals — has outpaced the industry’s ability to provide security and the government’s efforts to provide oversight, critics said.
They added that Intuit and its rivals in the self-preparation software business — H&R Block and Blucora, the maker of TaxAct — do not have a financial incentive to erect the strongest possible security protections for consumers. Such steps can make accessing accounts less convenient.
“Commercial tax preparation software vendors have a much different primary objective than tax agencies. They are driven by profit,” Julie Magee, commissioner of the Alabama Department of Revenue, wrote in a public letter this week. “The easier they make it to file a return, the more customers they can get and the more profitable they will become. There is no incentive for them to stop fraud.”
For its part, Intuit called for standards that would apply to all online tax preparation companies. “The industry as a whole should act with the IRS in setting standards that we should all follow so that fraud doesn’t get squeezed or get chased around the system, it gets chased out of the system,” said Williams, the chief tax officer.
The hackers who targeted TurboTax this year appeared to use two techniques. Some seemed to already have people’s personal information and created fake accounts to submit phony tax returns. Others figured out users’ log-ins and passwords, by trying multiple iterations, and gained wide access to their accounts.
In response, Intuit briefly shut down its service’s ability to file state returns last month and then required customers to submit state and federal returns together. That step would require a fraudster to trick two agencies instead of one. (H&R Block and Blucora said they had that requirement in place already and have not seen a similar spike in fraudulent activity.)
Intuit also rolled out “multi-factor authentication,” which requires returning customers to enter a code sent to their phones or e-mail addresses when they attempt to log in. Security experts say this can make it much harder to guess a person’s log-in and password.
Similar security measures have long been used by other technology firms. “It’s kind of sad Facebook and Twitter and Gmail are more sophisticated than our tax preparation industry,” said Chester Wisniewski, a senior security adviser for Sophos, a security software vendor.
Since the spike in fraud in January and early February, the problem appears to have eased, perhaps because the fraudsters acted early on in the season before people typically file their taxes, tax officials said. Indeed, many Americans will not discover that they have been victimized until they attempt to file returns in the coming weeks.
For those who do, the wait for a refund can be excruciating.
After Parish reported the fraud to the IRS, he was told it could be at least six months before the agency would be able to verify his identity and issue his refund. He and his wife also had to file their returns through paper.
Parish said he is not as worried about the delay as he is about the access criminals gained to his personal information. He set up alerts with the three major credit reporting agencies so that he can get a notice if anyone tries to take out credit in his name, but he still feels “violated.”
“I’m just hoping that tax is the worst of it,” he said.