Government Penny Pinching Has Left IRS Vulnerable To Hacking

Attacks are on the rise, defense is down, and there's no end in sight

(Illustration: Diana Quach)
Apr 15, 2016 at 2:57 PM ET

In March, Katerina, who declined to use her last name, a college-bound 18-year-old in Texas, logged into TurboTax to do her taxes for the first time. But there was a problem.

“My return kept getting rejected saying that I needed an AGI code from the previous year’s tax return, which I did not have because I haven’t filed taxes before,” she told Vocativ. The IRS wanted that Adjusted Gross Income code because someone with her name and Social Security Number had already filed a tax return using this information for the previous two years. The ensuing whirlwind of police reports, affidavits, and bad credit left her unable to get federal student aid for the fall semester. “I’m very safe with that kind of information,” she said, referring to her Social Security Number. “It’s just so strange that it happened.”

Katerina is obviously not alone. There has been tax fraud almost as long as there’s been taxes. But the practice of criminals using a stolen Social Security Number to file a fake return, then pocketing the profit, is skyrocketing, in part because of how easy it is. “Why is it so prevalent? Because it’s working!” Eva Velasquez, President of Identity Theft Resource Center, a nonprofit devoted to helping identity theft victims, told Vocativ. If a criminal has a victim’s SSN and a little more personal information and wants to file a false claim that they had, for example, worked at Wal-Mart and are owed a return, they “only need to know what a Wal-Mart W2 looks like,” she said.

In the past three years, complaints of identity theft have skyrocketed. Phishing attacks, in which a hacker sends an email purportedly from a familiar email address and asks for sensitive information, is seeing a massive resurgence. In March, the IRS warned of a particularly popular variant, in which a phishing email will urgently request employees’ W2 forms. And they work: While there is no publicly available, comprehensive government list of data breaches, a combination of local media stories, data from independent researchers and information revealed due to certain states’ strong disclosure laws shows that more than 60 companies were affected in February and March alone.

While these attacks are largely possible due to human error at private companies, the IRS is visibly struggling, too. Repeated Congressional budget cuts has led to the agency slashing staff. In an open letter to Congress in November, seven former IRS commissioners estimated the cuts led to 15,000 lost employees over a period of five years, writing that “none of us has ever witnessed anything like what has happened to the IRS appropriations over the last five years and the impact these appropriations reductions are having on our tax system.”

It shows. One IRS initiative called Get Transcript, launched in 2014, proved an unmitigated failure. In theory, Get Transcript gave taxpayers greater access to their own financial information, and allowed them to request their previous tax returns be mailed to them. But weak security also meant that criminals could easily access that information. The IRS initially suspected that 114,000 returns were exposed and that criminals received less than $50 million in fraudulent returns. However, by the IRS’s latest count, Get Transcript exposed more than 700,000 households—or about one in every 460 Americans. It didn’t respond to requests for an updated figure of fraudulent returns filed.

In a Senate hearing Tuesday, IRS Commissioner John Koskinen said that hackers hit the agency with potential attacks “millions” of times each day. And there isn’t clear leadership around how to address the threat. In a little-publicized move, Director of Cybersecurity Operations Ken Stephens left the IRS in March, mere weeks before the national tax deadline. “He was one of several streamlined critical pay employees in the information technology area the IRS has recently lost,” an IRS spokesperson told Vocativ, referring to the temporary Streamlined Critical Pay program under which the IRS was given authority to hire key employees at higher than typical salaries. The program expired in 2013.

In the hearing, Koskinen chalked the agency’s attrition up to the simple difficulty of hiring skilled experts for government jobs, which lack competitive compensation and are often riddled with bureaucracy. “[W]hen you tell somebody, ‘We’d love to hire you, we’ve got a great position for you, now if you’ll sit around for three to six months, we’ll get back to you and in the meantime, fill out the applications and apply for the job … most of those people aren’t around when we come back.’”

While phishing and malware schemes targeting employee tax information are on the rise, convictions for tax return-related identity theft are actually decreasing. But just because convictions in IRS-prosecuted cases are falling doesn’t mean that criminals aren’t getting caught. Though the IRS is hampered the fact that it does not share information with other government agencies (it’s largely legally prohibited from doing so), it still has some 120 indicators that flag a return as suspicious and put it on hold, for example a number of returns being filed by the same IP address. Such a flag can potentially spur an investigation.

The Department of Justice announces tax fraud charges or convictions, most often related to SSN impersonations, almost daily. The criminals run the gamut from senior citizens and Subway managers, to even IRS employees, though hard numbers of those who don’t get caught are much harder to come by. “We have a saying in fraud: You only catch the dumb ones,” Velasquez said.

Because of this, it’s difficult fathom the overall scope of such schemes or the significant damage done to the victims of fraud. And there are very few ways potential victims can protect themselves. It’s possible for individuals to file early each year to get ahead of crooks, since once a tax return has been filed for a specific SSN, the IRS doesn’t permit another to be filed. And for a while, the agency allowed Americans to protect their returns with a six-digit secondary identifying number called an IP PIN. In theory, this two-factor authentication would prevent fraudulent filings, but the IRS suspended it indefinitely in March, after scammers realized they could use the website to easily retrieve an IP PIN of a victim who had already been hacked. The IRS can, at least, let you view what it looked like when a scammer filed in your name.

“There really is very little that an individual can do,” Velasquez said. A number of groups, including government agencies like the Treasury Inspector General for Tax Administration (TIGTA) and U.S. Government Accountability Office examine holes in IRS security and try to recommend fixes, but those are often met with a frustrating lack of results.

“The risk minimization techniques that individuals can use currently essentially do not exist,” Velasquez said. “But the issue is there really is very little that an individual can do to stop future occurrences.”

Katerina, the high school senior compromised by an unknown thief, knows it’ll be an ongoing problem. She has an attorney, who tells her it’s not worth changing her SSN right now, but with this year’s taxes filed, she has to focus getting her engineering degree.

“All in all, it’s a sucky way to experience the introduction to adulthood,” she says.