Tax cops and robbers can both be expected to apply the lessons they learned during the identity theft tax refund fraud wars to the online portal for direct deposit of coronavirus economic assistance payments.
At the same time the IRS’s efforts to administer coronavirus relief payments include a portal for nonfilers’ direct deposit information, the agency is also gearing up for a wave of virus-related fraud such as phishing emails and telephonic impersonation.
The Coronavirus Aid, Relief, and Economic Security (CARES) Act (P.L. 116-136) provides economic impact payments (EIPs) of up to $1,200 per person, with an additional $500 for dependents, mostly distributed based on 2018 or 2019 tax return information. The IRS’s nonfiler web portal augments that distribution system by allowing people to give the IRS information to make the EIPs if they didn’t file tax returns.
The new portal seems like an obvious target for the scammers who used stolen or purchased taxpayer information to obtain fraudulent tax refunds via the electronic tax return filing system.
Hackers are already manipulating direct deposit information to steal refunds when they breach tax return preparers’ computer systems.
New Front
“There will always be those who seek to abuse the system, but I suspect that individuals caught stealing much-needed relief funds will face law enforcement determined to hold them accountable and harsh consequences,” Caroline D. Ciraolo, a former head of the Justice Department’s Tax Division and now with Kostelanetz & Fink LLP, told Tax Notes.
Ciraolo said she expects the substantial time and resources the IRS devoted to the fight against identity theft refund fraud, and the filters developed in that process, will be put to good use protecting the direct deposit information portal.
Sandra R. Brown of Hochman Salkin Toscher Perez PC said, “Anytime criminals have an opportunity to get free money and to be creative, they’re going to figure out a way.”
Brown spent many years in the U.S. attorney’s office for the Central District of California and saw lots of action in the battles against identity theft refund fraudsters. She distinguished the nonfilers with no legal responsibility to file a tax return (because of insufficient income, for example) from what she calls never-filers, who disregard their filing responsibilities. The never-filers are already committing tax crimes, she said.
While conventional attempts to cheat on the EIPs will mostly involve information stolen from nonfilers, the never-filers could contribute to the problem by selling their own otherwise unused Social Security numbers for use in fraudulent EIP requests, Brown suggested. She saw that pattern when prosecuting identity theft refund fraud cases, she noted.
Brown said that in addition to conventional thefts of personal information, she saw instances in which adults would steal minors’ information for false dependent claims as well as cases in which adults who weren’t filing tax returns were selling their SSNs. “In some cases, they would just take a cut” of the stolen refund, she said, adding that the stolen or sold SSNs of the adult and minor were often combined on the false returns.
Never-filers selling their information wasn’t an unusual pattern for identity theft refund fraud and is a potential concern for the EIPs and the web portal, Brown said.
Former National Taxpayer Advocate Nina Olson said the web portal appears to use the IRS’s Free File Fillable Forms website and enter the information provided by the taxpayer into a Form 1040, which is then submitted through the agency's normal return filing processes. This means that all the filters and other tools, such as submission internet service provider trackers, the IRS has developed in the fight against identity theft refund fraud will be applied to those submissions, she said.
“At any point along the way, the IRS can try to identify fraud or questionable rebate claims,” said Olson, now executive director of the Center for Taxpayer Rights.
Those existing protections come with a notable downside — an approximately 71 percent false positive rate for the filters, according to Olson. Returns incorrectly flagged by the filters were held up for as long as 141 days, she said. “And that was when the IRS actually had people working on the phones to talk to human beings,” she added.
The false positive rate will probably be substantially higher because few of the IRS employees monitoring the filters can telework, Olson said. “My understanding is that several of the units . . . that deal with the questionable refund program” are shut down because of the coronavirus pandemic, she said.
Another issue arising from the web portal’s possible use of an actual tax return for the nonfilers would be the impact of submitting such a form under penalty of perjury if they don't realize they're doing that, Olson said.
Databases
Both Olson and Brown said the IRS’s new data from the web portal isn’t likely to present a new danger in terms of hackers attempting to breach the agency's systems. Both noted that the IRS’s existing defenses will come to bear on that front as well.
Brown said she expects to see plenty of criminal enforcement work resulting from EIP fraud attempts. One potential silver lining could come from never-filers allowing their information into IRS systems, which could enable the Criminal Investigation division's data analytics teams to find them for prosecution of their underlying tax crimes in addition to any EIP fraud, she said. The IRS could end up with even more SSNs and other information for data analysis, she said.
Olson agreed that the possibility of CI and the IRS augmenting their databases using information from the EIP web portal is a potential upside.
The IRS didn't respond to a request for comment by press time.