On Jan. 24, 2022, an anonymous fraudster filed 353 federal returns through a tax professional’s software using the firm’s electronic filing identification number (EFIN) credentials. The taxpayer identities of the 353 returns originated from seven distinct firms from different states in the eastern United States. This occurred on the first day of the tax year 2021 filing season.
Here is an example of how these hacks occur:
- The fraudsters breach tax and accounting firms throughout the prior year, stealing data from each firm’s office or home machines by remote access, using the login identity of someone in the firm.
- None of the compromised firms had elected to enhance the security of their account by taking the simple step to add two-factor authentication, which would have required the fraudsters to have access not only to valid account credentials, but also a trusted device.
- Typically, the fraudster sends a phishing email to firm employees, containing a link that, when clicked, deploys malware—usually a remote access backdoor and a keylogger. Keyloggers are designed to record all the keystrokes on a computer, and specifically look for username and password combinations. This information is sent back to the remote fraudsters by piggybacking on normal internet traffic from the computer, which disguises the activity.
- Once the fraudsters have stolen the client files, they rework the returns, adding in income, dependents, or other refundable credits to enlarge the refunds to $5,000, and even $10,000 or more per taxpayer. The fraudsters also change the bank direct deposit information to a bank account they control.
- When the fraudsters have accumulated a batch of fraudulent returns ready to be filed, they will typically use the credentials and software of one of the previously compromised firms to file the returns. To the IRS and state agencies, this appears as if the returns were filed by that firm, regardless of which firm the returns actually belonged to in the prior tax year. The “filing” firm does not even know it was hacked, and the firm has no idea the fraudster filed returns using its credentials from a remote location—many times outside of the United States.
In this large data breach, none of the seven firms knew they had been breached until they were notified that returns in their clients’ names had already been accepted by the IRS, with large refunds that the fraudsters attempted to route to the hacker-controlled bank accounts.
This scheme resulted in 29 stolen identity refund fraud returns being filed for one firm, 43 for another, and 82 returns from yet another firm, leading to significant inconvenience for the firms’ clients, harm to the firms’ reputations, substantial additional work filing corrected returns on paper, and lost revenue to the firms.
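The scheme leaves traces a firm can check for itself. The following is an added example, not code from the original article or from any tax software vendor: it reconciles the returns accepted under a firm's EFIN against the returns the firm actually prepared. The record layout, field names, flag names and the shared-account threshold are assumptions, and the sample data is constructed.

```python
from collections import defaultdict

# Constructed sample data; the layout is an assumption, not an IRS or vendor format.
PREPARED = {  # returns the firm itself prepared, keyed by a taxpayer identifier
    "T-1001": {"refund": 1200, "account": "ACCT-A"},
    "T-1002": {"refund": 800, "account": "ACCT-B"},
}
ACCEPTED = [  # returns reported as accepted under the firm's EFIN
    {"sub": "S1", "taxpayer": "T-1001", "refund": 1200, "account": "ACCT-A"},
    {"sub": "S2", "taxpayer": "T-1002", "refund": 9800, "account": "ACCT-X"},
    {"sub": "S3", "taxpayer": "T-7001", "refund": 5000, "account": "ACCT-X"},
    {"sub": "S4", "taxpayer": "T-7002", "refund": 10000, "account": "ACCT-X"},
]


def reconcile(accepted, prepared, shared_account_threshold=3):
    """Return {submission id: sorted reasons} for accepted returns needing review."""
    findings = defaultdict(set)
    taxpayers_by_account = defaultdict(set)
    for rec in accepted:
        taxpayers_by_account[rec["account"]].add(rec["taxpayer"])
        ours = prepared.get(rec["taxpayer"])
        if ours is None:
            # Filed under our EFIN, but the taxpayer is not one of our clients.
            findings[rec["sub"]].add("NOT_PREPARED_BY_FIRM")
            continue
        if rec["account"] != ours["account"]:
            # Direct deposit differs from what the firm entered.
            findings[rec["sub"]].add("DEPOSIT_CHANGED")
        if rec["refund"] > ours["refund"]:
            # Refund is larger than the one the firm calculated.
            findings[rec["sub"]].add("REFUND_INFLATED")
    for rec in accepted:
        # Heuristic (assumption): many unrelated taxpayers paid into one account.
        if len(taxpayers_by_account[rec["account"]]) >= shared_account_threshold:
            findings[rec["sub"]].add("SHARED_ACCOUNT")
    return {sub: sorted(reasons) for sub, reasons in findings.items()}


if __name__ == "__main__":
    for sub, reasons in sorted(reconcile(ACCEPTED, PREPARED).items()):
        print(sub, ", ".join(reasons))
```

Any flagged submission, and in particular any count of accepted returns higher than the number the firm transmitted, is a reason to investigate before clients are notified by the IRS.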
None of the seven firms had elected to turn on the additional layer of protection offered by two-factor authentication. Using two-factor authentication enhances the security of your account by requiring a person trying to access the account to also have access to a trusted device.
Here is how to set up two-factor authentication for your firm’s logins: