Will tax fraud make every American a cybersecurity believer?
As long as there has been an internet, there have been internet scams and cybersecurity incidents. As long as there has been a tax system, there has been tax fraud of one sort or another. In a way, it’s surprising that it took so long for these two trends to converge. But [at last!] they have. The latest estimates are that the US Treasury will lose $21 billion this year due to fraudulent claims – up from just $6.5 billion two years ago.
The scam is elegantly simple. Most people overpay into the tax system all year, padding their account until taxes come due so they’ll get a refund rather than having to pay later on. Filing a tax return and getting that refund requires surprisingly little information – a name, a social security number, and a date of birth. Most of this information is readily obtainable from the dark reaches of the internet, or can be socially engineered with minimal effort.
There’s also a timing element. The IRS has the curious habit of paying out refunds before it can even confirm the information it’s paying against. You can file your taxes as early as New Year’s Day, but the W-2s don’t arrive from employers until mid-March and aren’t matched against tax filings for many months after. So by the time employer records are received for verification, half of all refunds have already been paid out by the IRS.
Growing numbers of Americans file their taxes only to discover that someone has already claimed their refund – an embarrassment for the IRS and a costly breach for taxpayers as well. This is a form of cyber intrusion which hits very close to home, and one which strikes at our trust in government as well.
Enter big data. Starting in 2015, the IRS teamed up with the states to amp up the sophistication of its cybersecurity regime. It started using other data elements – addresses, phone numbers, IP addresses – to match tax returns against what the IRS knows about its customers from previous interactions. Data are now matched against state records as well, creating another method to authenticate people against their public identities. Where taxpayers set up PIN numbers or passwords to protect their filings, the IRS instituted more robust standards aimed at curbing the use of brute force attacks.
There’s still a long way to go. The IRS and the tax preparation industry have only begun to work collaboratively to authenticate filings prepared by professionals. The IRS is still pondering the standards it will use to secure its networks. And only thirty-four states are on board with information sharing, leaving sixteen with less protection.
In comparison to other industrialized countries, the IRS is playing this game with one hand tied behind its back. The US does not issue a secure form of authentication (like, say, a biometrically enabled national ID card), leaving it to use secondary sources to confirm identity. The lack of attention to cybersecurity at the national level is also a troubling reminder that the government is playing catch up rather than getting out ahead of the problem.
In the absence of strong protection from the government, individual taxpayers are going to have to pick up the cybersecurity slack. Cyber hygiene is more critical now than it ever has been. Credit monitoring is always recommended, but this only goes toward the back-end cleanup of an incident that has already occurred. Prevention is the best way to protect against the consequences of a data breach – whether it happens at the IRS or any other large institution. Encryption, minimizing the distribution of personal data, and a healthy skepticism of anyone who asks for sensitive information is the strongest defense.
They say that the only things that are inevitable are death and taxes. Cyberattacks don’t have to be added to that list.