It’s bad enough that you have to do so much work to get your taxes done and, if you’re lucky, file for a refund. But if, after you try to file your return, you get a message that says “The dependent’s Social Security number cannot be used more than once in a tax return. It also cannot appear in more than one tax return”, you can bet that your tax refund has been hijacked. Someone else will be spending the tax return money you expected to get. Sure, you can tell the IRS what happened, but don’t expect a quick solution. This is how the IRS lost almost 4 billion dollars in 2012.
So how does this work? First of all, hackers must get your personal information, including your Social Security number. The most popular hacking targets for such information have recently been healthcare organizations, universities, and, of course, companies. Why? Because they have multiple endpoints: many users with different devices that can connect to their networks. If a hacker compromises one endpoint, they are in the network with access to all the protected data, including the personal information of anyone who uses the network.
Next, an individual hacker can sell this information to a nefarious organization that can bundle this with information it may have accrued through data mining, such as the names of your wife/husband and children. There are numerous cybercrime organizations that do this. These organizations will then sell the enterprising tax-refund hacker packages called fullz. As one such organization advises, “After buying try to search by address and u can see children, wife and all people at this address. It’s great for tax return method, because u can get $$$ for ‘your’ children.” With my background teaching English as a foreign language around the world, I can see that the syntax in this statement is that of a nonnative English speaker, indicating the international expanse of this method of fraud.
The fact that your hard-earned tax dollars are being sent elsewhere is bad enough, but there is an even darker side to this fraud. As one couple found out, identity thieves are using “the Social Security numbers of dead babies to file false tax returns and claim refunds”. Although it is not clear how the criminals got this information, it probably began with the data mining of death notices followed by a hack into an organization that would register deaths. A specific category of Social Security numbers could then be isolated and used by cybercriminals.
The fact that many high-profile data hacks occurred towards the end of last year or, at least, before January 31st of this year, is suspicious. The first day for filing an electronic tax return is January 31st. If you know, or suspect, that your data may have been stolen in one of these hacks, the best course of action is to file your return as early as possible. Hackers know that if they are the first to file, they will be considered the legitimate taxpayers. All others will have to go through the long, costly process of proving their legitimacy.
However, it is unfair to have average taxpayers shoulder this burden. The blame lies with companies and organizations that had poorly secured networks which allowed employee and customer data to be compromised. If traditional protection methods are not working, and they clearly are not, then it is time for companies to be as innovative in their choice of security as they are in their development of products or policies. Companies must learn to protect their data from cybercriminals by not allowing malware from endpoints to enter the corporate network. This can only be done if company data is hardware-separated from a user’s personal data. InZero Systems, for example, produces a tablet called the WorkPlay Tablet which has two separated operating systems in one tablet, making it impossible for cybercriminals to access corporate data by circumventing software security measures.
The IRS is fighting off its back foot to maintain some control over the situation. If you think your data may be compromised, they will send you a PIN to use when you file your return. This will work so long as cybercriminals don’t find a way to get that as well.