Dauda Financial and Consulting Services

09/20/2025

04/15/2016

****Hackers Using Prior Data Breaches to Pe*****te IRS Tax Info*******

**** (APRIL 14, 2016) ******

Internal Revenue Service Commissioner John Koskinen defended the IRS’s cybersecurity efforts during a contentious congressional hearing Thursday on the IRS’s ability to protect taxpayer systems.

“Securing our systems and taxpayer data continues to be a top priority for the IRS,” Koskinen said during a hearing before the House Science Committee’s Subcommittee on Research and Technology. “Even with our constrained resources as a result of repeatedly decreased funding over the past few years, we continue to devote significant time and attention to this challenge, which is twofold. First, the IRS works continuously to protect our main computer systems from cyber incidents, intrusions and attacks, but our primary focus is to prevent criminals from accessing taxpayer information stored in our databases. These core tax processing systems remain secure, through a combination of cyber defenses, which currently withstand more than one million attempts to maliciously access our systems each day. Second, the IRS is waging an ongoing battle to protect taxpayers and their information as we confront the growing problem of stolen identity refund fraud.”

Committee chairman Lamar Smith, R-Texas, pointed to recent reports from the Treasury Inspector General for Tax Administration and the Government Accountability Office that found problems with the IRS’s identity authentication methods and cybersecurity. “The U.S. Government Accountability Office has identified a number of ongoing cybersecurity system gaps and IRS failures to fully implement certain security controls,” he said. “The report found that of 28 prior GAO cybersecurity recommendations to the IRS, nine have not been effectively implemented. These gaps could open the door for cyber criminals to steal confidential taxpayer data. The past year’s IRS breaches are especially troubling. Taxpayer data was fraudulently accessed, not through a forcible compromise of the computer systems, but by hackers who correctly answered security questions that should have only been answerable by the actual individual.”

Smith acknowledged the hackers probably had originally accessed the data they used to compromise the IRS’s system from prior high-profile hacks, such as data breaches last year at the federal government’s Office of Personnel Management and at Anthem Health Insurance. Koskinen pointed out that the IRS has never experienced a data breach of its database in its history, although he acknowledged information already in the hands of cybercriminals was used to access the IRS’s online Get Transcript and Identity Protection PIN systems.

“The reality is criminals are becoming increasingly sophisticated and are gathering vast amounts of personal information as the result of data breaches at sources outside the IRS,” said Koskinen. “We must balance the strongest possible authentication processes with the ability of taxpayers to legitimately access their data and use IRS services online. It is important to note that cybercrime (theft by unauthorized access) and privacy breaches are increasing across the country in all areas of government and industry. Cybercriminals and their methods continue to grow in sophistication, frequency, brazenness, volume and impact. The IRS will continue to be challenged in our ability to maintain currency with latest technologies, processes and counter-measures.”

Rep. Barbara Comstock, R-Va., who chairs the Research and Technology Subcommittee, said she too had suffered from the breach at the Office of Personnel Management. “While I appreciate the IRS’ efforts to accommodate most people’s desire to access their tax information electronically, it cannot do so at the expense of their security,” she said. “As someone whose information was compromised in last year’s OPM hack, I assure you, more security is better than less. This would also help many of my federal employee constituents who were impacted by the OPM breach, as well as by last year’s Anthem cyber-attack. As one of the largest health insurance providers in the Commonwealth, the Anthem hack hit particularly close to home for us too.”

J. Russell George, head of the Treasury Inspector General for Tax Administration, confirmed the seriousness of the cybersecurity threat facing the federal government and the IRS in particular. “Cybersecurity threats against the federal government continue to grow,” he said. “Since 2011, my office has identified the security of taxpayer data as the most serious management and performance challenge confronting the IRS. According to the Department of Homeland Security’s U.S. Computer Emergency Readiness Team, federal agencies reported 77,183 cyberattacks in FY 2015, an increase of more than 10 percent from FY 2014.”

George acknowledged that hackers are using the information they get from other data breaches to access the IRS’s systems. “The increasing number of data breaches in the private and public sectors means more personal information than ever before is available to unscrupulous individuals,” he said. “Much of these data are detailed enough to enable circumvention of most authentication processes. Therefore, it is critical that the methods the IRS uses to authenticate individuals’ identities provide a high level of confidence that tax information and services are provided only to individuals who are entitled to receive them. The risk of unauthorized access to tax accounts will continue to grow as the IRS focuses its efforts on delivering online tools to taxpayers. The IRS’s goal is to eventually provide taxpayers with dynamic online account access that includes viewing their recent payments, making minor changes and adjustments to their accounts, and corresponding digitally with the IRS.”

Gregory C. Wilshusen, director of information security issues at the Government Accountability Office, presented a GAO report on the IRS’s continuing challenges with cybersecurity. The report noted that in March, the GAO reported that the IRS had instituted numerous controls over key financial and tax processing systems, but it had not always effectively implemented safeguards to properly restrict access to the systems and information (see IRS Faulted for Controls over Financial and Taxpayer Data).

In particular, while the IRS had improved some of its access controls, weaknesses remain with identifying and authenticating users, authorizing users’ level of rights and privileges, encrypting sensitive data, auditing and monitoring network activity, and physically securing its computing resources. The weaknesses were due in part to the IRS’s inconsistent implementation of its agency-wide security program, including not fully implementing a variety of GAO recommendations.

04/14/2016

***It's Tax Week. You've Been Hacked. This Software Is Fighting It
(APRIL 14, 2016)

(Bloomberg) With rampant fraud draining as much as $6 billion a year away from U.S. taxpayers, technology vendors are competing for billions themselves, selling software that helps governments identify the cheats.

“The market has gone from a handful of clients to an explosion,’’ said Avivah Litan, an analyst at researcher Gartner, who estimates the market for software aimed at fighting identity theft—including tax fraud—is worth $2 billion a year. “The government agencies got caught off guard, and they are very slow to react.”

According to the Federal Trade Commission, tax fraud was the No. 1 reported form of identity theft in 2015. The Internal Revenue Service says it stopped 1.4 million confirmed identity-theft returns last year, avoiding $8.7 billion in fraudulent payouts. Ahead of this tax season—the filing deadline is April 18 this year—the IRS partnered with states and tax preparers to set up new password standards for tax filing and to share information about identity theft. At least a dozen states have hired outside companies to help fight the problem.

Companies that make tax-filing software and third-party vendors have had some success introducing tools that verify taxpayers’ identities via checks on everything from marital status to prison records. These companies are usually paid monthly fees or get a cut of the savings from payouts on fake returns.

Relx Plc’s LexisNexis Risk Solutions started offering refund-fraud software in 2012. Now used in five states, the product cross-references 20,000 public sources like voter rolls and police records covering hundreds of millions of individuals.

Tax filers who are flagged as questionable—about 10 percent of returns—must take a quiz online, by phone or in person to quickly answer questions about personal details. The company says about 60 percent of those asked to take the test decline to do so—typically indicating the returns were fraudulent. Of those who take the quiz, half fail.

“This is a crime with a high rate of return and little risk of being caught,” said Haywood Talcove, who heads the government division at LexisNexis Risk Solutions, which estimates tax-refund fraud totals $20 billion a year. “If you’re living in the U.S., the probability that your info has already been stolen is high. The question is, will it be used.”

Verafin Inc. has developed a program that can be used by banks, which often see the refunds roll in as electronic deposits. When they see hundreds of refund checks going into one account (as has happened), they can investigate, says Mauriceo Castanheiro, Verafin’s director of analytics.

“We were really surprised at the number of cases our customers were identifying,” Castanheiro said.

There are signs the programs are working. Indiana said less than 1 percent of returns last tax season were fraudulent, down from 12 percent in 2014, an improvement it attributes to its work with LexisNexis and Revenue Solutions Inc., which set up software to further check identities of tax filers with public sources. Indiana says it has stopped more than $100 million being paid out to criminals, and has paid LexisNexis $5 million for its help.

“I don’t think that our tax-filing programs had been that insecure, but you don’t foresee the ways in which people will manipulate the system,’’ says Amanda Stanley, a spokeswoman for the Indiana Department of Revenue.

Makers of tax-filing software are also incorporating beefed up security features into their offerings. Intuit Inc., maker of TurboTax, unveiled new security options in November, including fingerprint authentication on Apple devices and multi-step account sign-ins using one-time codes. Since many customers have used the tax software for years, the company can also check patterns of use such as how early the person files or the pace at which she works.

Still, online tax software is a juicy target. Rival TaxAct identified suspicious activity late last year, and says fewer than 500 returns were accessed. It has added security measures since then.

“At this point in the season,” TaxAct said in a statement, “we are not currently seeing unusual levels of fraudulent activity.”

04/11/2016

****Senate Bill Would Toughen Penalties for Tax ID Theft**
WASHINGTON, D.C. (APRIL 8, 2016)

Senate Judiciary Committee Chairman Chuck Grassley, R-Iowa, has introduced legislation to combat tax refund theft by identity thieves.

The Tax Return Identity Theft Protection Act of 2016 would strengthen the existing penalties for identity thieves, establish tougher sentences for crimes against vulnerable and frequently targeted groups, and clarify the state-of-mind proof requirement that has prevented some identity thieves from being held accountable.

Grassley’s bill seeks to deter tax return identity theft and other related fraud by increasing the maximum punishment for such crimes to a term of 20 years in prison. In addition to tax return identity theft, these offenses include stealing a victim’s identity to conspire to defraud the government, file a false claim against the government, or steal public money, property or records. The bill would also stiffen the penalties for crimes against vulnerable groups that government watchdogs have identified as frequently targeted by identity thieves. These groups include the aging and low-income populations, along with members of the military.


With regard to the state-of-mind proof requirement, the bill would clarify that prosecutors would only need to prove that an individual charged with identity theft under certain statutes “knowingly” used a means of identification that was not legitimately issued to that individual, regardless of whether the individual knew the identification belonged to another person.

“Tax refunds can be a silver lining for many Americans during tax season, but they’ve also attracted the attention of fraudsters and identity thieves,” Grassley said in a statement Thursday. “These crooks use stolen personal tax information to swoop in and seize the tax refunds of unwitting Americans early in the season before the victims ever file. The crime is costing Americans billions of dollars annually, and can take many months to correct. My bill discourages this unscrupulous behavior by increasing penalties, especially when the victim is particularly vulnerable.”

Identity thieves successfully stole $5.75 billion in fraudulent tax refunds in the 2013 tax year, according to Internal Revenue Service estimates, with another $24 billion in theft that was prevented. Taxpayers whose returns were compromised wait 278 days on average for the account to be corrected and their return reissued. Identity theft victims spend on average six months and $1,300 to correct their records.

Comments (3)
What's missing is that the IRS already has sufficient funding and STILL won't even cooperate with the victims so that they can work to correct the damage done. This is an area that really requires penalties for NOT pursuing and prosecuting the criminals. There needs to be a requirement that the IRS provide the victim with notice of possible identity theft AND all of the documentation to identify the perpetrator AND that the pursuit of legal action against the perpetrator be mandated. Currently, a victim can't even get the information about who perpetrated the act, which means that the victim has NO defense and no way to pursue legal action and legal remedy.
Because the IRS has proven itself to be more concerned with the privacy of the perpetrator than the remedies for the victim, it makes more sense for this to be placed under the Justice department or law enforcement.
Posted by SullivanAcctg | Monday, April 11 2016 at 11:40AM ET
This is a great idea but ONLY if it comes with funding for the IRS to implement it without cutting other services. The continually decreasing budget - even with having to implement the Affordable Care Act and foreign account reporting and massive identity theft issues and more - is making new suggestions seem like "So what?" This kind of action is more "photogenic" than increasing IRS funding but that is really what's needed.
Posted by eileen.mc | Monday, April 11 2016 at 10:48AM ET
Sen. Grassley has an opinion about the Constitution's wording of Supreme Court justice selection that differs from my opinion, but here he is spot on. Congratulations, Senator. If anything, make the sentences stricter. Also give the IRS the $1B it needs to start at least 5 security features: (1) unique IRS user names (not hospital assigned names), (2) unique IRS account numbers (not SSA numbers, although those could be linked to any new IRS numbers), (3) an ID PIN for everyone beyond FL, GA, and DC,(4) two-way verification using text messages to cell phones, and (5) Don't Ask Don't Tell protection for the first 4 security features so that banks and credit agencies can't collect these ID codes and then get hacked. Again, well done Senator Grassley.
Posted by DavidWarlick | Friday, April 08 2016 at 6:54PM ET

04/07/2016

Imagine getting a check for $6,000 only to find out a month later you have to give $5,000 of it back.

04/06/2016

***IRS Warns of New Scam Variations*******
WASHINGTON, D.C. (MARCH 31, 2016)
BY MICHAEL COHN
Scammers are trying new tactics to convince taxpayers to hand over their personal information, the Internal Revenue Service warned.

In a new email scam targeting taxpayers, people are receiving emails that appear to come from the Taxpayer Advocacy Panel, a volunteer board that advises the IRS on issues affecting taxpayers. They try to trick taxpayers into providing personal and financial information. The IRS said taxpayers should not respond or click the links in these emails. If they receive an email that appears to be from TAP regarding their personal tax information, they should forward it to [email protected].

The IRS has seen an approximate 400 percent surge in phishing and malware incidents so far in the 2016 tax season. The emails are designed to trick taxpayers into thinking these are official communications from the IRS or others in the tax industry, including tax software companies. The phishing schemes can ask taxpayers about a wide range of topics. Emails can seek information related to refunds, filing status, confirming personal information, ordering transcripts and verifying PIN information.

The IRS said it is also receiving new reports of scammers calling under the guise of verifying tax return information over the phone (see IRS Warns of New Phone Scam Tactic). The latest variation on this scam uses the current tax-filing season as a hook. Scam artists call saying they are from the IRS and have received the taxpayer’s tax return, and they just need to verify a few details to process it. The scam tries to get taxpayers to give up their personal information such as a Social Security number or personal financial information, such as bank numbers or credit cards.

Aggressive and threatening phone calls by criminals impersonating IRS agents remain an ongoing threat. The IRS said it has seen a surge of these phone scams in recent years as scam artists threaten taxpayers with police arrest, deportation, license revocation and more. The con artists often demand payment of back taxes on a prepaid debit card or by immediate wire transfer. Taxpayers should be alert to con artists impersonating IRS agents and demanding payment.

The IRS said it will never call to demand immediate payment over the phone or call about taxes owed without first having mailed a bill, nor will it threaten to immediately bring in local police or other law enforcement groups to have a taxpayer arrested for nonpayment. The IRS also will not demand payment of taxes without giving the person the opportunity to question or appeal the amount owed or require the use of a specific payment method for taxes, such as a prepaid debit card. The IRS will not ask for credit or debit card numbers over the phone or threaten to bring in local police or other law enforcement groups to have someone arrested for not paying.

03/11/2016

*****IRS's Delays in Responding to Taxpayer Correspondence Take Mounting Toll *******
WASHINGTON, D.C. (MARCH 8, 2016)

The Internal Revenue Service’s delays in processing taxpayer correspondence are lengthening, leading to delayed tax refunds and bigger interest payments from the IRS, according to a new report.

The report, from the Treasury Inspector General for Tax Administration, found inconsistent use of “over-age” correspondence lists by some managers at the IRS causes delays in processing taxpayers’ correspondence, creating a burden for taxpayers who must wait longer for assistance and, in some cases, their tax refunds.

The IRS’s internal guidelines specify that correspondence from taxpayers is generally considered over-age if it has not been resolved within 45 days. Customer satisfaction surveys found taxpayers were dissatisfied with the length of time the IRS took to resolve their cases. The delays can result in the IRS unnecessarily paying interest to taxpayers, estimated at more than $27.6 million in fiscal year 2014. Over-aged correspondence has steadily increased from 40 percent in fiscal year 2012 to 49 percent in fiscal year 2015.

In previous reviews, TIGTA recommended the IRS should develop a consistent process to ensure that managers complete their reviews of Automated Age Listings—that is, correspondence over-age reports.

The IRS has taken some actions to improve correspondence inventory management, the report acknowledged. For example, the IRS developed and implemented a phased approach on all its office campuses during fiscal year 2014, with the objective of closing as many cases as early as possible to reduce inventory and improve the timeliness of case resolutions.

The IRS also initiated a pilot program in February of last year to develop a consistent process for monitoring over-age reports. However, despite these actions, the percentage of over-age correspondence has continued to increase, partly because some IRS managers are not following internal guidelines requiring the use of over-age reports to monitor and reduce the inventory of unanswered correspondence.

TIGTA’s analysis of eight customer service representatives’ over-age reports for three consecutive weeks found that 16 to 82 percent of their over-aged assigned cases remained unresolved. In response to previous TIGTA reports on this issue, IRS management said they would ensure managers completed these reviews and would develop a consistent process to ensure managers completed correspondence over-age report reviews. However, some managers continue to not adhere to the required use of over-age reports, contributing to the IRS’s inability to effectively reduce the inventory of unanswered correspondence.

“Delays in processing correspondence create a burden for taxpayers, who must wait to obtain assistance and, in some cases, receive refunds,” said TIGTA Inspector General J. Russell George in a statement. “For the IRS, the delays can result in the unnecessary payment of interest. In FY 2014, the IRS paid more than $27.6 million to taxpayers as a result of not timely processing or resolving correspondence cases.”

TIGTA recommended the IRS ensure that managers provide and receive annotated over-age reports from their employees on a weekly basis. The IRS agreed with TIGTA’s recommendations and plans to re-assess its procedures to develop a consistent process for dealing with over-age reports.

The IRS’s limited resources after years of budget cuts are also contributing to the delays. In response to the report, Debra Holland, commissioner of the IRS’s Wage and Investment Division, pointed to the agency’s limited resources. “The same employees who work correspondence cases also staff our toll-free telephone service lines and, during peak periods, our resources are strained to handle both of these critical workloads,” she wrote. “Factors that can contribute to inventory aging, including waiting on additional information from taxpayers, issue complexity and competing priorities, can significantly impact the ability to resolve and conclude correspondence matters within desired timeframes.”

While she emphasized that the most significant factors in inventory aging are overall workload demand and the availability of resources to address that demand, she said the IRS is committed to continually improving its responsiveness to taxpayer inquiries.