New IRS Site Could Make it Easy for Thieves to Intercept Some Stimulus Payments

The U.S. federal government is now in the process of sending Economic Impact Payments by direct deposit to millions of Americans. Most who are eligible for payments can expect to have funds direct-deposited into the same bank accounts listed on previous years’ tax filings sometime next week. Today, the Internal Revenue Service (IRS) stood up a site to collect bank account information from the many Americans who don’t usually file a tax return. The question is, will those non-filers have a chance to claim their payments before fraudsters do?

The IRS says the Economic Impact Payment will be $1,200 for individual or head of household filers, and $2,400 for married filing jointly if they are not a dependent of another taxpayer and have a work eligible Social Security number with adjusted gross income up to:

  • $75,000 for individuals
  • $112,500 for head of household filers and
  • $150,000 for married couples filing joint returns

Taxpayers with higher incomes will receive more modest payments (reduced by $5 for each $100 above the $75,000/$112,500/$150,000 thresholds). Most people who who filed a tax return in 2018 and/or 2019 and provided their bank account information for a debit or credit should soon see an Economic Impact Payment direct-deposited into their bank accounts. Likewise, people drawing Social Security payments from the government will receive stimulus payments the same way.

But there are millions of U.S. residents — including low-income workers and certain veterans and individuals with disabilities — who aren’t required to file a tax return but who are still eligible to receive at least a $1,200 stimulus payment. And earlier today, the IRS unveiled a Web site where it is asking those non-filers to provide their bank account information for direct deposits.

However, the possibility that fraudsters may intercept payments to these individuals seems very real, given the relatively lax identification requirements of this non-filer portal and the high incidence of tax refund fraud in years past. Each year, scam artists file phony tax refund requests on millions of Americans, regardless of whether or not the impersonated taxpayer is actually due a refund. In most cases, the victim only finds out when he or she goes to file their taxes and has the return rejected because it has already been filed by scammers.

In this case, fraudsters would simply need to identify the personal information for a pool of Americans who don’t normally file tax returns, which may well include a large number of people who are disabled, poor or simply do not have easy access to a computer or the Internet. Armed with this information, the scammers need only provide the target’s name, address, date of birth and Social Security number, and then supply their own bank account information to claim at least $1,200 in electronic payments.

Page 1 of 2 in the IRS stimulus payment application page for non-filers.

Unfortunately, SSN and DOB data is not secret, nor is it hard to come by. As noted in countless stories here, there are multiple shops in the cybercrime underground that sell SSN and DOB data on tens of millions of Americans for a few dollars per record.

A review of the Web site set up to accept bank account information for the stimulus payments reveals few other mandatory identity checks to complete the filing process. It appears that all applicants need to provide a mobile phone number and verify they can receive text messages at that number, but beyond that the rest of the identity checks seem to be optional.

For example, Step 2 in the application process requests a number of data points under the “personal verification” heading,” and for verification purposes demands either the amount of the applicant’s Adjusted Gross Income (AGI) or last year’s “self-selected signature PIN.” The instructions say if you do not have or do not remember your PIN, skip this step and follow the instructions in step A above.

More importantly, it appears one doesn’t really need to supply one’s AGI in 2018. “If you didn’t file a return last year, enter 0,” the site explains.

Step 2 in the application for non-filers.

In the “electronic signature,” section at the end of the filing, applicants are asked to provide a cell phone number, to choose a PIN, and provide their date of birth. To check the filer’s identity, the site asks for a state-issued driver’s license ID number, and the ID’s issuance and expiration dates. However, the instructions say “if you don’t have a driver’s license or state issued ID, you can leave the following fields blank.

Alas, much may depend on how good the IRS is at spotting phony applications, and whether the IRS has access to and bothers to check state driver’s license records. But given the enormous pressure the agency is under to disburse these payments as rapidly as possible, it seems likely that at least some Americans will get scammed out of their stimulus payments.

The site built to collect payment data from non-filers is a slight variation on the “Free File Fillable Forms” product, which is a free tax filing service maintained by Intuit — a private company that also processes a huge percentage of tax returns each year through its paid TurboTax platform. According to a recent report from the Treasury Inspector General for Tax Administration, more than 14 million Americans paid for tax preparation services in 2019 when they could have filed them for free using the free-file site.

In any case, perhaps Intuit can help the IRS identify fraudulent applications sent through the non-filers site (such as by flagging users who attempt to file multiple applications from the same Internet address, browser or computer).

There is another potential fraud storm brewing with these stimulus payments. An app is set to be released sometime next week called “Get My Payment,” which is designed to be a tool for people who filed tax returns in 2018 and 2019 but who need to update their bank account information, or for those who did not provide direct deposit information in previous years’ returns.

It’s yet not clear how that app will handle verifying the identity of applicants, but KrebsOnSecurity will be taking a look at the Get My Payment app when it launches later this month (the IRS says it should be available in “mid-April”).

IRS scams during tax season target unsuspecting consumers

Scam robocalls and phishing emails disguised as banks continue to trick consumers to put their personal information at risk, and tax season is no exception.

IRS scams

Increase in potential threats

During this time of the year consumers need to be aware of the increase in potential threats as hackers pose as collectors from the IRS, tax preparers or government bureaus.

These tactics are particularly effective due to tax payers concerns of misfiling their taxes or accidentally running into trouble with groups like the IRS.

McAfee researchers recently uncovered an example of an illegitimate IRS site created to scam unsuspecting consumers. If you look closely, you will notice a non-IRS domain and not a secure connection, these are key things to look out for when seeking online resources.

Fake sites such as this pose particular risk to consumers when combined with phishing email campaigns. In fact, 41% of Americans admitted to falling victim to email phishing scams in 2019, serving as another reminder to be vigilant during the stressful tax season.

File before a scammer does it for you

The easiest defense you can take against IRS scams is to get your hands on your W-2 and file as soon as possible. The more prompt you are to file, the less likely your data will be raked in by a fraudster.

Beware of phishing attempts

Phishing is a common tactic crooks leverage during tax season, so stay vigilant around your inbox and double-check legitimacy of any unfamiliar or remotely suspicious emails. Be wary of strange file attachment names such as “virus-for-you.doc” and remember that the Office of Social Security or IRS do not call or email tax payers.

IRS scams: Watch out for spoofed websites

Scammers have extremely sophisticated tools that help disguise phony web addresses for DIY tax software, such as stolen company logos and site designs. To avoid falling for this, go directly to the source. Type the address of a website directly into the address bar of your browser instead of following a link from an email or internet search.

Consider an identity theft protection solution

If your data does become compromised, be sure to use an identity theft solution, allowing users to take a proactive approach to protect their identities with personal and financial monitoring and recovery tools to help keep their identities personal and secured.

A Light at the End of Liberty Reserve’s Demise?

In May 2013, the U.S. Justice Department seized Liberty Reserve, alleging the virtual currency service acted as a $6 billion financial hub for the cybercrime world. Prompted by assurances that the government would one day afford Liberty Reserve users a chance to reclaim any funds seized as part of the takedown, KrebsOnSecurity filed a claim shortly thereafter to see if and when this process might take place. This week, an investigator with the U.S. Internal Revenue service finally got in touch to discuss my claim.

Federal officials charged that Liberty Reserve facilitated a “broad range of criminal activity, including credit card fraud, identity theft, investment fraud, computer hacking, child pornography, and narcotics trafficking.” The government says from 2006 until the service’s takedown, Liberty Reserve processed an estimated 55 million financial transactions worth more than $6 billion, with more than 600,000 accounts associated with users in the United States alone.

While it’s clear that the digital currency system for years was the go-to money-moving vehicle for many engaged in dodgy online activities, it also was favored by users primarily because it offered a relatively anonymous way to send irrevocable transfers globally with low fees.

The two stories I wrote about the closure of Liberty Reserve in 2013 remain among the most-read on this site, and have generated an enormous volume of emails from readers who saw many thousands of dollars held in legal limbo — much of it related to investments in online gaming platforms, payments to and from adult entertainment services, and various investment schemes.

The IRS official who contacted me was not authorized to be quoted in the media (and indeed did not initially realize he was speaking to a member of the press when he called). But he told me the government had recently obtained legal access to some of the funds held in overseas bank accounts that were used by Liberty Reserve, and that IRS investigators were now starting to contact people and vet any claims made in the wake of the takedown.

“We’re just getting to the point where we have received funds,” the investigator said. “We’ve started to contact people who originally contacted us, to vet their claims, make sure they weren’t involved in any illegal activity, and that the claim amounts match the records that we have.”

The official said he didn’t know how much money in total the government was seeking to return to former Liberty Reserve users. Requests for this information from the Justice Department office that prosecuted the case — the U.S. Attorney for the Southern District of New York — went unanswered.

The founder of Liberty Reserve, 45-year-old Arthur Budovsky, pleaded guilty in 2016 to conspiring to commit money laundering. He was sentenced to 20 years in prison, ordered to pay a $500,000 fine and forfeit $122 million in company funds.

If you filed a monetary claim in response to the Liberty Reserve seizure years back, you may have already been contacted by federal investigators, or you may be soon. But please know that fraudsters will likely seize on public awareness about the possible repatriation of funds to fleece the unwary: KrebsOnSecurity has received more than a few emails from readers over the years who fell for various phishing scams that promised to return funds lost at Liberty Reserve in exchange for a bogus “processing fee.”