No one knows the answer to this troubling question, but so far more than 70 South Florida victims have been affected. Among the known cases are two public works employees in Fort Lauderdale and six employees of the Miami Association of Realtors.
Most of the fraudulent returns were filed electronically, according to reports, using someone else's name and Social Security number. In most cases, the thieves had funds electronically routed to bank accounts, and then quickly withdrew the funds using debit cards at ATMs.
Kirk Nahra, a privacy expert and attorney for Washington-based law firm Wiley Rein LLP, says the electronification of tax payments has helped fraudsters. "This is a perfect example of where efficiency and speed run up against potential problems," he says. "The reason people file this way is because it is easy and efficient," but that means it's also easy for criminals to quickly perpetrate fraud.
Now, Sen. Bill Nelson, D-Fla., is calling for a federal investigation into the incidents, which have held up legitimate refunds for thousands of taxpayers.
Social Security Numbers 'Not Going Out of Style'
No connection has been reported between these incidents and the recently discovered breach at the Social Security Administration, which exposed personally identifiable information for some 37,000 people between May 2007 and April 2010. The SSA breach, announced earlier this month in an audit summary compiled by the SSA inspector general, involved the sale of information in the Death Master File that erroneously contained information about living people. The Death Master File contains information about persons who had Social Security numbers and whose deaths have been reported to the SSA.
The IRS is not commenting on the South Florida tax fraud incidents, but Linda Foley, who heads up the Identity Theft Resource Center, an identity theft victim-assistance and public-education organization, says the identities were likely stolen from an outside source months or even years ago.
"The Social Security number is not going out of style, when it comes to fraud," Foley says. "These stolen Social Security numbers could go back a year and a half for all we know. That's why it's hard to trace the fraud back to a particular breach."
From a phishing attack to a database breach or internal fraud perpetrated by an employee who sold consumer files for profit, numerous scenarios could have led to the compromise of the Florida victims' identities, Foley says. It's just another example of the vulnerability of personally identifiable information, or PII.
"Something is going on in this case," she says. "It could be related to a phishing scam, now that more people are downloading malware without knowing it. They could have had Social Security and tax information on their computers, and once they were hit with malware, it got all of their information."
But a more likely scenario, Foley says, is that a database was breached, through phishing or some other means, and a list was obtained. "I think in this case the stolen identities were warehoused," meaning they were stolen in bulk, stored and then sold. "I think this relates more to someone buying a Social Security number, because they either don't have one or can't use their own," she says. "And when people buy Social Security numbers, they usually come from a warehoused list."
That theory makes sense for the compromised information belonging to retired or deceased citizens. "That's how children's numbers and credit gets scammed," Foley says. "The criminals who sell these numbers often seek out Social Security numbers that don't get used or don't have a credit history attached to them."
Tax Time: Heyday for Fraud
Incidents of identity theft increase during tax season, experts say. It's one reason the Epsilon e-mail breach, which affected more than 100 brands, representing organizations of all sizes and sectors, was so concerning. [See Epsilon: Biggest Breach Ever?] Industry analysts feared fraudsters would thread common brand information with the hacked e-mail addresses to launch targeted, spear phishing attacks that could convince consumers to cough up critical personal details.
On the IRS website, a number of recommendations for ID theft protection during tax season are listed. One point the IRS makes very clear is that it never contacts taxpayers via e-mail. In fact, a special article on the site is dedicated to phishing and ID theft related to tax season: "Suspicious E-Mails and Identity Theft".
"The ITRC truly feels for these folks. Unfortunately, they represent only a small number of the thousands of people going through this same problem right now," Foley says. "The IRS has a very good fraud team, but they are overwhelmed by the hundreds of cases just like these at this time of year."