Economic Stimulus Payments: A Fraud Target
US Treasury on Guard for Scams Tied to Billions in Payments Being Distributed
The U.S. Treasury Department is anticipating fraud as the IRS distributes about $300 billion in direct cash payments to Americans to provide economic relief during the COVID-19 pandemic.
Two services the IRS has quickly stood up so that taxpayers can submit their direct deposit banking details to receive payments are accessible online, creating opportunities for fraud.
One of those services is for non-filers, those below the income threshold that requires filing a federal income tax return - which means the IRS does not have their bank account details. Another, Get My Payment, is designed for anyone to submit direct deposit details. The IRS is also mailing paper checks to those for whom it lacks direct deposit information.
To authenticate taxpayers, both services rely on the usual personal data - names, mailing addresses, birth dates and Social Security numbers. That has become ever riskier to rely upon in an age of unending data breaches, where much of that data has been floating around on the internet for years.
"Scammers are looking for YOUR money. Do your part and report #COVID19-related scams at https://t.co/w5QVd1JqlL. Your report could protect your friends, family, and those you care about from falling victim to a scam." - Treasury Department (@USTreasury), April 17, 2020
The U.S. Department of Justice is anticipating trouble; it has set up the Virginia Coronavirus Task Force to investigate financial scams around the payments.
"Fraudsters are chomping at the bit to steal your money," says G. Zachary Terwilliger, a U.S. attorney for the Eastern District of Virginia and co-leader of the task force. Terwilliger says the scams likely will include a variety of phishing attempts, via text messages, emails, letters and phone calls.
A scan of Russian-language cybercriminal forums and private chats suggests that fraudsters are moving quickly, says Alex Holden, founder and chief information security officer for Hold Security, a cybersecurity consultancy.
In one chat, a group appeared to have successfully submitted bank account data for an unsuspecting taxpayer entitled to the stimulus. Other chats indicated fraudsters were also seeking compromised computers running Microsoft's Remote Desktop Protocol in order to access the IRS's website using U.S. IP addresses so as to not raise suspicions.
The desperate economic circumstances of the COVID-19 pandemic, with 22 million Americans filing for unemployment, have made individuals vulnerable to social engineering scams in which they may respond to phishing emails seeking their personal data, Holden says.
"The whole economic instability is a huge advantage for the bad guys," Holden says. "They [cybercriminals] have so many things to try. They are actually fighting over which abuse angle is better."
Signing Up for Money
Under the Coronavirus Aid, Relief, and Economic Security Act, or CARES Act, Americans are entitled to a $1,200 Economic Impact Payment if their adjusted gross income for tax purposes is $75,000 or less. The income thresholds are higher for those who filed as a head of household and for married couples who filed a joint return. Also, those with dependent children are eligible for $500 for each child.
Most U.S. taxpayers already have their direct deposit details on file with the IRS. As a result, the Treasury Department said last Wednesday that 80 million Americans had already received a payment via direct deposit.
That leaves the remainder to wrangle with either the service for non-filers or Get My Payment.
Non-filers need to fill in their full name, current mailing address, date of birth, Social Security number plus their bank account number and routing details. They're also required to fill in either a driver's license number or a state ID.
They also may be required to input an Identity Protection Personal Identification Number, or what the IRS calls an IP PIN. That's a secret six-digit code that is intended to validate a tax return.
In theory, it's similar to an ATM PIN: only you should know it, which means if it's wrong the IRS can detect an invalid claim or tax return. But the IRS has had fraud problems with it (see: IRS Disables Hacked PIN Tool).
An IP PIN is not available to everyone yet, although the IRS is expanding the program. It's only available to people who have been confirmed identity theft victims. Alternatively, an opt-in is available to people who live in 20 states but only to those who did file a federal tax return in 2019.
That means most non-filers won't have an IP PIN because they didn't file a federal tax return. Also, secret numbers such as IP PINs are only effective if individuals keep them secret and don't fall for social engineering scams.
Get My Payment enables taxpayers to verify their eligibility for the payment, and if needed, provide direct deposit details. It asks for Social Security number, birth date, first line of a physical address and a ZIP code.
The only somewhat small hurdle that appears to be in place to stop someone from fraudulently entering someone else's data is that it asks for the adjusted gross income from either a 2019 or 2018 tax return. Alternatively, it may ask for the refund amount or the amount owed from either of those years.
That information wouldn't be known to a fraudster, but it's the type of information that could be elicited from a phishing email or phone-based social engineering. Wisely, the IRS doesn't allow existing bank account data on file to be changed using the Get My Payment tool.
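The data these enrollment tools collect also gives a defender something to work with. The following is an added example, not IRS code, of a batch velocity check over constructed enrollment records (hypothetical field names): it flags a destination bank account claimed by several distinct taxpayers and a single source IP enrolling several taxpayers, the pattern described above where one group submits bank details for people who are not their own.

```python
from collections import defaultdict

# Constructed sample enrollment records (not real taxpayers or accounts).
# Each record: taxpayer identifier, destination routing/account, source IP.
SUBMISSIONS = [
    {"taxpayer": "T001", "routing": "011000015", "account": "111111", "ip": "203.0.113.10"},
    {"taxpayer": "T002", "routing": "011000015", "account": "222222", "ip": "203.0.113.11"},
    {"taxpayer": "T003", "routing": "011000015", "account": "999999", "ip": "198.51.100.7"},
    {"taxpayer": "T004", "routing": "011000015", "account": "999999", "ip": "198.51.100.7"},
    {"taxpayer": "T005", "routing": "011000015", "account": "999999", "ip": "198.51.100.7"},
    {"taxpayer": "T006", "routing": "011000015", "account": "333333", "ip": "203.0.113.12"},
]


def shared_accounts(subs, threshold=2):
    """Destination accounts that at least `threshold` distinct taxpayers tried to enroll."""
    owners = defaultdict(set)
    for s in subs:
        owners[(s["routing"], s["account"])].add(s["taxpayer"])
    return {acct: sorted(ids) for acct, ids in owners.items() if len(ids) >= threshold}


def busy_sources(subs, threshold=3):
    """Source IPs that enrolled at least `threshold` distinct taxpayers."""
    seen = defaultdict(set)
    for s in subs:
        seen[s["ip"]].add(s["taxpayer"])
    return {ip: sorted(ids) for ip, ids in seen.items() if len(ids) >= threshold}


def hold_for_review(subs):
    """Taxpayer IDs whose submission touches a shared account or a busy source IP.

    These would be held for manual confirmation (e.g. the mailed letter the IRS
    sends) instead of being paid to the submitted account immediately.
    """
    bad_accounts = shared_accounts(subs)
    bad_ips = busy_sources(subs)
    return sorted(
        s["taxpayer"]
        for s in subs
        if (s["routing"], s["account"]) in bad_accounts or s["ip"] in bad_ips
    )


if __name__ == "__main__":
    print("shared accounts:", shared_accounts(SUBMISSIONS))
    print("busy sources:", busy_sources(SUBMISSIONS))
    print("hold for review:", hold_for_review(SUBMISSIONS))
```

Thresholds are deliberately low for the sample; in practice they would be tuned against legitimate cases such as joint filers sharing one account.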
Still, the IRS's reliance on simple personal data is concerning, writes Mike Chapple, an associate teaching professor at the University of Notre Dame, in a recent Washington Post column.
"Unfortunately, the system implemented by the Internal Revenue Service puts the payments at serious risk of identity theft," Chapple writes.
Due to technical problems with Get My Payment, scores of Americans have posted their frustrations on Twitter. Information Security Media Group didn't spot any outright accusations of fraud, but some indicated that their stimulus payment went to an account they did not recognize. It was unclear whether this was fraud or simply data entry error.
'People Need Money'
The Treasury Department has sought to warn Americans about the potential for fraud, saying it will not ask them for personal information by email, text message or social media.
The speed at which the payments are being distributed may mean catching fraud only in hindsight. The IRS has said it will send letters within a couple of weeks to recipients confirming how the payment was made.
It's common for the IRS to push out money and then worry about fraud after the fact, says Michael Bret Hood, a former FBI supervisory special agent and adjunct professor of corporate governance and ethics at the University of Virginia.
"The main goal of the program - and I can't fault the IRS for this - is to get money in people's hands as quick as possible," Hood says. "With those parameters, you're just going to invite fraud."
Hood says the move compromises protection for expediency, but the circumstances around COVID-19 have put many Americans in difficult economic circumstances.
"We're in such dire straits," Hood says. "People need money."