Questioning Turbo Tax Fraud Efforts
Former security employees of Intuit allege that the company has processed state and federal tax refunds that were known to be filed by cybercriminals via the popular income tax program TurboTax.
As we recently reported, cybercriminals with stolen information have been filing tax returns via TurboTax in order to claim state refunds on behalf of the stolen identity. TurboTax suspended state filing, but opened it back up once they confirmed that the stolen information was not coming from their network. Intuit insists that they are leaders in the industry when it comes to reporting fraudulent activity to the IRS, but that what happens from there is in the hands of the IRS.
Two former security employees maintain, however, that Intuit has held back from implementing security measures they suggested due to loss in company profit when fraud is reduced. Essentially, when they make it harder to file fraudulent tax returns, cybercriminals go somewhere else and Intuit misses out on the filing fees. Since filers can opt to pay the fees out of the refund they are receiving, this scam also scams American tax payers.
They also said that there were "literally millions of accounts that we were 100% sure were used for fraud", but the management at Intuit did not allow them to shut down the accounts or even flag them.
Intuit's response is that they lead the industry in reporting fraud, even though the IRS has yet to come up with a clear roadmap of what to do in such cases for the tax return industry. They also say that the customers' experience was of the utmost importance, and being overly aggressive in reporting snared legitimate users and delayed their returns.
The IRS reported receiving over 330,000 identity theft complaints last year with about one-third of them related to taxes. They also said that they prevented an estimated $24.2 billion in fraudulent refunds in 2013, though $5.8 billion was paid and later found to be fraudulent. Since an unknown amount of fraud surely goes undetected, the actual damage can't be known.