How fraudsters stole millions with the help of a legitimate online tool
Identity thieves have managed to steal $30 million from the US Internal Revenue Service by taking advantage of an online tool designed to help students fill out financial aid applications, IRS Commissioner John Koskinen told the Senate Finance Committee on Thursday.
How did it happen?
The Data Retrieval Tool (DTR) works by populating the applications with the users’ IRS tax return information needed to complete them, but on March 30, 2017 it was announced that it will be made “unavailable until extra security protections can be added.”
“Identity thieves may have used personal information obtained outside the tax system to access the FAFSA [Free Application for Federal Student Aid] form in an attempt to secure tax information through the DRT. The IRS continues to review the extent to which this contributed to fraudulently filed tax returns,” the agency explained at the time.
That’s because the tool allowed identity thieves to gain enough information on individual taxpayers to allow them to file fraudulent tax returns in their name.
Koskinen revealed that the tool’s potential for abuse has been flagged in October 2016, and the IRS told the US Department of Education about it. Nevertheless, it was considered to be so useful to millions of legitimate users that the IRS obviously decided to keep it available.
But, when in February the IRS noticed a pattern of fraudulent activity tied to it, they decided to temporarily shut it down.
“The IRS flagged 100,000 accounts of people who started the application, used the Data Retrieval Tool, but then didn’t finish it. The IRS is alerting those people, as they may have had their information compromised, but Koskinen said some of those applications are likely authentic,” CNN reported.
The online FAFSA system is still operational but, for the time being, users will have to fill out the income information themselves. The IRS is working on software to mask the personal tax data to prevent further theft, but this security measure won’t be implemented until October.