Reposted from the This Week in Nonprofit Fraud Blog – March 17, 2014
Spotlight on Identify Theft: How Data Breaches Lead to Tax Refund Fraud
Photo courtesy of KomoNews.com
For months, the government and law enforcement communities have been warning about the scourge of identity theft for the purposes of committing tax refund fraud. In this scheme, perpetrators steal pieces of a person’s identity that are required to file an income tax return with the IRS. The perpetrators then use the stolen information to file a return that would result in a refund, which they tell IRS to issue as a check directed to an address of the perpetrator’s choosing. Because of the way that IRS’s systems work, IRS will issue the refund check before they’ve conducted every possible test for fraud. And sadly for the real taxpayer, they will never know about the identity theft until they file their legitimate tax return, only to hear from IRS that they won’t receive a refund because “the refund was already issued.”
In a sad twist, the Archdiocese of Seattle found itself on the wrong side of this exact scheme. As many as 80 people associated with the Archdiocese have seen their identities used for fraudulent tax return filings; victims included schoolteachers at associated Catholic schools and volunteers who had provided their social security numbers to the Archdiocese in order to be approved as volunteers. It isn’t yet known exactly how the identities were stolen, but the problem is significant enough that the IRS, FBI, and a forensic services firm have all been called in to try to get to the bottom of the matter. The Archdiocese even cancelled classes at some schools so that teachers and staff would have time to try to resolve fraud concerns.
We’re accustomed by now to hearing the dreaded phrase “data breach” applied where we bank (Citigroup), where we shop (Target), and where we play (Playstation). We all understand why fraudsters would want to target these companies; after all, they have our credit card numbers and bank accounts on file. But, it’s important to remember that there are a lot of pieces of information that are valuable to a criminal. The Archdiocese of Seattle, just like any employer, held some of these pieces, and sadly, many innocent victims will have to help clean up the mess resulting from this data breach.
- Every organization needs to determine what information assets they hold that they have a duty to safeguard. Once you know what data you need to protect, it is critically important that you identify risks to that data, and put a plan in place for what to protect.
- In this case, the Archdiocese was rightly conducting formal background checks on volunteers to help keep the children in their care safe. But, this added another piece of data to protect, one that can easily be overlooked.
- There is no such thing as perfect security, so even if you’ve done the best job you can of designing your controls to protect your data; you need to have a plan in place for detecting and responding to a breach, should one occur. Once the Archdiocese recognized that they had a breach, they responded strongly, issuing alerts to possibly affected individuals, calling in authorities, and supporting recovery efforts by providing their employees with the time to pursue their individual cases.
Raffa Forensic Practice Tips:
- Constantly assess the nature of and risks to your information assets. The cybersecurity environment is constantly changing, so organizations need to always be aware of their sensitive data holdings and keeping apprised of new threats.
- Has your organization conducted a fraud risk assessment that includes information security fraud risks?
- Does your organization have a formal response plan for how to respond to a “worst case scenario” if your data is compromised?
DON’T BE THE NEXT VICTIM OF FRAUD!
The Raffa Forensic Accounting Services Practice offers a wide variety of fraud prevention and detection services including Fraud Risk Assessments, Background and Workplace Investigations, Fraud and Internal Investigations, Transactional Due Diligence Investigations, Anti-Fraud Consulting and Training, and Computer Forensic Analysis.
For more information on the Raffa Forensic Accounting Services Practice please visit us at www.raffa.com/ProfessionalServices/Forensic/ and the Nonprofit Fraud Prevention Institute at www.raffa.com/Fraud.
You can also contact the following Raffa professionals with any questions or if your organization needs assistance in fraud prevention:
Lawrence J. Hoffman, CPA/CFF, CVA, CFE, Senior Partner: Lhoffman@raffa.com
Leslie C. Kirsch, CFE, Manager: Lkirsch@raffa.com