From February to mid-May of this year, criminals used stolen data to view the past tax returns of over 200,000 people and file fraudulent refunds from the IRS - over half of which were successful. The IRS paid nearly $50 million in refunds before exposing the scheme. Fraudulent tax claims have been plaguing the agency extensively in recent years as online crime has been on the rise. The sophistication demonstrated by these criminals has government officials convinced that the hackers are operating in sophisticated, organized crime syndicates.
Under the current system, the IRS is frequently unable to detect a false return before it sends a refund check. The problem has been proliferating as a criminal needs only a person’s name, date of birth, and Social Security number to file a fraudulent tax refund. After having obtained this information, it is easy for criminals to clear a security screen and gain access to tax returns.
The IRS is well aware of the expansion of this problem, predicting that tax-refund fraud will hit $21 billion by 2016. Fiscal restraints make improving its outdated fraud-detection system difficult at the moment, so the IRS is beginning to implement a PIN security system. Under this system, the IRS assigns PIN numbers to individuals with questionable activity on their accounts, those who have been victims of tax fraud in the past, and those living in areas with prevalent fraud.
Although the IRS is taking action to strengthen its data security, serious concerns remain about the future of cyber security as the identity theft that took place was targeted at individuals, not the IRS’s actual system. All major data providers are noting this shift in criminal activity being increasingly directed toward individuals. By simply exploiting email addresses and passwords, attackers can acquire the information they need, like birth dates or names of family members, to answer basic authentication questions that allow access to information like tax returns. These security breaches compound when hackers gather more and more information about the same individual’s personal or financial information.
People with apathetic attitudes about cyber security may be putting themselves and their employers at a heightened risk for cyber attack in the future. The largest demographic in the 2015 workforce, millennials, are of particular concern to their employers. A recent study by Software Advice examining the differences in generational attitudes toward privacy found that millennials, or those born after 1980, are more lackadaisical about cyber security.
The study gathered feedback from workers of three different demographics: “baby boomers,” those born from 1946 to 1964, “Generation X,” those born from 1965 to 1980, and “millennials.” More than any other generation, millennials were found to repeat passwords across different sites, making it easier for criminals to access personal information. Identity thieves can also gain access to a plethora of private information through people’s profiles on social media. Growing up in a less private environment with a more relaxed attitude toward sharing, millennials were found to accept social media invitations from total strangers more frequently than Gen-Xers or baby boomers. The study also found that millennials, the more “tech-savvy” employees at firms these days, may be finding ways to work around security controls they construe as too restrictive.
Given these trends among the rising workforce, firms are seeking innovative ways to implement further security measures. Millennials, who use more apps and services than other generations, have more passwords to remember. Businesses can help secure information through a two-factor authentication system that requires both a password and a randomly generated number that can be sent to workers through an app on their phone. This new trend in identity theft compels not only the government but also individuals to raise their security standards for the protection of data in the future.