  • Brett Johnson

Open Season for Tax Return Fraud: A Few Words From the Fellow Who Started It.


One of my Twitter Followers, @TrishDGoff, recently tweeted about tax fraud and identity theft.  She suggested to the person she was talking to that they ask me about it.


I read her Tweet and realized something.  All this time, I’ve never written or spoken about Tax Return Identity Theft except in passing.  Kind of odd when you consider that I’m the guy that came up with that fraud.


Wait.  What?  Brett “Gollumfun” Johnson was the ass who invented that fraud scheme?


Yep.  I’m that guy.  One of the many types of identity theft and cybercrime I had a hand in developing.


I’ve not really spoken about it since becoming a consultant and public speaker.  I mention it in passing, saying only the reason people have their tax refund delayed every year began with the guy standing in front of them.


Why have I not spoken about it?  I think because it is a piece of my past that I am trying to move past.  I view that as history and not current, so I’ve neglected speaking about it even as it continues to be a very profitable crime for experienced cybercriminals. 


That has been a mistake on my part.  Many thanks to Trish Goff for giving me the opportunity to see the light.


Don’t worry, I am going to talk about this fraud as it is now committed and what, if anything, consumers can do to protect themselves against this crime.  But first, a little history of how this type of fraud came into being.


I was the leader of the first real organized identity theft and cybercrime group, ShadowCrew. 


I was also one of the three people to build the site, myself, Seth Sanders, and Kim Taylor.  ShadowCrew was the precursor of today’s Darknet markets and forums.  Being the first website and group of its kind meant we had to figure out a lot of these types of fraud ourselves.  Being the leader of the group also meant that I was involved in developing most of those types of crime as well.  With the exception of “Friendly Fraud”, all the types of organized financial cybercrime seen today began with the inception of ShadowCrew.  I could list some of the areas of online fraud I helped develop, but it would take too long.  (ATO, CNP, Phishing, Counterfeiting, ID Theft, Payment Processor Fraud, Bank Accounts, Laundering, Etc., etc.)  The list just keeps going.  And among that list?  Tax Return Identity Theft.


It began with the Online Indiana State Sex Offenders Registry.  At the time, the registry listed the entire details of all the sex offenders in Indiana:  Name, Social Security Number, Date of Birth, Driver License #, Address, Phone, etc.  I found the database and started using it to set up bank accounts using the rapist’s and pedophile’s information.  I justified it by saying that if anyone deserved to be screwed over it was these people and that law enforcement would be slow to help them.


I used their info to set up hundreds of bank accounts with Netbank.  At the time, Netbank was the only online bank.  Setting up accounts was easy.  All I needed was the information on the registry site.  By this time, I knew how to acquire drop addresses to receive stolen items, credit cards, IDs, and more.  I started using those same types of drop addresses to set up bank accounts so me and my crew could cash out.  In doing so, I became the first seller of fraudulent bank accounts in the community.  I sold them for $300 each, including the debit card and the complete identity profile of the person I used to open the account. 


Typically, a bank account like that could see $20k laundered through it before becoming suspicious or being flagged.


Using the pervert’s info lasted for about 6 months.  One day I signed on to the registry and noticed the State of Indiana had removed all the DOBs and SSNs.  Growl.  That threw a wrench in not only my plans, but also the plans of many of my partners.  I had to find a replacement database as soon as possible so I and others could continue to cash out.


By this time, we also had access to the Texas Driver License database.  We were using the database to create driver licenses with correct data, identity theft, bank fraud, and more.  We started using it to open bank accounts as well. 


And then we found the California State Death Index.


Wow.


At the time, the index wasn’t online.  You had to buy it on a set of CD-ROMs.  The information on the database?  Names of every person who had died in the state of California up to present.  Info included?  Name, Social Security Number, Date of Birth, Mother’s Maiden Name, Etc.


By this point I had gotten pretty good at creating new identities and knew a good deal about how identity on a government level worked.


I knew that the federal government didn’t access state databases.  I also knew that the federal government didn’t know someone was dead unless someone had filed for a Death Benefit through the Social Security Administration on behalf of the deceased person.  Prior to 1998, it took the family of the deceased to file the benefit.  After 1998, the hospital, funeral home, etc., would file for the benefit instead of the family.


Meaning?  Meaning that people who had died 1998 and prior rarely had the death benefit filed—the family was too distraught to file it, or simply forgot to file it.  Meaning?  Meaning that to the Federal Government all those people still appeared as alive.


I was setting up and selling bank accounts with the information at the time.  I was also reading all I could about potential ways to use the information of dead people to commit fraud.


The first idea was wondering if I could use dead people’s information to apply for social security benefits.  Find someone who, if alive, would be eligible to receive Social Security.  Apply for benefits, collect a monthly check.  Sure, the dollar amounts per victim weren’t that high, but file for 1000 people and collect monthly benefits on 1000 dead people and no one to complain?  A lot of profit there.


Well, that didn’t work.  While the federal government didn’t know they were dead, the social security administration did know the SSN hadn’t been used in a while.  As such, they requested an in-person interview to qualify for benefits.  Crash and burn there.


The next idea?  I wondered if I could apply for a tax refund using the information of dead people.  I researched the tax refund process for a couple of weeks, learning all I could about the reporting cycle, filing methods, fraud flags, etc.  I even read all the criminal cases I could find about people filing fraudulent refunds. 


I filed a return as a test.  The victim’s name?  Joshua Kaplan on the California Death Index.  I ran his SSN through an online Social Security Death Index to verify he had never had the Death Benefit claimed for him.  I set up a NetBank Account in his name.  I signed up for an EIN Directory, downloaded Payroll software.  And I filed a fraudulent return.  10 days later $3600 was deposited in the Netbank account.


Oh. Happy. Day.


I got to the point where I could file a return once every six minutes.    I did that eight hours a day, 3-4 days per week.  The rest of the time I spent taking road trips to cash out and setting up bank accounts to receive the stolen funds.


It got to the point I couldn’t open bank accounts fast enough to receive the stolen money.

How much stolen money?  It wasn’t uncommon for me to withdraw $160,000 a week.  The ability to file fraudulent taxes ran from mid-January to mid-October.  Yeah, a lot of stolen money.


What did I do?  I resorted to prepaid debit cards.  Then, they were marketed as payroll cards.  I could easily order 200-400 per week and have the returns deposited to the cards.  Withdrawal was just as easy.  As such, I also became the first person to introduce prepaid debit cards in cybercrime communities.


Of course, readers of mine and people who have seen me speak, or people who have read about me in the news, or in the book, Kingpin, know I was arrested.  They know the Secret Service hired me because of my skill set and knowledge of cybercrime.  They also know I continued to break the law while working for the Secret Service, that I then went on a cross country crime spree, that I was captured, sent to prison, escaped from prison, was captured again, and served out my time.


They also know my path to redemption, to becoming reformed, was a long process and I give most of the credit to my wife, my sister, and members of the FBI, Identity Theft Resource Council, Cardnotpresent.com, and more.  I’m grateful for the help of others.  I wouldn’t be here today without them.


This Tax Refund Identity Theft, though.  Geez.  Did it get popular.  When I was doing it, I also filed on living people.  It was easy enough to steal someone’s identity and file taxes under their name.  The only concern then was making sure I filed the return before the legitimate person did.  The majority of people didn’t file until sometime in March, so it was easy pickings.


I started doing that type of fraud in late 2002, early 2003.  Until 2012, the fraud remained exactly as described.  The only thing a criminal needed was a name, DOB, SSN.  He could use any EIN number.  He could get any number of prepaid debit cards to deposit the return to.  He didn’t need W-2s.  He didn’t need proxies.  He didn’t need much of anything to be able to steal massive amounts of money.


Beginning in late 2011, the IRS began to shut down the ability of filing fraudulent returns using dead people.  A criminal could still get some returns through, but the success rate dropped from 80% to under 10%.


Dark days, indeed.  So dark, that fraudsters across the planet decided to stop committing crime, went out and got legal jobs, enrolled in school, and became forces of good for their communities.


Ok.  That didn’t happen.  You see, cybercrime is a career.  It isn’t a job.  It isn’t a hobby.  It is a career.  The guys who are good at it aren’t going to stop, get a job and start flipping burgers for a living.  There is too much money involved.  Shut them down in one area and they find another path to take.


The path for tax fraud?  Fraudsters went to directly targeting living folks.  The info was there.  It was easy enough.  Initially, the only thing a fraudster needed to do was file before the victim.


Over the past few years, the IRS has gotten better at protecting people against this type of fraud.  There have been serious mistakes along the way.  They left open the door allowing criminals to pull several million tax transcripts a few years ago.  Then they plugged that hole, but crooks were able to pull the filing information from the Financial Aid for Students website, FAFSA, for a few months.  There have been other errors as well.  But security is getting better, in many respects.  Today, a newbie cybercriminal hoping to strike it rich doing tax returns?  They usually starve to death first.


Still, for an expert, Tax Return Identity Theft is still a very lucrative crime.

Now, to engage in this type of crime, a crook MUST have the W-2 or the Tax Transcript.

So how does one get that?


The government system is set up on KBA, Knowledge Based Authentication, questions.  You go to access the transcript and you are asked a series of questions that only the actual person should know.  How effective are KBA questions?  Not very.  As a crook, I can easily pull someone’s SSN, DOB, and address history for $2.90.  From there, I can pull unlimited background checks for $16 per month, then I can pull the credit report—free.  Or I can pay someone a small amount of money to pull the information for me.  That information tends to be most of the answers I need to answer a variety of KBA questions. 


Unfortunately for crooks, some of the KBA questions the Feds ask are pretty detailed.  So detailed that most crooks tend to go another route.  (Well, another route until we start to see the Equifax breach data being sold.  Then it’s game over for all KBA.  The Equifax info answers all KBA questions, allowing a crook to take over any account he chooses.  So far, it hasn’t been sold, but it is coming.)


The easier path for now?  Acquiring the W-2.  How easy is it to get a W-2?  Stupid easy. 

Phishing.  92% of every breach begins with a phishing attack.  Why?  Because it is easier to ask for information than to take it by brute force.  Nowhere is it easier than sending a phishing email to a payroll dept, pretending to be some higher up, and asking for W-2 data on a load of employees.

Spoofing a phone number and calling in to payroll to ask for W-2 info or to have W-2 sent to an alternate address.

Stealing mail.

Someone working in payroll looking to make some extra cash by using the W-2s themselves or selling them on the black market.

Various other Stupid Easy methods.


A crook gets the W-2 and then files before the actual person.  Funds are direct deposited to a bank account or a prepaid debit card.


Profit potential?  Large.


Ease of crime?  Stupid easy.


What can be done to stop it?


Not much.


First, your data is already out there.  You aren’t in control of it anymore. 


Your W-2?  Easy enough for a crook to get.  That isn’t likely to change soon.


All those suggestions about what you can do to protect yourself from this type of fraud?


File Taxes Early

Review Credit Report

Don’t Give Out Info

Check SSA Earnings

Install Antivirus and Firewall

Change Passwords


Effectively useless.  The only one that matters for tax refund fraud is filing early.  That’s a problem when you consider fraudsters file day one, if not before.


Certainly, people should—


Freeze the Credit of Everyone in the House

Monitor All Accounts and Place Alerts

Use a Password manager


Those things will NOT stop tax fraud, but they do go a long way toward protecting someone against a variety of other crimes.


Tax Fraud solutions?  A few things need to be done.  And, unfortunately, they are out of the hands of consumers.


First, a move has to be made away from KBA questions.  As mentioned earlier, as soon as the Equifax data starts to be sold—and it will—crooks everywhere can take over any account based on KBA.


Next, groups, companies, and organizations who house tax information need to practice strong security and train their employees on phishing, spoofing, and other techniques of stealing information.


And finally, those same targets should look into a variety of companies working on solutions to this problem.  There are several companies focused on countering this type of fraud.
