TurboTax Pauses e-Filings Due to High Levels of Fraud

Tax season is rife with cyber crime. It’s a trend that has existed for years and will continue to impact Americans in 2015. Tax filing software is a prime target, and last week Intuit had to temporarily pause its popular online tax filing service, TurboTax, due to a noticeable spike in fraud.

In a press release that went public on February 6, Intuit explained it took the precautionary step of temporarily pausing transmission of state e-filing tax returns. Intuit appears confident that a breach has not occurred, which appears to be confirmed by a third-party security vendor. Apparently, in response to the incident, Intuit is offering free credit monitoring and a 1-800 number with access to fraud specialists, and has turned on multifactor authentication for logins.

Given that a security breach is unlikely and that Intuit has extended its outreach to customers, the likely explanation is that compromised credentials were being used to fraudulently submit tax returns in order to siphon tax refunds.

The financial impact on TurboTax has multiple layers. Consider how much revenue any downtime might cost TurboTax, factor in any costs incurred from hiring a third-party security firm, holding special training for staff and offering free credit monitoring, and pile that on top of the standard IT security budget. It equals a pretty hefty price tag for dealing with fraud.

Odds are the actual fraudsters just purchased the identification information they needed from black market forums. The spike may have had to do with one or more groups actively engaging in a campaign at scale, as opposed to standard fraudulent activity that wouldn’t even raise alarms.

TurboTax is a unique case, as there are few organizations that offer specialized services designed to simplify the process of filing taxes in order to get tax rebates. However, phishing has diversified. In 2014 alone, phishing led to extremely private and personal data dumps, such as The Fappening, and colossal data breaches, including Target, Home Depot, Sony and JP Morgan Chase.

The moral of the story is that phishing attacks have diversified beyond finance. User credentials can be used to pilfer diverse sets of private information. Even worse, privileged credentials with root access or admin rights are also being captured and used to access secured databases.

Aside from raising awareness and improving access controls, the best way to increase your company’s tolerance to phishing attacks is to identify the phishing infrastructure that targets your brand. This can be accomplished by crawling the web and analyzing the source code of individual web pages with purpose-built machine learning methods tuned for detecting known phishing techniques.

The concept is to significantly narrow the attack surface. This makes dangerous campaigns easier to detect in near-real time. It also provides some insight into the impact a phishing campaign may be having on customer bases, which is valuable information to share with executives and board members.
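One way to turn the source of a crawled page into phishing indicators for a single brand, shown as an added example that is not RiskIQ's code or part of the original post. It uses hand-written rules in place of a trained model, and `BRAND`, `OFFICIAL_DOMAINS`, the sample page and the indicator names are all hypothetical.

```python
from html.parser import HTMLParser
from urllib.parse import urljoin, urlparse

BRAND = "examplebank"                       # hypothetical protected brand
OFFICIAL_DOMAINS = {"examplebank.example"}  # hypothetical legitimate domains
SAMPLE_URL = "http://examplebank.login-verify.test/signin"  # constructed sample
SAMPLE_HTML = """<title>ExampleBank - Sign In</title>
<img src="https://www.examplebank.example/static/logo.png">
<form action="http://collector.test/post.php" method="post">
<input name="user"><input type="password" name="pass"></form>"""

def site(url):  # naive registrable domain; production code needs the Public Suffix List
    return ".".join((urlparse(url).hostname or "").lower().split(".")[-2:])

class PageFeatures(HTMLParser):
    def __init__(self, page_url):
        super().__init__()
        self.page_url, self.text, self._form_action = page_url, "", None
        self.password_targets, self.resources = [], []

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        ref = a.get("src") or a.get("href")
        if tag == "form":  # remember where the enclosing form submits to
            self._form_action = urljoin(self.page_url, a.get("action") or "")
        elif tag == "input" and (a.get("type") or "").lower() == "password":
            self.password_targets.append(self._form_action or self.page_url)
        elif tag in ("img", "script", "link") and ref:
            self.resources.append(urljoin(self.page_url, ref))

    def handle_endtag(self, tag):
        if tag == "form":
            self._form_action = None

    def handle_data(self, data):
        self.text += data  # title and body text, for the brand-mention check

def phishing_indicators(page_url, html):
    if site(page_url) in OFFICIAL_DOMAINS:
        return []  # the brand's own pages are out of scope
    page = PageFeatures(page_url)
    page.feed(html)
    page.close()  # flush any text still buffered by the parser
    checks = {
        "brand_in_text": BRAND in page.text.lower(),
        "brand_in_hostname": BRAND in (urlparse(page_url).hostname or "").lower(),
        "password_form": bool(page.password_targets),
        "hotlinks_official_assets": any(site(u) in OFFICIAL_DOMAINS for u in page.resources),
        "credentials_posted_offsite": any(site(t) != site(page_url) for t in page.password_targets),
    }
    return [name for name, fired in checks.items() if fired]
```

Pages that fire several indicators together are the ones worth queueing for analyst review; a brand mention on its own is common on news and review sites.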

Phishing will remain a problem as long as people continue to be cavalier with their login information. However, there are new technologies on the market that can significantly lower risk in this area.

Regardless of the path you choose, hopefully these incidents have raised awareness among your organization’s group of decision makers. Be prepared to take some risks and test out new methods because simply making your brand a more difficult target could keep your company out of the news.

Published by
Peter Zavlaris
