Tax refunds have turned into a gold mine for cybercriminals, who each tax season unleash a slew of scams and phishing expeditions aimed at claiming billions in phony refunds.
In 2013 alone, the Internal Revenue Service estimated that it paid out $5.8 billion in fraudulent refunds, even as it prevented $24.2 billion in payments from going to criminals.
Could a selfie be the answer to curbing this multibillion-dollar fraud problem?
Some state tax commissioners think so. They are implementing or testing software from a Billerica company that verifies tax filers by having them take a selfie, which is compared with the photo on their driver’s license.
Traditional information used to verify people online, such as passwords and Social Security numbers, has been stolen and compromised through multiple data breaches and is no longer reliable, said Mark DiFraia, a senior director at MorphoTrust USA in Billerica, a subsidiary of Safran SA, a French defense company.
The company, which also handles the PreCheck program for the Transportation Security Administration and produces most of the driver’s licenses in the United States, expects more agencies to adopt photo and biometric identification systems.
“Everybody is trying to move transactions online, bring transactions to the Internet,” DiFraia said. “But they can only get there if they trust you are who they think you are.”
This month, the Alabama Department of Revenue announced it will roll out MorphoTrust’s mobile phone application to verify tax filers by the end of this year. Revenue departments in North Carolina and Georgia have received federal grants to test the app for more widespread use.
Massachusetts has not signed up with MorphoTrust, but the state Department of Revenue is continually looking at new technologies and strategies to prevent fraud, officials said. Last year, the state Department of Revenue stopped $26.3 million in questionable refunds.
“It’s a huge problem to solve,” said Amy Pitter, a former state revenue commissioner and now chief executive of the Massachusetts Society of Certified Public Accountants.
Massachusetts and other states now ask filers who they suspect may be fraudulent to take a three-minute quiz. The test seeks to verify their identities by asking about the cars they have driven in recent years and the places they have lived in the past 25 years.
Some states ask for a driver’s license number and the date it was issued on the tax return.
Tax-preparation companies have also increased their security precautions. After state tax commissioners raised concerns about fraudulent filings in 2015, Intuit, the maker of TurboTax, required users to provide multiple forms of identification.
“Our goal is to legitimatize the tax return as soon as it hits our system,” said Julie Magee, Alabama’s revenue commissioner. “It’s just unbelievable how we’ve taken a government transaction, a tax refund, and we’ve allowed the criminals of the world to hijack it. And it’s wasting billions and billions of dollars.”
The MorphoTrust eID app will be voluntary for Alabama tax filers because some residents may not have a license or feel comfortable with the technology or sharing their information, Magee said. The state is spending $250,000 annually to subscribe to the MorphoTrust program, but it will also continue using other filters.
Those who want to participate have to download the app, take a photo of the front and back of their driver’s license, and snap a selfie. MorphoTrust sends that information to the state agency that issues drivers’ licenses to verify the identity of the filer, using facial-recognition software along with information pulled from the barcode on the license.
Once the user is verified, MorphoTrust sends a two-dimensional barcode, called a QR code, to the phone and notifies the state tax department the filer is enrolled.
The tax filer uses that code to log into the state’s revenue department website. When a tax return is filed in his or her name, the participant gets an alert via the app and is asked to verify the identity by taking another selfie.
“It’s almost like you’ve put a credit lock on your credit account,” DiFraia said.
The company ensures that the limited data it keeps on filers are stored in multiple locations, making it more difficult for cybercriminals to attack, he said.
Tax experts said the app could help reduce tax-refund fraud around the edges, but the problem is so massive that it will ultimately require a much more comprehensive solution.
“You get a feeling it’s a game,” Pitter said. “All the good guys sit around the table and say they have a fix, and then all the bad guys sit around the table and try to figure out how to circumvent it.”