An automated aid tool for college students allowed cybercriminals to snatch about 30 million dollars from the American government and access the data of about 100,000 citizens.
John Koskinen, the Internal Revenue Service Commissioner, told the Senate Finance Committee on Thursday that his agency noticed a hack in autumn. In September it had been found out that scammers used students’ personal information to fill out applications for loans and the “Data Retrieval Tool” automatically put the tax data into those applications. This tool belongs to FAFSA (the Free Application for Federal Student Aid) system. It is used to decide how much financial help students should get for colleges or career schools. Then the criminals filed phony tax returns using the received information. As the commissioner reported, the system processed almost 8,000 of these returns and issued $30 million of refunds.
In October the IRS warned the Department of Education that there was a possibility of system abuse by cybercriminals, but it wasn’t shut down because of its use by about 15 million people. Yet in February the agency discovered the fraudsters’ activities, and in March the automated tool was suspended, even though it was very important time for those students, who intended to qualify for loans. The suspension received quite a lot of media coverage.
100,000 accounts of those students and their parents, who started applications, deployed the Data Retrieval Tool, but then for some reason left them unfinished, were flagged. The IRS is contacting such people, as their data could be at risk, though Koskinen claimed that some of these applications are possibly legitimate. The agency delayed loans from being sent to 52,000 tax payers until they can confirm that those requests are real. The IRS blocked 14,000 other fraudulent tax refunds.
Tax season is an advantageous time for cybercriminals, if they want to gain access to tax payers’ data. In some cases criminals pose as people who work in the IRS, so that they could get information from their targets through phishing or phone scams. According to the IRS the amount of phishing and viruses grew by 400% in the tax season of the previous year. More and more scammers are phishing W-2 information in huge amounts from many organizations.
The tool of FAFSA is still disabled and not accessible online. Koskinen reported that the IRS is creating the software, which will conceal the personal tax data, so that further theft would be impossible, but it will start working only in October. Because of that the tool will be enabled only in autumn. Currently students and their relatives can still use application system on the Internet, but their tax information can be populated only manually, which requires more time.
Potential victims are advised to file their taxes before the hackers beat them to it and to request free copies of their credit reports.