Tax-refund fraud is expected to soar again this tax season, and hit a whopping $21 billion by 2016, from just $6.5 billion two years ago, according to the Internal Revenue Service.
And the problem—which the agency admits is growing quickly—is compounded by an outdated fraud-detection system that has trouble identifying many attempts to trick it.
"The flaws in [the IRS'] system are so basic," said Akli Adjaoute, founder and CEO of artificial intelligence firm Brighterion.
"The whole system is a disaster," Adjaoute said.
One of the main reasons for the rapid growth is that it takes so little to file a false return—just your your name, date of birth and Social Security number. (Perhaps not coincidentally, this was among the information taken in last week's huge hack on health insurer Anthem. See "What Anthem breach victims need to do now.")
The IRS is well-aware of the magnitude of the problem. But budgetary constraints and legal mandates have created a system where it is often unable to follow up on the red flags that its system throws up until after a refund check has been cut and sent.
The agency does, of course, look for certain signals in filed returns, and for obvious reasons won't discuss specifically what they are, said a spokesperson.
Here's a conspicuous flaw in the system as currently set up: To file a tax return electronically, all someone needs is a name, date of birth and an SSN. The IRS accepts tax filings as soon as Jan. 1, but employers aren't required to submit correct employment information to the agency until March, by which time roughly half of all refunds have been paid out. (For that matter, the IRS doesn't begin matching employer-submitted data to tax returns until the summer.)
By law, the tax-refund system as it is currently constituted amounts to a "pay first, ask questions later" system, said Victor Searcy, director of fraud operations at IDT911, an identity protection and risk services firm in Scottsdale, Arizona.
In other words, an imaginative crook in possession of the three basic items of a person's identity could make up fake W-2 information and submit it, and get the money within 30 days—the amount of time the law says that the agency must refund tax filers.
Some obvious red flags—like multiple checks being sent to one address, or multiple deposits being sent to one account or one debit card—are detected, but often refund checks are mailed to those accounts before they're followed up on within the agency, said Searcy.