The IRS and taxpayers themselves have been the targets of a wide range of attacks and scams for many years, most of which involve some variety of identity theft. The fraudsters behind these operations often go unpunished, but in a rare victory, the U.S. government has convicted and sentenced to nearly four years in prison a Bulgarian who was involved in hacking a tax accounting firm and using clients’ stolen data to get fraudulent tax refunds.
The scam that Vanyo Minkov was running is one that isn’t as well-publicized as the ones that involve scammers impersonating IRS agents over the phone and pressuring victims into transferring money for fictional unpaid taxes. That scheme has been around for many years and there are several variations of it, including one in which callers ask victims to confirm some of their personal information on their tax returns and then use the data to take over victims’ identities and steal money.
But Minkov’s scam is a different one and involves targeting tax accounting firms rather than individual taxpayers. The attackers would compromise the network of an accounting firm and then steal clients’ personal data and use that to file fake tax returns and collect fraudulent refunds. The scope of the scam is rather large, with the United States Attorney’s Office putting the amount of stolen money at $6 million.
Minkov was sentenced last week to 46 months in prison for his part in the scam, and ordered to pay more than $2.7 million in restitution. There have been persistent rumors in the security community for many years of organized groups that are running scams like the one Minkov was involved in. Some of these attackers have targeted not only accounting firms, but the IRS itself, along with other federal agencies and used the data to file huge numbers of fake tax refunds in order to collect refunds. The $6 million scheme run by Minkov would represent just a tiny piece of the much larger scam that has been active for several years.
These scams are effective for a number of reasons, namely the easy access attackers have to large caches of personal data for U.S. citizens. The unending parade of data breaches that has marched along for the last decade has provided a fraudsters with a massive pool of data from which to work. And, often, the scams are discovered only after taxpayers file their legitimate returns and the IRS discovers there are duplicates. By that time, the refund already has been issued to the scammers and the taxpayer is out of luck.
The risk of discovery and prosecution is relatively low for the scammers, as there are many layers of insulation between the person doing the actual hacking and the person getting most of the money that results from the scheme.