It all goes to show: don’t mess with the IRS. The prison system has two new residents, after Anthony Alika, 42, and his wife Sonia, 27, were sentenced for filing fraudulent tax returns through the often-exploited “Get Transcript” site maintained by the Internal Revenue Service. In addition to their incarceration, the Alikas will each be responsible to pay restitution to the IRS.
Ultimately, Anthony is to serve 80 months in prison followed by three years of supervision upon release, in addition to paying $1,963,251.75 in restitution for conspiracy to commit money laundering. Sonia was handed down a sentence of 21 months of jail time, also followed by three years of supervision, and an IRS restitution totalling $245,790.08 for structuring cash withdrawals to avoid the required bank reporting. Each pled guilty to their charges.
These sentences were passed after the Alikas were found guilty of laundering $1 million in money stolen from the US Treasury by filing fraudulent forms, specifically income tax returns populated with data stolen from the Get Transcript vulnerability. The Get Transcript function, meant to allow taxpayers to review their past returns with clearly spelled-out information, also allowed the Alikas to obtain the data they needed to make off with their ill-gotten funds.
The Alikas, along with co-conspirators, would purchase prepaid debit cards and registered them to the identities they had stolen, before filing false returns for those identities and receiving the refunds on the prepaid cards. They would then use these cards to purchase money orders, deposit that money into bank accounts, and withdraw their loot in multiple small increments to avoid the bank reporting of the transactions.
This isn’t the first time hackers have used the Get Transcript portal, either. In May of 2015, 100,000 tax accounts were stolen and used to take almost $50 million from the IRS. This is all because the authentication requirements to access the necessary information are flimsy.
Reacting to this case, the United State Department of Justice put out a press release outlining some best practices to keep personal information and accounts as safe and secure as possible.
A tax refund criminal can’t file a false return if the return has already been filed by the actual individual who should be doing the filing. The longer a return goes without filing, the more opportunity a criminal has to file one fraudulently.
Use Strong Usernames and Passwords
This one goes for any and all online accounts, but especially for those containing information as sensitive as a tax return does. If a close family member could get pretty close to the credentials with a guess, those credentials are nowhere near strong enough.
BONUS TIP: Randomized strings of upper and lower-case letters, numbers, and (if permitted) symbols are the most secure option when selecting a password.
For more tech security information to help keep your data--and yourself--safe, keep coming back to the XFER blog.