It’s tax season again – especially for fraudsters who want to get a jump on submitting fraudulent tax returns. They submit them early before the legitimate tax payers do and they result in FIs receiving fraudulent funds in the form of an in-bound ACH payment. And despite increased efforts by the IRS to thwart them (see recent Krebs on Security article), this is just too lucrative of a scam for the fraudsters to go down easily and they have repeatedly demonstrated their creativity and perseverance in figuring out how to bypass security measures. Plus there’s last year’s hack of the IRS’ own system.
The IRS continues to rank identity theft tax refund fraud as one of it’s top challenges – it is #3 on their 2015 “Dirty Dozen” list of tax scams. And while it’s the IRS that takes the loss, RDFIs are required to report any suspicious credit activity and notify the government of any misdirected tax funds and return the credit entry to the IRS.
Impact on Financial Institutions
Under Title 31 Code of Federal Regulations, Part 210, RDFIs are required to notify the government of any misdirected tax funds and return the credit entry to the IRS. In addition, the Bank Secrecy Act (BSA) requires financial institutions to detect and report any suspicious credit activity.
So, while financial institutions are not in the direct line of fire for financial loss, they have compliance requirements to watch for and report transactions that would result from fraudulent tax refunds.
Description of the Scheme – Here’s how the scheme has typically worked:

1. The criminal obtains personally identifiable information (PII) on a taxpayer, such as their name, address, contact information, and Social Security Number, all of which has been exposed in the seemingly endless data breaches.
2. The criminal uses obtained PII to file a fraudulent tax return and claim a refund. Often he uses the same return and supporting documentation to file many fraudulent returns at the same time, simply changing personal details about the taxpayer.
3. As part of the filing, the criminal requests that the money be deposited directly into a bank account under his control or he has the funds loaded onto a prepaid debit card. The scheme does not require that the refund is deposited into the taxpayer’s own account, so the criminal does not need to have compromised an existing account, he only needs to create a new one.
4. The criminal withdraws the funds as soon as the tax refund has been credited to his account.

How to Detect Fraudulent Tax Refunds
This scheme will result in multiple suspicious credits to deposit accounts or to debit cards ­– in some cases hundreds of deposits to the same account – as criminals file many fraudulent returns at once. Suspicious characteristics could include large refunds to new accounts, identical deposit amounts to multiple accounts, or multiple deposits from the U.S. Treasury to the same account.
Also, many times the name on the tax return, i.e. the name under which the refund is issued, does not match the name on the deposit account or the debit card.
Guardian Analytics ACH ODFI & RDFI Fraud Detection monitors ACH receiving files to detect unusual or suspicious patterns between originators and recipients, high-velocity deposits to the same account, or mismatches between the name in the ACH credit and the name on the account. Guardian Analytics ACH ODFI & RDFI Fraud Detection detects unusual behavior by comparing activity not only to the account holder’s own historic behavior, but also to the behavior of the population as a whole, and to known fraudulent activity. It can detect suspicious credits without time consuming manual reviews and without writing and maintaining rules that result in a high volume of false positives.
Is this the year you’re going to step up to detecting these fraudulent deposits? We can help.