Although Benjamin Franklin stated that the only two things that are certain in life are death and taxes, contemporary cyber criminals repeatedly attempt to deny the truthfulness of this proverb by hacking electronic systems containing tax-related information.
The purpose of this article is to discuss the most common tax evasion hacks. More specifically, the article will examine tax refund fraud using stolen tax information (Section 2), hacks of cash registers (Section 3), and unlawful modification of tax records (Section 4). Finally, a conclusion is drawn (Section 5).
2. Tax refund fraud using stolen tax information
The U.S. Internal Revenue Service (IRS) anticipates that more than 70% of the U.S. taxpayers will receive tax refunds in 2016. In 2015, the average refunded amount was USD 2.797. U.S. taxpayers may choose to receive their tax refunds by using one of the following three methods: (i) a direct deposit to taxpayer’s bank account; (ii) a check mailed to taxpayer’s address, and (iii) having the refund applied to the subsequent tax year. The refunds from electronically filed returns come in about three weeks.
By obtaining unauthorized access to taxpayers’ personal financial information, hackers can receive a large number fraudulent tax refunds. For example, in 2015, criminals stole from the IRS personal financial information of more than 100.000 people. The hackers exploited a security vulnerability in the IRS online service “Get Transcript”. The service allows taxpayers to download a large number of tax forms, such as tax forms related to college financial aid and mortgage applications. To obtain personal information submitted through the “Get Transcript” service, the crooks used previously stolen U.S. taxpayers’ sensitive information, such as physical addresses, birthdays, and social security numbers. According to the IRS Commissioner John Koskinen, the attack used sophisticated schemes. In this regard, he said: “We’re dealing with criminals with a lot of money and using expensive equipment and hiring a lot of smart people.” The IRS believes that the breach originated in Russia.
It is worth mentioning that the IRS is constantly criticized for insufficient protection of taxpayers’ data. For example, in 2009, the Government Accountability Office (GAO) released a report outlining several issues related to IRS’ handling of taxpayer data. The report concluded that: “information security weaknesses-both old and new-continue to impair the agency’s ability to ensure the confidentiality, integrity, and availability of financial and taxpayer information. These deficiencies represent a material weakness in IRS’ internal controls over its financial and tax processing systems“. The information security loopholes identified by the GAO include, but are not limited to, (i) weak password protection policies, (ii) the possibility to access sensitive data (e.g., passwords and user IDs) by any user in IRS’ networks, (iii) and inadequate logging of security events.
The IRS is not the only target for tax refund fraudsters. Numerous other finance-related institutions are targeted for tax return hacks, including accounting firms, providers of payment services, and credit institutions. By way of illustration, four major U.S. accounting firms suffered from the theft of more than 1.000 tax filing declarations in 2011. The cyber fraudsters who committed the theft used the stolen information for submitting fraudulent tax refunds and depositing them in reloadable payment cards registered in the name of the victims.
3. Hacks of cash registers
By hacking cash registers and manipulating their memory, fraudsters can avoid payment of various taxes, e.g., income tax, VAT, and sales tax. A study conducted by the Organization for Economic Cooperation and Development (OECD) reveals that, by using unlawful sales suppression, Canadian restaurants alone avoid taxes amounting to USD 2.4 billion per year.
The hacks of cash registers are usually performed through employing technologies known as zappers or phantom-ware. Zappers are physical devices that allow crooks to prevent sales transactions from appearing on business’ financial records. Phantom-ware is software which creates virtual sales terminals. While a zapper is more likely to be placed on the server in a point-of-sale system, phantom-ware most often inhabits stand-alone cash registers. The sophistication of zappers and phantom-ware is such that these systems can bring inventory and employee time records into line with the deletions. According to Boston University Professor Richard Ainsworth, zappers are “nearly impossible to detect” when installed properly.
To illustrate how zappers and phantom-ware work, we will discuss two cases, namely, a U.S. case involving Stew Leonard’s Dairy (Section 3.1) and a Dutch case concerning café Dudok in Rotterdam, the Netherlands (Section 3.2). Next, we will discuss the measures for prevention of hacks of cash registers (Section 3.3).
3.1 Stew Leonard’s Dairy case
This case is considered to be “[t]he largest criminal tax case in the history of Connecticut.” Stew Leonard’s Dairy, a Connecticut grocery chain, plays the main role in the case. Stew Leonard’s Dairy used zappers to skim an estimated USD 16 million in receipts over a period of ten years. The cash was physically relocated to St. Martin, an island in the northeast Caribbean. According to the Second Circuit Court, to conceal the fraud, the defendants used software that altered the store’s sales data to account for the skimmed cash. The software did not leave any audit trails indicating the modifications of sales data. The Connecticut Superior Court explained the operation of the software as follows: “As an example, the program was designed to say that today’s criteria for the sale of cucumbers would be 50 units. If more than 50 units of cucumbers were sold, the excess was diverted into the Equity Program. The Equity Program scanner went through every single item that was sold that day. The amount diverted was spread over a wide spectrum of products. Some calculations amounted to pennies per item.”
3.2 Café Dudok case
The Dutch tax authorities found that the café Dudok based in Rotterdam uses a cash register program for reducing business turnovers. The program allowed Dudok’s employees to delete receipts through hidden software functionality. Such option was neither officially described in the manual accompanying the cash register program nor included in the regular user interface. The receipts that were deleted through the hidden software functionality were removed from the cash register permanently. Therefore, the owners of the café were able to reduce their tax dues by lowering the amount of generated income. The District Court of Rotterdam found that the existence of such unofficial function is a sufficient indicator of a tax fraud. The reasoning of the court follows: “In view of the special characteristics of the hidden option and the existence of the program’s other features for making adjustments, the court cannot imagine any other purpose for the hidden option than the illegal manipulation of turnover figures. The court is therefore firmly convinced that the defendant, as the seller, was aware of this. By selling the software to a catering establishment, the defendant knowingly and willfully accepts the considerable chance that the buyer will use the program to delete turnover to conceal it from the Internal Revenue Services, with all associated tax consequences.”
3.3 Measures for prevention of hacks of cash registers
The measures for prevention of hacks of cash registers can be divided into three categories, namely, mandatory certification of cash registers, audits of cash registers, and insertion of smart cards in cash registers. Below, these three categories are examined in more detail.
Mandatory certification of cash registers
By requiring the taxpayers to certify their cash registers, tax authorities will ensure that the certified cash registers are not affected by phantom ware and zappers. For example, the persons responsible for the certification can calculate the checksum value for the object code of the firmware installed on the certified cash registers. Thus, they will be able to find out if the object code is modified after the certification of the cash register.
Audits of cash registers
Comprehensive audits of the recordkeeping systems of businesses may reveal the presence of phantom ware or zappers. A comprehensive audit focuses not only on the information in the cash registers, but also on employment taxes, consumption taxes, and income taxes.
Insertion of smart cards in cash registers
By inserting critical data from cash registers on smart cards which are securely embedded in the cash registers, tax authorities will have access to modified and deleted transactional information. One of the advantages of this solution is that the governmental authorities can conduct remote audits, e.g., the data from the smart cards can be sent to the tax authorities by email. It is worth mentioning that the data on the smart cards is encrypted. Thus, the users of the cash registers are unable to modify it.
4. Unlawful modification of tax records
Unlawful accessing, stealing, and deleting of financial information are not the only methods used by cyber criminals that specialize in the field of tax evasion hacks. Hackers may also modify the information that is stored in the database of the tax authorities. For example, fraudsters hacked the system of the Uganda Revenue Authority (URA) and fraudulently facilitated the customs clearance of 200 vehicles. The hackers were arrested in a car that was located in close proximity to the URA premises while committing the hack. The crooks had laptops connected to URA’s network.
Ethical Hacking Training – Resources (InfoSec)
The attack on URA’s Automated System for Customs Data (ASYCUDA) is not the only attack on customs’ system aiming to modify governmental tax records without authorization. Similarly, the Nigeria Customs Service (NCS) was hacked by fraudsters who used stolen passwords of customs officers. As a result of the hack, the government of Nigeria lost billions of Naira (the currency of Nigeria). To increase system security and prevent future cyber-attacks, the NCS employed biometric systems. From 2012, Nigerian Customs agents use biometric cards for identification and performance of their operations. It should be noted that, in 2014, Nigeria introduced biometric national identity cards. By 2019, all Nigerians will be obliged to have biometric national identity cards containing (i) information about ten fingerprints, (ii) a facial photo, and (iii) an iris capture.
Payment recording systems and systems processing personal information about millions of taxpayers are increasingly attractive targets for cyber criminals. In order to decrease the number of tax-evasion hacks, tax authorities need to enhance information security awareness in the following areas: (i) identification of information security vulnerabilities which may be used for conducting such hacks; (ii) elimination of the identified information security vulnerabilities; and (iii) creation and implementation of comprehensive information security programs on the basis of the most advanced information security standards.
- Ainsworth, R. T., ‘Electronic Tax Fraud-Are There ‘Sales Zappers’ in Japan?’, Boston University School of Law & Economics Paper 08-31, 2008. Available at http://www.bu.edu/law/workingpapers-archive/documents/ainsworthr102708.pdf .
- Ainsworth, R.T., ‘Zappers & Phantom-Ware: A Global Demand for Tax Fraud Technology’, Social Science Research Network, 2 June 2008. Available at http://papers.ssrn.com/sol3/papers.cfm?abstract_id=1139826 .
- Bagala, A., ‘How hackers accessed URA system to defraud Shs2.4 billion’, Daily Monitor, 25 October 2015. Available at http://www.monitor.co.ug/News/National/How-hackers-accessed-URA-system-to-defraud-Shs2-4b/-/688334/2928242/-/item/1/-/1c2pl/-/index.html .
- Becker, B., ‘IRS chief: Hackers seek fraudulent returns in 2016′, The Hill, 6 February 2015. Available at http://thehill.com/policy/finance/243734-irs-chief-criminal-tax-scheme-focused-on-next-year .
- Collins, K., ‘The IRS is using a system that was hacked to protect victims of a hack—and it was just hacked’, Quartz, 1 March 2016. Available at http://qz.com/628761/the-irs-is-using-a-system-that-was-hacked-to-protect-victims-of-a-hack-and-it-was-just-hacked/ .
- ‘Customs suspends officers over hacking of data system,’ Vanguard, 13 April 2011. Available at http://www.vanguardngr.com/2011/04/customs-suspends-officers-over-hacking-of-data-system/ .
- District Court of Rotterdam, LJN: AX6802 (Jun 2, 2006). Available at http://zoeken.rechtspraak.nl/resultpage.aspx?snelzoeken=true&searchtype=ljn&ljn=AX6802 .
- Frates, C., ‘IRS believes massive data theft originated in Russia’, CNN Politics, 5 June 2015. Available at http://edition.cnn.com/2015/05/27/politics/irs-cyber-breach-russia/.
- Geuss, M., ‘MasterCard-backed biometric ID system launched in Nigeria’, Ars Technica, 3 September 2014. Available at http://arstechnica.com/business/2014/09/mastercard-backed-biometric-id-system-launched-in-nigeria/ .
- ‘Information Security. Continued Efforts Needed to Address Significant Weaknesses at IRS’, United States Government Accountability Office, 2009. Available at http://www.gao.gov/new.items/d09136.pdf .
- ‘IRS Ready to Start 2016 Tax Season; Encourages use of IRS.gov and e-File; Works with States, Industry on Identity Theft Refund Fraud’, U.S. Internal Revenue Service, 14 January 2016. Available at https://www.irs.gov/uac/Newsroom/IRS-Ready-to-Start-2016-Tax-Season-Encourages-use-of-IRS-gov-and-e-File-Works-with-States,-Industry-on-Identity-Theft-Refund-Fraud .
- Kiyonga, D., ‘Uganda Revenue Authority hackers jailed 12 years’, The Observer, 4 April 2013. Available at http://observer.ug/business/38-business/24589–uganda-revenue-authority-hackers-jailed-12-years .
- McCoy, K., ‘Cyber hack got access to over 700,000 IRS accounts’, USA Today, 26 February 2016. Available at http://www.usatoday.com/story/money/2016/02/26/cyber-hack-gained-access-more-than-700000-irs-accounts/80992822/ .
- ‘Most Recent IRS International Hacking Reveals Vulnerability’, Procedurally Taxing, 28 May 2015. Available at http://www.procedurallytaxing.com/most-recent-irs-international-hacking-reveals-vulnerability/ .
- Pagliery, J., ‘Criminals use IRS website to steal data on 104,000 people’, CNN Money, 26 May 2015. Available at http://money.cnn.com/2015/05/26/pf/taxes/irs-website-data-hack/ .
- Pauli, D., ‘Businesses use fraud software for tax scam’, IT News, 8 April 2013. Available at http://www.itnews.com.au/news/businesses-use-fraud-software-for-tax-scam-339060 .
- ‘URA Computer System Hackers Nabbed,’ Uganda Revenue Authority, June 2012. Available at https://www.ura.go.ug/download/CGMS/hackers_article.pdf .
- Vijayan, J., ‘IRS Taxpayer Data is Insecure’, PC World, 18 January 2008. Available at http://www.pcworld.com/article/157895/irs_data_insecure.html .
- Zambito, T., ‘Bulgarian hacker admits role in $6M IRS refund scheme, feds say’, NJ.com, 6 July 2015. Available at http://www.nj.com/news/index.ssf/2015/07/bulgarian_hacker_admits_role_in_6m_irs_refund_sche.html .
Rasa Juzenaite works as a project manager in an IT legal consultancy firm in Belgium. She has a Master degree in cultural studies with a focus on digital humanities, social media, and digitization. She is interested in the cultural aspects of the current digital environment.