TurboTax fought back on Monday against allegations it has been knowingly letting cyber crooks file false tax returns, making millions in the process.
“These allegations are without merit and are based on these individuals’ misunderstanding of the facts and their mischaracterization of our business,” said a TurboTax blog post.
The ability to rapidly file taxes electronically and generate sham refunds before the feds notice is an increasingly lucrative business for cyber criminals. Internal Revenue Service (IRS) data reveals almost two million suspected incidents of electronic tax fraud in 2013, up from just under half a million in 2010, according to The Wall Street Journal.
Security blog KrebsOnSecurity reported on Sunday that two former security employees at Intuit believe the company is turning a blind eye to this type of flagrant online tax fraud because it generates big business.
“The reason fraudsters love this system is because they don’t even have to use stolen credit cards to do it,” said Robert Lee, a security business partner at Intuit’s consumer tax group who left the company in July. “What’s really going on here is that the fraud business is actually profitable for Intuit.”
Lee said Intuit refused to implement basic security policies to reduce cyber fraud. It allowed individuals to reuse the same Social Security number when filing taxes from different TurboTax accounts, and it didn’t stop one account from repeatedly filing tax returns.
“If I sign up for an account and file tax refund requests on 100 people who are not me, it’s obviously fraud,” Lee said. “We found literally millions of accounts that were 100 percent used only for fraud. But management explicitly forbade us from either flagging the accounts as fraudulent, or turning off those accounts.”
Shane MacDougall, a principal security engineer at Intuit until last week, has made similar allegations. He resigned to file an official whistleblower complaint with the Securities and Exchange Commission, according to KrebsOnSecurity.
In his complaint, MacDougall said management openly refused to reduce fraud because it would “hurt the numbers.”
Intuit strongly rebuffed the claims.
“Any suggestion that Intuit or any of its leaders made decisions to sacrifice customer security for financial gain doesn’t hold water,” Intuit said in its Monday blog post.
The company said it had hired “outside counsel” to review TurboTax executives' emails and documents after learning of the accusations.
“That review did not yield a single example where a deliberate decision was made to sacrifice customer security and privacy for financial gain,” Intuit said. “Because it doesn’t happen.”
There’s little financial incentive for the company to encourage individuals to file dozens of tax returns, Intuit continued.
“Intuit does not get paid through the refund transfer process unless the IRS accepts the return as valid and actually issues a tax refund,” it said.
Both the Senate Finance Committee and House Ways and Means Committee are investigating the overall spike in electronic tax fraud. Hearings on the topic are expected next month.