Some taxpayers spend years trying to get what's owed them after a fraudulent return has been filed, said Litan, Gartner's resident fraud expert. "And some people need that money immediately," she added.
Well-organized criminal groups mine a wide variety of sources to assemble identity-theft profiles, then sell those collections to others who generate fake tax returns. "The kind of data needed to fake a return is the kind of data stolen from Anthem," Litan said, referring to the recent breach acknowledged by one of the U.S.'s largest health insurers.
Anthem, which has 37.5 million subscribers to its health plans, is better known by the names of its affiliates, such as Blue Cross Blue Shield and Amerigroup.
"The bad guys go anywhere they can to get this data," said Litan. Prime sources include credit bureaus -- a subsidiary of credit-monitoring company Experian was hacked last year, with 200 million personal records stolen -- interceptions of mobile app log-ons, and classic phishing attacks, where consumers are duped into giving up usernames and passwords after receiving clever emails.
In fact, Intuit has posted six phishing alerts on its security page in the last three days, almost as many as for the year as a whole through Feb. 6.
Fraudsters who purchase identity portfolios, said Litan, often automate the return-generation process, spewing out huge numbers of fakes that simply overwhelm unprepared tax collection agencies. South Carolina, for example, has reportedly isolated 96,000 returns filed through TurboTax. Last Friday, the South Carolina Department of Revenue said it was reviewing a "significant number" of 2014 returns, asserted that its network had not been hacked, and blamed "issues related to third-party commercial tax preparation software."
But in 2012, the same department announced that 3.9 million tax returns had been exposed after a breach.
Fraud detection systems, which the IRS and states use to quarantine potentially fake returns, aren't sufficient to stamp out the problem, said Litan. "They use big data analytics from companies such as SAP and Palantir," she said. Intuit has brought in the latter to analyze fraud activity. "But they're all post-mortem, in that they're looking after the fact."
Those detection systems are used to create block lists to stop future fraud, Litan added.
"Tax agencies need a layered approach," she said. "They need more ID proofing, they need to get away from static information, which has all been compromised, and toward behavioral and contextual information."
Monitoring the geographic location of the taxpayer's log-in would be an example of dynamic ID proofing, Litan said, if tax collection agencies compared this year's locale to that of previous e-filed returns.
"But the criminals are getting better and better," she warned. "They're putting as much as they can together on as many people as they can."