Interview: IRS Combats Fast-Changing Cybercrime with Advanced Data, Key Partnerships – and Constant Vigilance

We are pleased to welcome Jarod Koopman, Director, IRS – Criminal Investigations (CI), for a two-part Q&A session, as part of our thought leadership series with industry experts and regulators.

Q: As we’re nearing the final phase of the pandemic, what are the top indicators or red flags of fraud you see at the IRS-CI? What are the most important data points indicating fraud has occurred?

A: IRS-CI often assists our civil operating divisions by providing insights and methodologies to build out their filters for ID theft and identifying clusters. This includes, for example, changes to electronic filing identification numbers (EFINs), mismatches between filing states/IP addresses, and clusters associated with emails.

Additionally, CI has recently seen a large uptick in cybercrime during the pandemic. With more people working remotely and being online for longer periods of time throughout the day, there has been a high volume of ransomware attacks, data breaches, remote access attempts, and phishing. The primary motivator behind these attacks is obtaining personally identifiable information (PII) and using that information to claim false benefits (EIP/stimulus/tax filings/PPP loans/unemployment insurance).

Since the information is valid data, it becomes extremely hard for the IRS to identify fraudulent filings. This is why new methods of identification and clustering are required. We look at device ID, IP addresses, physical location, time lapse between filings, etc. We continue to partner with other agencies like the Small Business Administration (SBA) and Bureau of the Fiscal Service to monitor COVID-related loans and payments to ensure proper allocation of funding.

The IRS, as a whole, has really stepped up efforts when it comes to return preparer fraud and ID theft. Our civil filters have advanced tremendously and are catching a great deal of the attempted efforts by criminals to use stolen PII for fraudulent refunds on a mass scale. We have mechanisms, automated aspects, and built-in components to screen and address issues in real-time. On the backend, the process to resolve accounts is much faster and allows victims to return to normalcy.

Identity Theft Remains Top Priority, but with a Cyber Focus

ID theft remains our priority. We’ve seen ID theft becoming more cyber-focused. Whether they’re using remote access/RDP, brute force, ransomware, cloud service hacks, or business email compromise, criminals are gaining access to networks and servers of data-rich entities – hospitals, universities, return preparers – and stealing their data. Among these methods, the common theme is the source’s vulnerability or lack of security. We do a ton of outreach trying to educate companies on proper security protocols and management. Understanding IoT and threat vectors is crucial to infrastructure and cybersecurity.

From a cybercrime perspective, we remain focused on the dark web markets, illicit exchanges and underreporting of cryptocurrency. Using our internal data sources, third-party tools and open-source intelligence, we’re able to focus on potential areas of non-compliance and determine potentially illicit activities. Working globally with our foreign partners, and domestically with the other law enforcement agencies, the government has done a tremendous job of uncovering the criminal elements tied to our growing online world.

Crime-as-service – separation between the groups operating/orchestrating the schemes – used to be one integrated, organized crime group. Although those still exist, this federated service aspect creates another challenge since the hackers aren’t necessarily tied to the money mules who don’t really interact with those calling the shots. But everyone’s getting paid, and that’s why the financial trail and tracing components become critical.

Q: How could advanced location signals beyond IP – device fingerprinting, for example – help improve the financial sector’s fraud detection capabilities?

A: I think there’s a great benefit to the financial sector in partnering with third-party companies to develop and institute advanced location signaling. Many marketing companies and other affiliated businesses are already using these tools. Whether it’s geolocation data via opt-in applications or embedded metadata in photos (such as a remote check deposit) or other mechanics, advanced location signaling provides another critical data point that gives insight into the legitimacy and validity of transactions. Additionally, knowing that certain foreign adversaries may present increased threats would allow the ability to block any specific locations or to prevent transactions from occurring when hiding behind anonymous technology, such as VPNs, Tor, and relayed proxies.

Q: What are the most common types of financial crime impacting the financial sector?

A: Our mission is to conduct the best and most effective investigations across our priority areas – tax evasion, identity theft, money laundering, organized crime, narcotics, terrorism financing, and cyber. For all those areas, there is a demand for traditional finance. Even in this increased crypto-environment, criminals still need exchanges and off-ramp capabilities.

At IRS-CI, we still see a great deal of money laundering across all aspects of fraud. This impacts the financial sector and puts more emphasis on proper Know Your Customer (KYC) and anti-money laundering (AML) components to ensure proper transactional activity. The ability of criminals to create fictitious entities, synthetic IDs and mask beneficial ownership creates a significant challenge to understand who is really behind the transactions.

To Keep Crypto from Criminals, Lawmakers Must Regulate and Collaborate

Cryptocurrency has become another mechanism used for tax evasion and laundering – but it’s not the main one. There’s a ton of legitimate use for crypto, and it provides great solutions for the financial industry, healthcare, data, and investments. But it’s important the proper framework and controls exist to prevent the use of crypto for illicit activities.

As crypto becomes more mainstream, we need to ensure adequate tax compliance and AML practices are in place. Efforts from organizations like OECD, FATF and others continue to make progress in AML, information reporting and controls over exchanges and money services businesses (MSBs). This will be crucial to compliance and stopping threats of illegal activity within this space.

The challenge occurs when exchanges have the ability to set up anywhere in the world, and sometimes within certain countries that provide lenient laws or little regulation, which allow ease of entry. From a law enforcement standpoint, we are hopeful that governments, global agencies and regulators can work together to provide some framework to capture the majority of activity in this space. This would force the criminal activity into a corner – and we would know where to look.

Stay tuned for part 2 of our conversation with Mr. Koopman next week!
