TurboTax user hacked, gets bank account frozen after IRS refund scam: Money Matters
2018-02-11 | Source: Teresa Dixon Murray
Q: My bank account was frozen last week because someone deposited checks into my account that I knew nothing about! I went to my bank, obtained copies of the checks that were deposited and they were not even signed by me. One is a check from the U.S. Treasury for $976.10. The other is a cashier's check from Chase for $550. It appears the checks were mobile deposited. I have no idea how.
I filed a fraud claim with the bank, SunTrust. However, when I asked if the fraud department would track the phone used, as well as compare my signature with the deposits, I was told the bank would just close my account and terminate the relationship with me! In other words, the assumption is because the deposit came through the mobile app, that I did it! What's baffling is that no one has tried to fraudulently withdraw money from these deposits.
But my paycheck deposits have been frozen. I can't pay my bills. But my bank apparently isn't really interested in investigating and won't explain to me what's going on. Can you help?
K.M., Baltimore, MD
A: This is a fantastical tale that, 15 or 20 years ago, I might have had trouble believing. If there's anything I've learned, it's that bad guys have an amazing ability to find dishonest ways to get money. But I believed every word you told me and have made a lot of calls.
One detail that you mentioned in our follow-up conversations: You had just filed your income tax return through TurboTax three days before these deposits.
Indeed, the Internal Revenue Service says there's a new scam that is frightening because there's nothing we can do to stop it on the front end.
Here's how the fraud works, says IRS spokesman Luis Garcia:
Bad guys hack information on unsuspecting victims, in some cases through tax software providers or tax preparers. Among the information stolen: Bank routing number and account information.
Bad guy files fraudulent return in someone's name with a refund due.
Refund from IRS/U.S. Treasury gets deposited into the bank account of unsuspecting victim.
A couple of days later, someone involved in the scam calls the victim and poses as the IRS or a debt collector. Says a deposit was made by mistake and the consumer needs to wire the money back, and gives them the wire information. Except that it's not to the IRS /U.S. Treasury. It gives the money to the bad guys.
At some point later, the IRS realizes the deposit was fraudulent and pulls the money back out of the account. You're screwed.
In an email to you, an investigator at the U.S. Treasury said she researched the check that was deposited in your account and confirmed that the check was not issued to you. It was issued to someone else and the name and address were changed to your information and the amount was altered.
Garcia said this is an "emerging" scam and is urging tax preparation professionals to step up security and beware of phishing emails that can download software that helps thieves steal client data.
The IRS is seeing lots of cases in the last couple of weeks involving people who haven't filed their returns yet and somehow get targeted to get refunds fraudulently deposited into their accounts.
Break out the Tums. The IRS has an ominous warning: "This scheme is likely just the first of many that will be identified this year as the IRS, state tax agencies and tax industry continue to fight back against tax-related identity thieves," the IRS said in a statement. As the good guys shut down some tactics, the bad guys develop new ones.
Now, there are a few aspects of your case that break away from the basic scam the IRS is seeing. First, you had two checks deposited -- one from the U.S. Treasury, the other a cashier's check from Chase. Second, these checks apparently were mobile-deposited, not deposited in person or as an electronic deposit.
The mobile deposit component is unnerving. How could some bad guy hack your personal information, AND your bank account information AND your mobile deposit information? Oh, let's see: Let's combine an Equifax data breach with a TurboTax hack with cases we've seen of thieves hacking bank mobile apps (reports involving banks such as Chase and Wells Fargo) and hacks involving biometric sign-ins on smartphones and ATMs.
Bottom line: Just about anything is possible when it comes to identity theft, hacking and bad guys who are motivated to steal our money.
I believe your case is somehow linked to you having just filed your income tax through TurboTax three days before the nightmare started. But by no means is someone not potentially at risk even if they do their income tax return with pencil and paper (like my mom still does) and never come anywhere near a bank mobile app.
Maybe you had a virus on your computer. Or maybe some of your information was stolen through TurboTax and some was stolen through another means. That still doesn't explain how the checks were deposited. I believe that among all of the players investigating this, we'll figure it out.
At Intuit/ TurboTax, Rick Heineman, vice president of corporate communications, said it is aware of the new IRS scam but doesn't believe your case involves your TurboTax account, for a few reasons. He may or may not be correct. To TurboTax's credit, they're willing to try to help you sort this out, Heineman said. TurboTax is offering a list of tips for all consumers: https://security.intuit.com/
SunTrust clearly couldn't discuss your case with me, but said it would have the appropriate department look into why your account was shut down and get in touch with you.
I can offer a few tips to try and prevent nightmares like this for customers of any bank:
Protect your bank account information like it's your Social Security number or ATM PIN or email password. Don't store the information for your primary checking account on websites like PayPal or Amazon or other non-bank entities. Avoid giving checks from your primary account to individuals or companies such as home contractors, dog groomers, etc. that you don't know well.
Sign up for account alerts through your bank so that you're notified of every deposit, every cash withdrawal, any new payee, etc. You can choose to get these notifications by text or email.
Check your bank account every day. Make it part of your morning or evening routine.
Don't set your bank account password (either online or mobile) as something guessable or researchable, and don't use a password you use for any other site. Don't sign in to your bank account either through a laptop or your phone through an unknown network. Best bet: Stick to your personal WiFi in your home.
If someone calls you and requests that you wire them money from a supposed mistaken deposit, don't do it.
The IRS says that if an unknown deposit is made into your account, you should contact the appropriate department of your bank (ACH, automated clearing house) and have them return the deposit to the IRS or whoever it's from. I'd go to your bank branch in person; don't call customer service. In the case of an IRS refund, you should then call the IRS at 800-829-1040 (pack your patience) and explain why the direct deposit is being returned.
Finally, I frankly don't understand why SunTrust froze your account, especially without explanation. It would have made a lot more sense -- since you raised this problem to them -- that they may have frozen it temporarily to protect you from any more fraudulent deposits or possible fraudulent withdrawals. But I don't understand why it wouldn't have worked with you to transfer your money to a new account with a new number. It's inexcusable that SunTrust cut off your access to your own money without explanation.
SunTrust spokesman Hugh Suhr declined to say whether the bank was aware of this new scam but said the bank, which is the 10th-largest U.S. retail bank with $200 billion in assets and 1,300 branches mostly in the Southeast, is "constantly in contact with various agencies and industry associations to monitor trends in fraudulent activity."
Suhr offered a link to SunTrust's resource center concerning fraud and security, but it was very general and didn't include obvious bullet points for dealing with situations like yours. https://www.suntrust.com/fraud-and-security-department