ID theft puppet master convicted of huge tax refund scam

The kingpin of a far-reaching identity theft scheme that targeted 16- and 17-year-olds, prison inmates and US soldiers – including some deployed to Afghanistan – has finally been convicted after his case wound through the courts for years.

The scam, which dragged on for three years and netted $9 million worth of ill-gotten gains, involved names of fake tax-preparation businesses, tax-refund bank products such as blank-check stock, and mail-route addresses to send the fraudulent IRS refund checks to, provided courtesy of paid-off US postal workers.

The ID theft ring may have raked in a total of $9 million, but it used its victims’ identities to try to claw a whole lot more – $26 million – out of the US Internal Revenue System (IRS).

The US Department of Justice (DOJ) on Thursday announced that the guy pulling the strings – William Anthony “Boo Boo” Gosha III, of Phenix City, Alabama – had been found guilty of one count of conspiracy, three counts of wire fraud, 22 counts of mail fraud and 25 counts of aggravated identity theft.

According to the DOJ, between November 2010 and December 2013, Gosha ran the huge identity theft ring with his co-conspirators, Tracy Mitchell, Keshia Lanier, and Tamika Floyd. His cronies were all previously convicted and sentenced to prison.

In fact, Tracy Mitchell and Tamika Floyd were two of eight defendants sentenced in a related stolen identity refund fraud (SIRF) case: the DOJ announced in August 2015 that eight defendants, including Mitchell and Floyd, were sentenced to serve a collective total of more than 31 years in prison for having filed over 8,800 tax returns with the Internal Revenue Service (IRS).

Gosha’s scheme started in November 2010, when he stole IDs from inmates of the Alabama Department of Corrections. He sent the IDs on to Lanier, who used them to file bogus tax refunds. Gosha and Lanier agreed to split the proceeds, the DOJ says.

Gosha also stole employee records from a company previously located in Columbus, Georgia.

In 2012, Lanier was hungry for more ripped-off identities, so she hit up Floyd, who worked at two Alabama state agencies: the Department of Public Health and the Department of Human Resources.

Both of those jobs gave Floyd access to the personal identifying information (PII) of individuals, including teenagers. Lanier specifically asked for PII of 16- and 17-year-olds. Floyd went along with it and forked over thousands of names.

After he got the names, Gosha recruited Mitchell and her family to help file the returns. Mitchell worked at a hospital in Fort Benning, Georgia, where she had access to the PII of military personnel, including soldiers who were deployed to Afghanistan. So into the grinder went the soldiers’ IDs, and out came the sausage of yet more fraudulent tax refunds.

In order to electronically file all these bogus tax returns, Gosha, Lanier and other co-conspirators applied for several Electronic Filing Identification Numbers (EFINs) with the IRS in the names of sham tax preparation businesses. An EFIN is a number the IRS assigns to tax preparers that are accepted into the federal/state e-file program. To become an authorized IRS e-file provider, tax preparers have to submit an application and undergo a screening process.

The DOJ didn’t explain how the crooks got their hands on valid EFINs for fake tax preparers, but last month, the IRS warned tax preparers that cybercrooks are increasingly targeting tax pros to get taxpayer data so they can file fake tax returns and EFINs so they can come off as real tax preparers.

The crooks target tax pros with the same attacks they use on the rest of us. The IRS’ “Don’t Take the Bait” educational series has tips for avoiding getting targeted by spear-phishers, ransomware, and remote-access takeover attacks, for example.

With EFINs in hand, Gosha, Lanier, and their co-conspirators not only filed fake returns; they also managed to get the right kind of paper from banks to print out refund checks. The fraudsters then printed out the bogus refund checks using the blank check stock – until, that is, the banks figured out something was up and stopped their ability to print the checks.

That’s when Gosha’s gang got US Postal employees in on the scheme. They paid the employees for addresses from their postal routes, had refund checks mailed to those addresses and got the postal workers to intercept the checks for them. Gosha also funneled tax refunds into prepaid debit cards, had them sent to addresses he could access and used the prepaid cards to cash out the money.

But wait, there’s more! Besides that theft ring, Gosha had another stolen ID refund scheme going with Pamela Smith and others. In that one, which he worked from January 2010 until December 2013, Gosha sold the inmates’ IDs he stole from the Alabama Department of Corrections to Smith and others. Smith and others used the IDs to file returns that went after some $4.8 million in fake refunds, of which the IRS paid out about $1.85 million. Smith was previously convicted and sentenced to prison.

Gosha’s sentencing date hasn’t yet been set. He’s facing a maximum of 10 years for the conspiracy to file false claims, 20 years for each count of wire and mail fraud, and a mandatory minimum sentence of two years for the aggravated ID theft. He’ll also be looking at paying back the money.

Of course, we’ve all got to watch out for attempts to get our PII, which can be used to file fake tax returns in our names. But Gosha’s gang didn’t pick off individuals one by one by targeting them with spear-phishing email or the like. They didn’t have to. From the sounds of it, they had, and abused, privileged access to captive audiences: prisoners (a group that Gosha will soon be joining), soldiers in hospitals and people who have their data stored in state agency databases – a group otherwise known as “everyone.”