A Georgia couple are in jail after admitting to a scam to file fraudulent tax returns by exploiting the Internal Revenue Service’s (IRS’s) hacking-plagued “Get Transcript” site.

According to a press release from the US Department of Justice (DOJ), a Georgia judge sentenced Anthony Alika, 42, to 80 months in prison and 3 years of supervised release.

His wife, Sonia Alika, 27, is looking at 21 months in prison, followed by 3 years of supervised release.

Mr. and Ms. Alika were also ordered to pay $1,963,251.75 and $245,790.08, respectively, in restitution to the IRS.

Anthony Alika pleaded guilty in April to one count of conspiracy to commit money laundering, while Sonia Alika pleaded guilty to one count of illegal structuring of cash withdrawals to evade bank reporting requirements.

US Attorney John A. Horn, of the Northern District of Georgia, was quoted in the sentencing press release as saying that the fraud conspiracy “featured a literal highlight reel of our current economic crime threats, including cyber intrusions, identity theft, phony tax returns and money laundering, all to the order of millions of dollars.”

“These schemes create nightmares for citizens who endure the process of repairing their credit and IRS returns, and this case reflects law enforcement’s commitment to punish these criminals and do all we can to prevent further victims.”

Principal Deputy Assistant Attorney General Ciraolo said that the couple, “driven by greed and a fast buck,” laundered more than $1 million stolen from the US Treasury in the form of bogus income tax returns, filed with data illegally obtained from the IRS Get Transcript database.

Get Transcript is a service that allows taxpayers to retrieve details of their past tax returns.

In May 2015, news came that hackers had compromised 100,000 IRS tax accounts using data stolen from Get Transcript.

Get Transcript enables taxpayers to view “line-by-line tax return information or wage and income” for a given tax year.

At the time, the IRS reported that the attackers were able to easily bypass the authentication system despite it requiring a significant amount of personal information, including the taxpayer’s Social Security number, date of birth, address and tax filing status.

As we noted then, a knowledge-based authentication system such as this is highly susceptible to fraud because the vast majority of information it’s based on remains the same throughout the taxpayer’s lifetime.

A crook can readily get much of that information from a variety of legitimate sources as well as from the dark web, where crooks go to sell data they get from other breaches.

After hackers got access to Get Transcript in that 2015 breach, they downloaded transcripts and proceeded to file bogus tax returns, fleecing the IRS for a total amount close to $50 million.

Last month, the IRS threw in the towel on another knowledge-based authentication system: that of the repeatedly hacked PIN system.

It wasn’t a surprising move, given the “additional questionable activity” it had recently seen around its electronic filing PIN tool (e-File PIN), formerly available on or by toll-free phone call.

Additional, as in, on top of 800 identity thefts that had already caused the IRS to suspend the PIN system in March 2016 (though it told taxpayers who already had an IP PIN at the time to continue to file their tax returns as they normally would).

According to the Alikas’ indictment, the couple, along with Rapheal Atebefia, 33, also of Austell, Georgia, allegedly used actual people’s information – including their names and Social Security numbers – to access Get Transcript.

Then, Anthony Alika, Atebefia and unnamed others got prepaid debit cards from stores in multiple states, registered the cards in the names of the stolen identities, filed false income tax returns using the stolen identities and the Get Transcript-derived information, and directed the IRS to deposit the tax refunds onto these cards.

They allegedly used the prepaid debit cards to purchase money orders that they deposited into bank accounts. Then, the conspirators withdrew money in amounts under $10,000, in order to evade the bank reporting requirements.

Anthony Alika admitted to laundering over $1.5 million this way. His wife, Sonia, admitted that between February and June 2015, she withdrew more than $250,000 from multiple bank accounts, again in amounts less than $10,000 to prevent the bank from filing cash transaction reports.
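Bank-side monitoring looks for exactly the withdrawal pattern described above. As an added illustration (not taken from the DOJ release or the original article), this Python example totals each holder's sub-$10,000 cash withdrawals across all of their accounts over a rolling window. The seven-day window, the record layout and the sample records are assumptions constructed for the example.

```python
from collections import defaultdict
from datetime import date

CTR_THRESHOLD = 10_000  # cash reporting threshold named in the article
WINDOW_DAYS = 7         # assumption: look-back window chosen for this example

# Constructed sample records: (holder, account, day, cash withdrawn in USD)
SAMPLE = [
    ("holder-A", "acct-1", date(2015, 3, 2), 9_500),
    ("holder-A", "acct-2", date(2015, 3, 3), 9_000),
    ("holder-A", "acct-1", date(2015, 3, 5), 8_700),
    ("holder-B", "acct-9", date(2015, 3, 2), 4_000),
    ("holder-B", "acct-9", date(2015, 4, 20), 4_500),
    ("holder-C", "acct-5", date(2015, 3, 4), 12_000),
    ("holder-C", "acct-5", date(2015, 3, 6), 300),
]

def flag_structuring(withdrawals, window_days=WINDOW_DAYS):
    """Flag holders whose sub-threshold withdrawals add up to the threshold."""
    by_holder = defaultdict(list)
    for holder, account, day, amount in withdrawals:
        # A single withdrawal at or over the threshold is reported on its own.
        if amount < CTR_THRESHOLD:
            by_holder[holder].append((day, account, amount))

    alerts = []
    for holder, rows in by_holder.items():
        rows.sort()
        start, total = 0, 0
        for end, (day, _, amount) in enumerate(rows):
            total += amount
            # Slide the window start forward past withdrawals that are too old.
            while (day - rows[start][0]).days >= window_days:
                total -= rows[start][2]
                start += 1
            if end > start and total >= CTR_THRESHOLD:
                window = rows[start:end + 1]
                alerts.append({
                    "holder": holder,
                    "first": window[0][0],
                    "last": day,
                    "total": total,
                    "accounts": sorted({r[1] for r in window}),
                })
                break  # one alert per holder is enough for triage
    return alerts

if __name__ == "__main__":
    for alert in flag_structuring(SAMPLE):
        print(alert)
```

Grouping by holder rather than by account is what catches withdrawals spread over multiple bank accounts, as in this case.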

In June, Atebefia was sentenced to serve 15 months in prison, followed by three years of supervised release.

The trio, plus whoever else they conspired with, didn’t exploit a technical flaw in the Get Transcript site itself. Rather, they took advantage of weak authentication requirements that were easy for fraudsters to slip past if they were already armed with people’s personal information.

To protect yourself from tax refund criminals, the Feds advise filing your tax return early, before the crooks beat you to the punch. What’s more, make sure the usernames and passwords you use on tax-related websites – or on any site, for that matter – are tough to guess.

From the DOJ’s press release:

“Many tax fraudsters depend for their success on filing a fraudulent return with a stolen identity before their victims file their genuine returns. Filing early and avoiding use of obvious usernames and passwords for online tax websites are two ways to help protect yourself.”