On Q Professional Investigations

Your personally identifiable information (PII) is all around you, and much of it is impossible to protect. While your driver’s license and Social Security numbers are a significant part of the equation, you can take certain protective measures to keep those from prying eyes. Unfortunately, that’s not the case when it comes to more visible forms of PII—like your birthday, email address, home address and even your name. There are criminals out there who see you as their day job, and they know how to use the most gettable pieces of your PII, like your name, to commit crimes.

The fact is, most everyone will experience some form of identity-related compromise during their lifetime. Yes, you most likely will become a victim. The crimes are often hard to detect, but they happen all the time, and there is absolutely no service out there that can give you complete protection from identity-related crimes.

Here are a few ways you can get scammed that only require the clever application of a name, the most basic piece of your PII.

The Grandparent Scam

The first complaints of this scam were logged by the Internet Crime Complaint in 2008, but as the FBI reports, fraudsters working the senior circuit are becoming more sophisticated, using PII gleaned from social media sites to hone their performance.

Typically, a call comes from overseas either late at night or early in the morning, when people aren’t thinking as clearly as they might. The caller poses as a grandchild in trouble. There is a request for money, and a plea for secrecy: “Please don’t tell mom and dad! They’ll kill me.” Sometimes an attorney or “an arresting officer” makes the call. Money is wired, and fairly soon after that, the victim comes to realize that he or she has been had.

Variations on the scam include military personnel on leave and friends calling friends. With an increasing number of people oversharing their information on social media, it’s not difficult to figure out who will help whom, and when they’re away.

What to do: Tighten your privacy on social media; don’t share details about vacations, and when anyone asks for money over the phone—even a “family member”— stop, think and don’t allow your emotions to drag your good sense and wallet to Western Union.

The Package Scam

Many crimes considered “identity-related” were being perpetrated long before identity theft became part of the national psyche. Stealing mail is one example.

Personally identifiable information has given thievery of mail a real “boost.” The latest ploy in urban areas involves the collection of names. Using a notepad, a local thief slipped into a group of condominiums in my neighborhood and started to document who lived where by looking at the junk mail left in the lobby. He used that to gain entry after the courier services made their daily drops. “This is Gary from 2C. Locked myself out. Can you please buzz me in?” In minutes, every package was in his custody and he was gone.

What to do: Don’t leave junk mail in your lobby, and urge the building to have a policy that doesn’t allow packages to be left unattended.

Read More

Washington, DC Aug 14 2014 Fourteen individuals were charged in three indictments in Puerto Rico with conspiracy to commit identification fraud, money laundering, aggravated identity theft and passport fraud in connection with their alleged roles in a scheme to traffic the identities and corresponding identity documents of Puerto Rican U.S. citizens.

Assistant Attorney General Leslie R. Caldwell of the Justice Department’s Criminal Division, U.S. Attorney Rosa Emilia Rodriguez-Velez for the District of Puerto Rico, Principal Deputy Assistant Secretary Thomas Winkowski of U.S. Immigration and Customs Enforcement (ICE), which oversees Homeland Security Investigations (HSI), Chief Postal Inspector Guy Cottrell of the U.S. Postal Inspection Service (USPIS), Chief Richard Weber of the Internal Revenue Criminal Investigation Division (IRSCID) and Director Bill Miller of the State Department’s Diplomatic Security Service (DSS) made the announcement.

The multi-count indictments were returned by a federal grand jury on Aug. 6, 2014. Since that time, five of the defendants have been found and arrested (four in Puerto Rico and one in Florida). They will be arraigned in federal court this week. Arrest warrants have been issued for the remaining defendants, who will make their initial appearances in federal court in the districts in which they are arrested.

According to the indictments, from at least July 2008 through April 2014, conspirators in the mainland United States and in Puerto Rico sold the identities and corresponding Social Security cards, Puerto Rico birth certificates and other identification documents of Puerto Rican U.S. citizens to undocumented aliens and others residing in the mainland United States.

Specifically, the indictments allege that individuals located in the Caguas, Rio Piedras and San Juan areas of Puerto Rico (suppliers) obtained Puerto Rican identities and corresponding identity documents, and conspirators in various locations in the United States (identity brokers) solicited customers for those identities and documents. The identity brokers allegedly sold the identities and documents to the customers for prices ranging from $700 to $2,500 per set of Social Security cards and corresponding Puerto Rico birth certificates.

According to the indictment, the identity brokers ordered the identity documents from the suppliers by making coded telephone calls, including using terms such as “shirts,” “uniforms” or “clothes” to refer to identity documents. The suppliers generally requested that the identity brokers send payment for the documents through a money transfer service to names provided by the suppliers.

The conspirators frequently confirmed payee names and addresses, money transfer control numbers and trafficked identities via text messaging. The suppliers allegedly retrieved the payments from the money transfer service and sent the identity documents to the brokers using express, priority or regular U.S. Mail.

According to the indictments, once the identity brokers received the identity documents, they delivered the documents to the customers and obtained the remaining payment from the customers. The brokers generally kept the second payment for themselves as profit. Some identity brokers allegedly assumed a Puerto Rican identity themselves and used that identity in connection with the trafficking operation.

As alleged in the indictments, the customers generally obtained the identity documents to assume the identity of Puerto Rican U.S. citizens and obtain additional identification documents, such as state driver’s licenses. Some customers allegedly obtained the documents to commit financial fraud and others attempted to obtain U.S. passports.

View Source

When Target lost data on some 110 million customers, it recommended them to credit bureau Experian for “identity theft protection,” offering to cover the cost for a year.

Think you’re in better hands? Think again.

Sometime before the Target (TGT) hack, Experian had its own data leak — via a subsidiary. That data leak got plugged before Target sent victims to Experian. But it shows that even those entrusted with our most sensitive data don’t know how to protect it.

Experian unknowingly sold the personal data of millions of Americans — including Social Security numbers — to a fraudster in Vietnam. That guy then sold the personal information to identity thieves around the globe.

It wasn’t until U.S. Secret Service agents alerted Experian that the company stopped.

Hieu Minh Ngo, now 25, was caught and admitted to posing as a private investigator in Singapore to get exclusive access to data via Court Ventures, an Experian subsidiary. Ngo then sold access to fellow criminals.

Read more

Have you just become one of the more than 10 million Americans who fall victim to identity theft every year? Are you wondering what to do now that your identity has been stolen?

If so, don’t panic. You’re going to have to do several things right away, but each will help you put your life back in order, and not taking these steps will only prolong your ordeal.

1. Don’t talk about your identity being stolen.
The first thing you might want to do if you find out your identity has been stolen is to tell all your friends about it. But before you post your misfortune on Facebook or Twitter, keep in mind that letting the world know you’re a victim could make you even more vulnerable to exploitation by identity thieves.

“Advertising that you’re a victim lets other people know that a lot of your information is out there,” said Neil Chase, an expert with the Tempe, Arizona-based identity-protection service LifeLock. “You want to be careful about that.”

Chase said people who have had their identities stolen are more susceptible to online frauds, such as email phishing scams and credit-monitoring scams. Broadcasting that your identity has been stolen might increase your risk of attracting these kinds of fraudulent solicitations.

2. Place a fraud alert on your credit file.
To get your life — and your credit — back in order, you’ll need to take charge in the days and weeks following an identity theft. The first thing to do is to call one of the three major credit reporting agencies — Equifax, Experian, or TransUnion — and request that it place a fraud alert on your credit file. Whichever company you contact will notify the other two credit bureaus about the alert.

If you place a fraud alert on your file, businesses must then verify your identity before issuing credit in your name. This means you’ll get a call if a criminal uses your name to open a fraudulent account.

While you have the credit bureau on the phone, make sure the contact information on your credit file is up to date. You can renew the initial fraud alert on your account for free after 90 days.

There’s also a fourth, lesser-known credit bureau that you may want to contact when placing a fraud alert on your file — Innovis. This company keeps track of credit information that the big three don’t bother with, such as utility bills and cellphone payments. Issuing an alert with Innovis could prevent a lot of headaches for identity-theft victims.

3. Request a credit freeze.
If you’re truly worried about your credit or have a lot of assets to protect, consider placing a freeze on your credit file. Freezing your credit will make it even more difficult for identity thieves to open up new accounts or access credit in your name. You will still be able to open legitimate lines of credit even when your credit file is frozen.

To freeze your credit, you’ll need to contact each of the three major credit bureaus individually. Report that your identity has been stolen and that you’d like to freeze your credit. You’ll likely need to pay a fee to each bureau, which is determined by state law but typically costs between $3 and $11.

While fraud alerts need to be renewed every 90 days, credit freezes make your credit report inaccessible to creditors (and criminals) for much longer — usually until you decide to lift the freeze on your file.

4. Request your credit reports.
Now is the time to assess the damage done to your credit by identity thieves. To begin the process, request a free credit report from each of the three major credit bureaus. Placing a fraud alert on your file entitles you to a free report, but in fact every U.S. resident is allowed one free annual report from each credit agency.

Once you have your credit report in hand, you can begin setting things to rights. To dispute any errors you find on your credit reports (such as accounts you didn’t open or erroneous personal information), first create an identity-theft report (see the next step) and then write to each of the three credit reporting companies explaining the errors.

You’ll also need to contact the fraud departments of each business that reported a fraudulent transaction on your existing account, as well as each business that reported a new account opened fraudulently in your name.

For an in-depth guide on how to dispute fraudulent charges on your accounts, see the FTC’s online tutorial on dealing with identity theft.

5. Create an identity-theft report.
Disputing fraudulent charges and accounts will be much easier if you’ve put together an identity-theft report. To create an identity-theft report, you’ll first need to submit a formal complaint to the FTC detailing the theft.

With your FTC identity-theft affidavit in hand, you can next file a police report in the municipality where you reside, or where the theft took place. The police report and affidavit together comprise your identity-theft report and will aid in the battles that may come. Having a theft report will also enable you to place an extended fraud alert on your credit, which will last for seven years instead of the requisite 90 days.

6. Make sure it doesn’t happen again.
Anyone who has had her identity stolen won’t want to repeat the experience. Luckily, there are several steps you can take to prevent your identity from being stolen again. Chase said one of the easiest ways to do this is to cut back on paper documentation of your personal information.

Chase’s advice? Stop receiving paper account statements in the mail and instead opt to view information about your various accounts online. If you do receive paper statements, shred them before throwing them in the trash.

Also keep in mind that going over your bank statements and credit reports with a fine-toothed comb isn’t an effective way to keep track of your financial accounts in real time. To get a better sense of what’s happening with your accounts, you’ll need to monitor them more frequently than once a billing cycle.

“Watch your accounts online,” Chase advises. “That way if something happens that the bank doesn’t catch, you’re going to catch it sooner than if you wait for a statement or credit report.”

While you’re online, you should also consider strengthening the passwords for your various accounts, particularly online bank accounts and email accounts, where personal and financial information might be stored.

View Source

ATLANTA—Justin Cody, and his wife, Aeshia Wilmore, have been sentenced for their roles in a fraudulent income tax refund scheme.

“Stealing identities of innocent people has become all too common,” said United States Attorney Sally Quillian Yates. “The sentence these two received makes it clear that we are committed to exposing and bringing to justice anyone who engages in this conduct.”

“IRS-Criminal Investigation will remain proactive in the investigation of individuals and groups who engage in stealing the identities of innocent people,” said Veronica F. Hyman-Pillot, Special Agent in Charge. “We will utilize every tool available to investigate those who conspire with each other to victimize members of our community for their own personal gain.”

J. Britt Johnson, Special Agent in Charge, FBI Atlanta Field Office, stated, “The FBI is pleased with the role it played in bringing these defendants to justice. The FBI will continue to provide its investigative resources and assets in protecting individuals’ identities and their use in these growing schemes involving false tax returns.”

According to United States Attorney Yates, the charges, and other information presented in court: from as early as February 2013 to May 2013, Justin Cody and his wife, Aeshia Wilmore, participated in a scheme to defraud the Department of the Treasury by filing hundreds of fraudulent income tax returns using stolen identities. This type of scheme is commonly called stolen identity refund fraud. Cody used stolen personal identification information of hundreds of victims, along with fake wage and withholding information, to prepare numerous fraudulent tax returns, claiming over $600,000 in tax refunds. After the refunds were processed, Cody had the refunds applied to blank prepaid debit cards that he and Wilmore used at various ATMs throughout the Atlanta area.

Justin Cody, 33, of Atlanta, Georgia, was sentenced to serve seven years and three months in federal prison. Aeshia Wilmore, 25, also of Atlanta, was sentenced to two years in federal prison by United States District Judge Steve C. Jones. On November 22, 2013, Cody and Wilmore each pleaded guilty to count three of the indictment, which is a substantive count of theft of public funds. Cody also pleaded guilty to aggravated identity fraud.

This case was investigated by special agents of the Internal Revenue Service Criminal Investigation and the Federal Bureau of Investigation.

View Source

At the height of the tax season, federal agents on Thursday rounded up about 25 South Florida suspects charged with stealing Social Security numbers and other personal information from unwitting victims to file fraudulent income-tax returns in their names.

The takedown, carried out at the crack of dawn, is the latest in a series of sweeps through South Florida to combat the ever-spreading crimes of ID theft and tax-refund fraud that are costing the U.S. government billions of dollars a year.

U.S. Attorney Wifredo Ferrer, who has launched the only task force in the nation to crack down on the dual crimes, plans to hold a news conference Thursday morning to spotlight the latest arrests before the April 15 tax filing deadline and South Florida’s dubious reputation as the capital of these twin crimes.

Since 2012, his office has prosecuted upwards of 200 defendants who have filed hundreds of millions of dollars in false refund claims with the Internal Revenue Service.

Thursday’s takedown was carried out by dozens of agents with the FBI, IRS, Secret Service and other law enforcement agencies.

Critics say the IRS is partly to blame for the escalating crisis because the agency issues refunds so rapidly in the digital age without checking the accuracy of the information on tax returns, including failing to investigate suspicious claims with stolen names, birthdates and Social Security numbers along with totally fabricated employment and income information.

The IRS has admitted that it rarely checks tax documents such as W-2 income forms in real time to see if employees’ returns match information provided by their employers. That has given tax-fraud offenders ample time early in the tax season to use stolen identities, swiped from hospitals, police stations and other places, to beat legitimate tax filers to the punch.

The problem has spiraled so out of control that some South Florida perpetrators haven’t even bothered with stealing people’s identities to commit tax fraud. They have simply filed phony refund claims for tens of thousands or hundreds of thousands of dollars in their own names and the IRS has issued them the massive refunds in the form of checks or debit cards.

View Source

A Georgia woman was recently sentenced to 27 years in prison for stealing the identities of nursing home patients and using their information to apply online for about half a million dollars in fraudulent tax refunds from the Internal Revenue Service (IRS).

Criminals who use stolen personally identifiable information to line their own pockets perpetrate a wide variety of fraudulent financial schemes, like hacking into online accounts, submitting phony insurance claims, and applying for loans and credit cards. Increasingly, though, tax refund fraud using stolThe IRS has reported a significant increase in identity theft-related tax refund fraud over the past several years. This type of crime is perceived by criminals and organized criminal enterprises as relatively easy, seemingly low-risk, and, ultimately, pure profit which can be used to fund other criminal activities…like drug trafficking, money laundering, public corruption, or even terrorism.

Anyone with a Social Security number could become a victim. But criminals who commit tax refund fraud seem to focus more on people who don’t normally file tax returns—the elderly, low-income families, students, patients at long-term health care facilities, and even the homeless. Perpetrators also target public figures like celebrities, athletes, CEOs, and politicians, as well as law enforcement, military, and government personnel…including Attorney General Eric Holder.en identities is fast becoming a favorite money-making endeavor of the criminal element.

How a scheme works. The perpetrator fills out a federal tax return online with stolen identity information and phony wage and tax withholding figures, then informs the IRS how to provide the refund (a check mailed to a certain address, a direct deposit into a bank account he controls, or, more common these days, a deposit onto a debit card in his possession).

In simple tax refund schemes, one person usually handles everything—from obtaining stolen identities to collecting refunds. But in more sophisticated schemes, there are a number of individuals assuming different roles: “ringleaders” who organize entire operations, “sources” who steal identity information, “preparers” who file returns online, and “runners” who actually collect the proceeds.

Law enforcement response. The dedicated work done by IRS-Criminal Investigation professionals is a major component of that agency’s efforts to combat tax-related identity theft. And the IRS continues to make enhancements in fraud prevention, early detection, and victim assistance as well.

But the FBI—working with our partners at the IRS and U.S. Secret Service and through liaison efforts with banks—brings valuable investigative resources to the table: our years of experience investigating financial crimes, our focus on identifying and dismantling large criminal networks, and our use of sophisticated investigative techniques. We also share intelligence and information with other federal law enforcement partners to help link investigations of criminal organizations engaged in tax fraud schemes that may be tied to illegal drugs, weapons, terrorism, or other types of criminal activity.

All of these efforts are paying off—we’ve been part of many successful cases recently (see sidebar).

And the FBI will continue to work cooperatively to investigate stolen identity tax refund fraud—we take our role in identifying and arresting those responsible very seriously. These crimes not only victimize law-abiding individuals but all honest U.S. taxpayers who ultimately foot the bill for this stolen revenue.

View Source

Crashing websites and overwhelming data centres, a new generation of cyber attacks is costing millions and straining the structure of the Internet.

While some attackers are diehard activists, criminal gangs or nation states looking for a covert way to hit enemies, others are just teenage hackers looking for kicks.

Distributed Denial of Service (DDoS) attacks have always been among the most common on the Internet, using hijacked and virus-infected computers to target websites until they can no longer cope with the scale of data requested, but recent weeks have seen a string of particularly serious attacks.

On Feb. 10, internet security firm Cloudflare says it protected one of its customers from what might be the largest DDoS documented so far.

At its height, the near 400 gigabyte per second (gbps) assault was about 30 percent larger than the largest attack documented in 2013, an attempt to knock down antispam website Spamhaus, which is also protected by Cloudflare.

The following day, a DDoS attack on virtual currency Bitcoin briefly took down its ability to process payments.

On Feb. 20, Internet registration firm Namecheap said it was temporarily overwhelmed by a simultaneous attack on 300 of the websites it registers, and bit.ly, which creates shortened addresses for websites like Twitter, says it was also knocked out briefly in February.

In a dramatic case of extortion, social networking site Meetup.com said on Monday it was fighting a sustained battle against hackers who brought down the site for several days and were demanding $300 to stop. It would not pay, Meetup CEO Scott Heiferman told Reuters.

DDoS attacks were at the heart of attacks blamed on Russian hackers against Estonia in 2007 and Georgia during its brief war with Russia in 2008. It is unclear if they played a role in the current stand-off between Moscow and Ukraine in which communications were disrupted and at least one major government website knocked out for up to 72 hours.

A report this month by security firm Prolexic said attacks were up 32 percent in 2013, and a December study by the cyber-security-focused Ponemon Institute showed them now responsible for 18 percent of outages at U.S.-based data centres From just 2 percent in 2010.

The average cost of a single outage was $630,000, it said.

“It’s really a game of cat and mouse,” said Jag Bains, chief technology officer of Seattle-based DOSarrest, a firm that helps government and private-sector clients protect their sites.

“I’d like to say we are ahead, but I just don’t think it’s true.”

As well as growing in volume, he said attacks were becoming much more sophisticated in targeting the most vulnerable parts of websites, making even a small attack much more effective.

The aims of attackers include extortion, political activism, providing distraction from data theft and, for “hobbyist” hackers, just testing and showcasing their skills, security experts say.

Other victims in recent months have included the Federal Bureau of Investigation, Royal Bank of Scotland and several major U.S. banks, which analysts believe were targeted by Iran in response to sanctions. Iran denies the charge.

HIJACKING PRINTERS, SMARTPHONES

Many attacks, however, appear to be homegrown. The most popular point of origin for DDoS attacks in the last three months of 2013, Prolexic said, appeared to be the United States, followed by China, Thailand, Britain and South Korea.

As well as hijacking computers, Prolexic said attackers are increasingly targeting smartphones, particularly those using Google’s Android operating system, which by the third quarter of 2013 accounted for more than 80 percent of new phones.

Even wireless printers, experts say, have sometimes been co-opted into attacks, packed together in botnet groups. That, they warn, can put previously unprecedented cyber firepower in the hands of relatively unskilled hackers, who increasingly include teenagers.

Last year, British police arrested a 16-year-old as part of their investigations into the attack on Spamhaus, while German police arrested an 18-year-old after a DDoS attack paralysed the Saxony government website.

DDoSarrest says some of the most recent attacks it has dealt with were on U.S. universities and largely blamed on students showing off or protesting against high tuition fees.

The sheer volume of attacks means many perpetrators are never traced, and some computer security experts complain law-enforcement authorities remain reluctant to prosecute the youngest offenders.

Until recently, DDoS attacks were seen less of a threat than attempts to steal customer data or intellectual property. That, however, is changing fast.

SLOWING THE INTERNET

Last year’s Spamhaus attack was described by some as slowing the entire global Internet, and most experts agree the largest attacks can slow access across entire regions. Cloudflare says there were anecdotal reports of slowness in Europe during the latest attack.

Crashing data centres can wreak havoc with other services based there, including phone systems and vital industrial facilities.

The Ponemon report showed DDoS attacks are now the third largest cause of outages after power system failure and human error, outstripping traditional causes such as weather events.

Even if attacks do not succeed, the cost of mitigating them is rising fast, providing many millions of dollars of business for firms such as Cloudflare and Prolexic, taken over last month by Akamai Technologies for about $370 million.

Namecheap, which aims to offer cut-price hosting for websites, said it had already spread its data centres across five countries and three continents to better handle constant attacks but was still overwhelmed by the roughly 100 Gbps incident.

Attacks on that scale, Prolexic says, now occur several times a month and are now frequently so complex and fast moving that automated systems can no longer tackle them.

Prolexic itself runs a permanently manned operation centre at its headquarters in Florida, allowing it to keep one step ahead and instantly move material between data centres.

“It’s very hard to know what to do,” said Alexander Klimburg, a cyber security expert at the Austrian Institute for International Affairs currently on exchange at Harvard Kennedy School of Government. “The tools to do this can be purchased online incredibly cheaply, while the damage they can do and the cost of mitigating it is exponentially higher.

View Source

In a response to a few recent incidents in the community, Northbrook police are warning residents of scammers who have become more technologically savvy and harder to track.

“They are able to use the web now to choose their victims,” said Scott Dunham, deputy chief of Northbrook’s police department, speaking at a Board of Trustees meeting on Tuesday. “Social networking sites are proving to be a fertile ground for them.”

On Feb. 16 and Feb. 17, two Northbrook residents, one on the 1000 block of Springhill Drive and one on the 3100 block of River Falls, reported receiving calls from a person pretending to be their grandson and requesting money, authorities said. Neither resident fell for the scam.

Over the past two years, Northbrook has seen a total of 18 similar incidents, according to Daniel Petka, a spokesman for the Northbrook Police Department.

In three incidents out of 18, the victims actually transferred money to the scammers, he said.

“The important thing is to be more inquisitive,” Petka said, adding that the scammers usually tend to call early morning or during the night, trying to catch the victims at their most vulnerable time.

Scammers can mine social media sites to determine whether their victims have any family members and then impersonate them over the phone, asking for money, according to officials.

“It’s come to a point now that we believe (criminals) are actually trading roster lists of people they have successfully scammed so they can follow up with another one,” Dunham said.

Northbrook Village President Sandra Frum asked whether police are able to correlate some burglaries with residents posting information about their vacations on the social media.

Dunham said while it’s hard to make those connections, the police consistently warn people about posting sensitive information, such as travel schedules, online.

Northbrook officials said they would release in an upcoming village newsletter more information on how to avoid becoming a victim of a phone scam.

Dunham said residents should make sure their online profiles have privacy restrictions.

In general, Dunham said, residents should limit broadcasting sensitive information through the social media.

“You shouldn’t be releasing something you’d be uncomfortable with placing on a billboard on Michigan Avenue,” Dunham said.

View Source

As an IRS contact representative, Sherelle Pratt was tasked with tackling confused tax filers’ most complicated questions.

Instead, authorities said Tuesday, she left them with a more burning concern: What happened to their tax returns?

A federal grand jury indicted Pratt, 49, of Philadelphia, on charges of theft, identity theft, and filing false returns – all stemming from an alleged scheme in which she pocketed nearly $29,000 in tax-refund money meant for nine of her clients.

Investigators with the Treasury Department and the IRS began probing Pratt’s work in 2009, after the father of one client questioned what happened to a $958 tax return and $600 stimulus check he believed his son was owed. They later found that the money was deposited in Pratt’s personal bank account, according to court filings.

Further digging revealed that Pratt had allegedly filed for a $3,524 tax refund on behalf of another client without his knowledge.

In other cases, she purportedly pushed clients to claim dependents and child-care and business expenses for which they were not eligible.

Sometimes, prosecutors said, Pratt passed the money along. In others, she split the proceeds with her clients, prosecutors said.

It was not immediately clear Tuesday whether Pratt had retained a lawyer. She did not return calls for comment.

A six-year veteran of the IRS, she has been suspended pending the outcome of her case, the U.S. Attorney’s Office said.

If convicted, Pratt could face up to 33 years in prison and $2.25 million in fines.

Pratt is at least the second local IRS employee to face tax-fraud charges in as many years.

In June, a federal judge sentenced former agency customer service representative Patricia Fountain to 19 years behind bars for bilking the IRS out of more than $1.7 million in bogus refunds.

View Source