By Jeremy Scott-Joynt
BBC News business reporter
Low risk. High reward. Easy hours. And all from the comfort of the internet cafe just down the road.
Job Centre staff have been among the victims of the fraud
Who could resist such an inviting prospect?
Certainly not the organised criminals who - it now emerges - have been assaulting the government's tax credits system so effectively that they forced the closure of its online portal on 1 December.
The victims of the scam are legion.
Not only have numerous legitimate, and often needy, recipients of tax credits found themselves out of pocket; thousands of civil servants are now discovering that their personal details have been stolen and abused.
And then, of course, there's the entire UK population, whose taxes help support the £14bn tax credit system.
The scale of organised crime's attack on tax credits, revealed by BBC News in October, has yet to be quantified.
So far, HM Revenue and Customs says it has identified £15m - but admits it has barely begun to map the scale of the problem.
Many in the public sector believe that of the £2.2bn mis-paid in 2003-4 - some 15% of total payments - hundreds of millions have been lost to fraud.
The attraction of the system to fraudsters has been relatively low levels of up-front checking of the accuracy and honesty of applicants.
HMRC insists that it took the risk of fraud into account when tax credits first opened for business.
"From the first day... our working assumption was that we would be the target of attacks" by fraudsters, HMRC executive director David Varney told the House of Commons' Public Accounts Committee earlier in December.
But the sheer scale of demand, and a system designed to focus on processing claims and recovering overpayments later, left the door wide open to abuse.
The temptation was just too hard for organised crime - always looking for the best return for the lowest risk - to ignore, fraud specialists in both the public and private sector have told BBC News.
The main attack has been on the online portal, which the Revenue closed on 1 December.
Fraudsters were making multiple applications - using false or stolen identities and claiming for non-existent children - from internet cafes as early as two years ago, BBC News has learnt.
The Revenue acknowledges it first upped its scrutiny of the portal in the early summer of 2005, and thought it had the situation under control.
But then the risk just kept on rising.
By October, BBC News understands, the pressure of what Mr Varney now calls a "virulent and sustained fraud" was reaching crisis pitch - and at meetings involving the Department of Work and Pensions and HMRC the worst-case strategy of closing the portal began to be mooted.
The fraud was made much easier by a devastating security breach at the DWP: the theft of payroll data from the 2003-4 financial year which put names, addresses, dates of birth and national insurance numbers of at least 13,000 DWP employees in criminal hands, most likely thanks to action by insiders.
Staff in centres which serve London claimants - Glasgow, Lancashire and Pembrokeshire - as well as in London itself have now found that bank accounts have been opened in their names and money siphoned out, potentially destroying their credit ratings.
DWP staff fear the data may well have come from FAMIS - the pay and personnel database set up before the Benefits Agency and Employment Service merged in 2000, and still used for former Benefits Agency staff.
Working the phones
But although HMRC insists that its other systems remain secure, evidence is building that its call centres have also been unwittingly abused, according to Revenue insiders who have contacted Liberal Democrat Work and Pensions spokesman David Laws.
"For many months now we have been regularly seeing examples of a new form of tax credit fraud," the whistle-blower says.
At least 13,000 staff affected by theft of payroll data
Centres affected: London, Glasgow, Makerfield (Lancs) and Pembroke Dock (Wales)
HMRC remains unsure of whether there may be still more staff affected.
The new method is an identity theft attack on existing claimants, where a bogus telephone call changes the claimant's registered address.
Then, once enough time has elapsed to assuage suspicion, the fraudster changes the bank details as well.
Payments, it seems, do not have to go to an account in the name of the claimant - and some accounts are being used to aggregate such fraudulent returns, something which is beginning to be flagged by banks' and building societies' anti-fraud systems.
The first the claimant knows is that the payments suddenly stop. But if they try to resolve the issue, they then fail the security checks thanks to the fraudulently altered personal information.
The revelation that the system is vulnerable to fraud on a massive scale is hardly the first bit of bad press to hit what, in principle, is an impeccable aim: to ease the burden on families and the low-paid.
As soon as the credits were introduced in 2003, call centres managing the applications found themselves inundated with enquiries in numbers far beyond their capacities.
Add in an IT system which badly underperformed - to the point where the company responsible, EDS, has had to pay HMRC £71m in compensation - and the stage was set for the meltdown which duly followed.
But even though HMRC says it has always tried to balance accessibility and security, the design of the system - which, a National Audit Office report found, stressed post-claim checks rather than pre-payment ones - left the door wide open to abuse.