The Southbourne Tax Group: Why Tax Refund Fraud Losses Are Growing Rapidly
Over the past five years, the IRS has been experiencing issues around identity theft. Evidence of stolen identity tax refund fraud, or simply tax refund fraud (TRF), began to emerge as early as 2004 when individuals began submitting fictional tax returns from prison. According to the Treasury Inspector General for Tax Administration (TIGTA), in 2004, prisoners submitted 18,000 returns, which cost U.S. taxpayers $68 million. In 2010, they submitted 91,000 returns, with a loss of $757 million. Over that time, the prisoners also increased the average amount of money they collected, jumping from $3,777 in 2004 to a staggering $8,318 in 2010. Their tax fraud scheme exposed a flaw within the tax filing system.
Organized criminal enterprises understand flaws in the tax filing and refund system that allowed them to exploit procedural weaknesses and reap large returns for their efforts. TRF has evolved into a sophisticated criminal enterprise process with organized fraud rings filing thousands of fraudulent tax returns annually.
Factors Leading to the Growth of Tax Refund Fraud
The advancement of technology has had implications across many facets of TRF. The increase in personal computing power of taxpayers, the evolution of the Internet since the early 1990s, the ability to electronically file tax forms and subsequent growth of third-party tax filing services and the ability to receive tax refunds via direct deposit (including prepaid debit cards) have all been major contributing factors to the growth of TRF. Additionally, the conversion of personally identifiable information (PII) to digital records has created an opportunity for cybercriminals to steal PII in large quantities, as evidenced by recent health care provider and government agency data breaches.
The IRS has offered and allowed direct deposit of tax refunds since the 1980s; however, it never built systems to confirm that deposits were being made to an account of the same name as the tax filer. In 2008, TIGTA reported that “the IRS has not developed sufficient processes to ensure that more than 61 million filing season 2008 tax refunds were deposited into an account of the name of the filer.” In fact, TIGTA found that the IRS was not in compliance with direct deposit regulations. The IRS claimed that it was the responsibility of the taxpayer to ensure compliance — which obviously played into the fraudsters’ hands.
The problem of multiple direct deposits to one account was evident in a 2012 report in which an analysis of 2010 data indicated that 4,157 direct deposit refunds totaling more than $6.7 million went to just 10 accounts.
A corresponding July 2012 TIGTA report recommended that the IRS limit the number of direct deposits to one account. The IRS agreed with that suggestion and instituted a limit of three direct deposits to one account for the 2015 filing season.
A New Trend Takes Hold
Around 2010, a new trend emerged centering around true identity theft. Based on lessons learned from the prisoner tax filing scam, organized criminal groups (OCGs) focusing on TRF began to emerge. OCGs from street gangs to international crime groups learned that they could make a lot money with little risk involved. The OCG would obtain true identity information about a taxpayer, which is otherwise known as “FULLZ” in Dark Web marketplaces. The OCG would then submit a tax return in the victim’s name with fictitious employment and wage documents to support it.
Since two returns cannot be filed for the same person in one year, once the victim would submit a true tax return it would be rejected, alerting them to the identity theft. One of the issues at hand is that the IRS does not reconcile wage documents from individual returns to those supplied from employers until six to nine months into the year. According to TIGTA, the IRS may have paid $5.2 billion in potentially fraudulent tax refunds on 1.5 million tax returns in 2010.
So Where Does One Get FULLZ Information?
FULLZ information is readily available from many places. These include data breaches, retail stores, health care records and more. Once cybercriminals get access to this data, they will then put the information into a website marketplace that allows fraudsters to access any of the data that is available for a price. Many of these websites are in what is known as the Dark Net or Dark Market. The Dark Net listings provide fraudsters with all the information they would need to execute TRF.
If you are a novice or would-be fraudster, there are websites that will provide a how-to tutorial for committing TRF. The pictures below are examples of a few websites that teach people each step of TRF, from getting a person’s PII and opening a bank account in that individual’s name to actually submitting a fraudulent tax return and receiving an illicit refund.
Another important thing to note is that rules, regulations and silos within companies hinder the organizations’ ability to effectively communicate, share information and limit the losses from TRF. However, the bad guys are not hindered by any such rules and regulations. They are free to communicate among themselves about successes, failures and other conditions that will help refine their processes to be more successful. This is usually done in Dark Net chat forums. In these forums, criminals are free to discuss what was successful and what was not.
Technology has made it increasing easy for fraudsters to commit their crimes anonymously. The Internet and phone channels provide areas that can be used to grant anonymity. On the Internet there are many products that provide virtual private network (VPN) services to hide the true identity and IP address of the bad actor; two of the best known are Tor and I2P.
Data Breaches Fuel the FULLZ Supply
All data breaches are not created equally. Some of the large retail breaches over the last 18 months, while significant, do not pose as much of an identity theft risk as the more recent health insurer and government data breaches. Some of the high-profile retail breaches involved payment card compromises, which would allow a fraudster to create and use counterfeit cards. Typically, card issuers will bear losses associated with counterfeit card use, sparing consumers any financial burden. However, data breaches that involve complete PII records of consumers present a high risk of identity theft and TRF.
Until recently, the compromise of full PII data often came from malicious insiders with access to consumers’ information. Insiders at banks, medical offices, schools and other organizations that possess PII help provide access for criminal enterprises. Large-scale data breaches at health insurers and government agencies have provided a tremendous supply of consumer PII to cybercriminals looking to execute TRF.
So far in 2015, more than 100 million PII records have been compromised through health care and government data breaches alone. For example, the IRS announced that the breach of its Get Transcript system may have included the PII of 334,000 taxpayers. Unlike payment card compromises, these breaches may have profound negative effects to individuals for years to come.
IRS Attempts to Control the Issue
In response to TIGTA’s direct deposit concerns, the IRS introduced limits on Automated Clearing House (ACH) deposits for the 2015 tax season. It implemented new procedures about how money would be sent to accounts by ACH and by check. For instance, a new direct deposit refund request limits the number of refunds that can be deposited into one bank account to three. After three deposits into one bank account, the IRS will convert any subsequent direct deposit refund requests to a paper check and mail the check to the taxpayer’s address. Also, the IRS is limiting the number of bank accounts among which a taxpayer can split one refund to no more than three.
These changes were implemented in an effort to curb TRF. However, the reforms did not achieve the intended result because fraudsters adapted their tactics to exploit systematic weaknesses. The issues that arose for the 2015 tax season are twofold:
- Workarounds With Tax Preparation Services
The master accounts associated with tax preparation services are a weakness in the system to which fraudsters navigated once the IRS instituted the direct deposit limitations. When an individual files a tax return with a refund through some of the popular tax preparation services, the refunds are often routed from the IRS to the tax preparation company, which then sends it to the individual’s bank and account of record.
Through this method of filing, fraudsters were able to bypass the direct deposit limits. Refunds processed through master accounts do not contain robust event descriptions. The lack of event descriptions means the banks can’t detect and stop these refunds since they have no information from which to validate and match information to the bank account.
- Financial Institutions Cannot Help Monitor for Fraud
The direct deposit limits took financial institutions out of the game with regard to being a detection point. An ACH deposit coming from the IRS to a bank contains a robust event description including the name, address and Social Security number of the beneficiary. Financial institutions were in a position to detect suspicious activity of multiple deposits going to one account for the benefit of individuals not named on the account.
As with many regulations and controls designed to stop fraud, there are unintended consequences. As a result of criminals’ ability to adapt to the ACH limitations, they found another way. Their new methods resulted in a higher success rate and increased losses to U.S. taxpayers.
What Does This Mean for the Future?
TRF is expected to increase dramatically for this tax season. According to the IRS, fraud losses will reach a staggering $21 billion by 2016, while just two years ago, losses were $6.5 billion.
Recent large-scale PII data breaches will contribute to the growth of TRF. Although the IRS is making changes to try to limit fraud, there are still structural weaknesses in the process that will allow this activity to continue.
Are There Solutions to the Tax Refund Fraud Issue?
No one solution will stop tax refund fraud, but it can be slowed down and its losses limited. The focus should be on better fraud detection capabilities. The detection process should be built like an onion with multiple layers and parties involved. Proposed cuts of the IRS’ budget by more than $800 million for fiscal year 2016 may make it increasingly difficult for the agency to create a better detection strategy, however.
Limiting the number of direct deposits to one account is a good start. However, financial institutions need to be brought into the detection loop. The refund process via master accounts must be enhanced to the point where the name, address and Social Security number of the beneficiary are included in the event description of the ACH transaction between the master account and the receiving bank. Once that is done, banks can build fraud strategies to identify multiple deposits to one account.
The IRS, financial institutions, tax preparation service companies and card companies should work together to devise and implement detection controls that may allow each party to potentially identify suspicious activity, raise red flags and halt the refund process to allow for identity verification. With a detection process that includes all these parties, there will be three different industries that can review refund transactions at different points in the process. This could significantly decrease the losses that are seen with tax refund fraud.
Additional resources for business accounting tips are available here
The Southbourne Tax Group: Adjustments After Nuptials - Tax Tips!
June had the reputation as being THE wedding month of the year and flowers were everywhere. Now it seems like wedding season goes from early spring to late summer. Whether they’re traditional with a bunch of flowers or have a Harry Potter theme, weddings strive to be a happy occasion for all parties involved and guests invited. They can also, however, be quite stressful! Between trying to plan a wedding, staying within budget, finding the perfect dress and finalizing plans, it can be an overwhelming task! Not to mention that two people’s lives are going to change, so it’s understandable that a few things might fall to the wayside.
While trying to choose the right flowers for the bouquet, which flavor of cake to have, and planning a seating chart, no one really has time to think about everything they need to do after festivities and honeymoon. Besides, who wants to think about name changing forms when a sandy beach with fruity drinks is calling their name? There’s other important things to do, too, like writing thank you notes and trying out all the new gadgets family and friends gave you.
When the fun dies down, though, we’re here to give all newlyweds a friendly reminder of tedious tasks to consider and or do once they’re married. So first things first! Some people really like the whole name change idea that is associated with getting married; you know, at some point we all tried out how our name would flow with some hottie we admired by scribbling it all over our school notebooks.
A new name can be exciting, but keep in mind that for tax purposes, your name, social security number and tax return all have to match. Therefore, take a few minutes to report your new name to the Social Security Administration and file a Form SS-5. Make sure you have a copy of your driver’s license or passport and your marriage certificate because you’ll need them. Lastly, the SSA will take about two weeks to process the name change so try not to make your name change too close to the tax season because data sharing between the IRS and the SSA can be problematic towards the end of the year.
Another tip to keep in mind is to make sure your address is up-to-date if you move after the nuptials. There are some types of federal and certified mail that the postal service won’t forward to a new address. Seems like a no brainer, but for newlyweds coming fresh off a honeymoon and go right into a big move, it can be easy to forget to notify the postal service. Further, report to your employer any name or address changes to make sure you receive your Form W-2 after the end of the year.
Now here’s the nitty gritty; filing a tax return after you’re married. The combined income for you and your spouse could potentially put you in a new tax bracket. If that’s the case, use the IRS Withholding Calculator to see if you need to file a new Form W-4 for your employer. Then, make sure you choose the right tax form to fill out. Being married, you’ll have enough deductions to itemize your return rather than take standard deductions. Finally, decide which filing status will be most beneficial for you.
For most married couples, there’s a lower tax liability for filing jointly, but the married filing separate option could be more beneficial. For instance, if your spouse has past debt with the IRS or another agency, filing separate will prevent any refund the spouse may get from being used to offset the debt. These little details are easy for anyone to overlook, but as they say, the devil is in the details. Making sure things like names changes and filing correctly are taken care of well before tax time will save you from of heck of a headache!
With all of that out of the way, enjoy the honeymoon period and enjoy being blissfully married!
Additional resources for business accounting tips are available here.
The Southbourne Tax Group: Red Flags for Audits
The IRS at times seems like a living, breathing entity that’s often the source of bad dreams and stress. With all their rules, regulations, deadlines and forms, the IRS can be a little daunting, and nothing is scarier than the word audit. Often we are asked what are the chances of being audited, how the IRS chooses people to audit, and if whatever change they make in their life will put them on the radar of the IRS. These are all logical questions and completely reasonable to ask.
Unfortunately, the IRS chooses people at random for auditing, but on the other hand, there are some things that can tip the IRS off into auditing you. We’ve compiled a list of things that can tip off the IRS in no particular order that act as red flags so to speak.
-Not reporting all your income
There are numerous ways to receive income outside of what’s listed on a 1099 or W2. You may receive dividends, pension pay from a previous employer, royalties or whatever it may be. The more sources of income you have, the harder it can be to remember to report all of it or easy to overlook it. Any institution to distribute income will report it to the IRS, so make sure you check and double check that all your income has been recorded.
-Breaking the rules of foreign accounts
Foreign accounts sound like something from high budget espionage film, but some people do in fact have them. The law states that it is required for overseas banks to identify American asset holders and provide that information to the IRS. If you have a foreign account, you must report assets worth at least $50,000.
-Burring lines on business expenses
It’s a great tax advantage to be able to write off business expenses, however, the IRS has gobs of data upon data about typical business expenses. In laymen terms, they know when someone is spending more than what the average is. Tax returns showing 20 percent or more above the normal might get a second look. Therefore, always keep proper documentation of all your business expenses.
-Earning more than $200,000
Higher incomes require more complicated returns that tend to contain audit triggers. The IRS audited 1 percent of those earning $200,000 and almost 4 percent earning more. IF you make more than one million, the chance for an audit increases to 12.5 percent. Again, keeping good paper trails and the proper documentation is a must! This isn’t a bad thing at all, just the nature of the beast in this case.
-Taking large charitable deductions
Just like business deductions, the IRS has gobs of data about typical charitable contributions people at every income level usually make. If someone tries to deduct a contribution that’s largely disproportionate to their income level, eyebrows might raise. When donating, make sure you get the right paperwork for your own records and make sure to file a form 8283 for noncash donations over $500.
-Taking an early payout from an IRA or 401k
Red flags get raised if payments are taken out before 59.5 years of age and you can be subject to a 10 percent penalty on top of regular income tax. There are ways to get around the penalty for things like large medical costs and total and permanent disability, but otherwise, it’s best to not touch the pension plans.
If they see a common mistake popping up, the IRS is liable to look deeper into returns if they think those mistakes were made. There are any number of reasons the IRS may look deeper into someone’s tax return for auditing. The list we provided are not the only reasons, but are common reasons. The IRS still keeps it random, probably just to keep people on their toes, but keep in mind the IRS likes to change a lot. With proper documentation and accurate records, don’t worry about auditing!
Additional resources for business accounting tips are available here.
The Southbourne Tax Group: How to Protect Your Identity and Assets
Tax Fraud Awareness
The IRS, taxpayers and tax preparers share a common enemy: identity thieves. We all have a part to play in the fight against tax-related identity theft. Your role starts by learning the mechanics and warning signs. From there, taxpayers can take proactive steps to protect their data online and at home.
Understand How Tax Fraud Happens
Dishonest individuals may steal taxpayers’ personal and financial information from sources outside the IRS, such as social media accounts where people tend to share too many details or bogus phishing emails that appear to come from the IRS or a bank. Once they obtain an unsuspecting taxpayer’s data, thieves may use it to file fraudulent federal and state income tax returns, claiming significant refunds.
Paperless e-filing facilitates these scams: Thieves submit returns electronically, based on falsified earnings, and receive refunds via mail or direct deposit. Sure, the IRS maintains records of wages and other types of taxable income reported by employers, but they don’t usually match these records to the information submitted electronically before issuing refund checks. By the time the IRS notifies a victim that it’s received another tax return in his or her name, the thief is long gone and has already cashed the refund check.
In addition to refund fraud, thieves may use stolen personal information to access existing bank accounts and withdraw funds — or open new ones without the taxpayer’s knowledge. Criminals are becoming increasingly sophisticated and their ploys more complex, making identity theft harder to detect.
Recognize the Warning Signs
Taxpayers are the first line of defense against these scams. The IRS lists the following warning signs of tax-related identity theft:
Your electronic tax return is rejected. When the IRS rejects your tax return, it could mean that someone else has filed a fraudulent return using your Social Security number. Before jumping to conclusions, first check that the information entered on the tax return is correct. Were any numbers transposed? Did your college-age dependent claim a personal exemption on his or her tax return?
You’re asked to verify information on your tax return. The IRS holds suspicious tax returns and then sends letters to those taxpayers, asking them to verify certain information. This is especially likely to happen if you claim the Earned Income tax credit or the Additional Child tax credit, both of which have been targeted in refund frauds in previous tax years. If you didn’t file the tax return in question, it could mean that someone else has filed a fraudulent return using your Social Security number.
You receive tax forms from an unknown employer. Watch out if you receive income information, such as a W-2 or 1099 form, from a company that you didn’t do work for in 2016. Someone else may be using the phony forms to claim a fraudulent refund.
You receive a tax refund or transcript that you didn’t ask for. Identity thieves may test the validity of stolen personal information by sending paper refunds to your address, direct depositing refunds to your bank or requesting a transcript from the IRS. If these tests work, they may file a fraudulent return with your stolen data in the future.
You receive a mysterious prepaid debit card. Identity thieves sometimes use your name and address to create an account for a reloadable prepaid debit card that they later use to collect a fraudulent electronic refund.
Take Preventive Measures
You may wonder how many taxpayers file electronic vs. paper returns. “There are 150 million households that file federal and state tax returns involving trillions of dollars…. More than 90% of these tax returns are prepared on a laptop, desktop or even a smartphone — whether they’re done by an individual or a tax preparer. This is a massive amount of sensitive data that identity thieves would love to get access to.… With 150 million households, someone right now is clicking on an email link they shouldn’t, or skipping an important computer security update, leaving them vulnerable to hackers,” said IRS Commissioner John Koskinen in a recent statement about the Security Summit Group. (See “IRS Creates Security Summit Group” above.)
How can you actively safeguard your personal data online and at home? Here are four simple ways to thwart tax-related identity theft:
- Keep your computer secure. Simple, cost-effective security measures add up. For example, use updated security software that offers firewalls, virus and malware protection and file encryption. Be stingy with personal information, giving it out only over encrypted websites with “https” in the web address. Also back up computer files regularly and use strong passwords (with a combination of capital and lowercase letters, numbers and symbols).
- Avoid phishing and malware scams. Be leery of emails you receive from unknown sources. Never open attachments unless you trust the sender and know what’s being sent. Don’t install software from unfamiliar websites or disable pop-up blockers.
- Protect personal information. Treat personal information like cash. Don’t carry around your Social Security card in your wallet or purse. Be careful what you share on social media — identity thieves can exploit information about new car or home purchases, past addresses, vacations and even your children and grandchildren. Keep old tax returns in a safe location and shred them before trashing.
- Watch out for scammers who impersonate IRS agents. IRS impersonators typically demand payment and threaten to arrest victims who fail to ante up. The Federal Trade Commission recently issued an alert about police raids on illegal telemarketing operations in India that led to the indictment of dozens of IRS impersonators. Remember: The IRS will never call to demand immediate payment, nor will they call about taxes you owe without first mailing you a bill.
Another simple way to prevent someone from filing a fraudulent return is simply to file your return as soon as possible. The IRS begins processing tax returns on January 23. If you file a tax return before would-be fraudsters do, their refund claims are more likely to be rejected for filing under a duplicate Social Security number.
Join the Fight
The deadline for filing your 2016 return is fast approaching. The IRS expects more than 70% of taxpayers to receive a refund for 2016, and it’s on high alert for refund fraud and other tax-related identity theft schemes. You can help the IRS in its efforts to fight tax fraud by watching for these warning signs and safeguarding your personal and financial information.
Additional resources for business accounting tips are available here
The Southbourne Tax Group: Educational Tax Tips
I’m sure growing up you heard your parents say that education was the key to success. Whether that meant going to college, vocational school or having an internship or apprenticeship, education was always the answer for good, stable futures. However, schooling at all levels can be rather expensive. There’s crayons, pencils and notebooks to buy, new clothes to buy, tuition to pay for, paying for room and board and even meal plans. It can be quite expensive and adds up really quick, but surprisingly enough, there are tax benefits for knowledge! So to add to your knowledge are some tax tips to keep in mind. As they say, knowledge is power…and at times financially beneficial!
First and foremost is the easiest tip that probably everyone knows about; tax free weekend. In Virginia, this year (2016) tax free weekend was August 5 through August 7. It’s a three-day event where there is no sales tax on qualified items such as most school supplies, clothing and shoes, and even things like first aid kits and batteries. It’s a nice little perk, and tax break, to help parents load up on much needed school supplies and that’s only the beginning!
Did you know there is a tax credit where before and after school care can be deducted for children under thirteen? Babysitters, summer camp or other care providers may qualify for the tax credit of up to 35 percent of qualifying expenses of $3,000 for one child or up to $6,000 for two or more dependents. The tax credit was designed to help working parents with some of the expenses involved with raising children and the credit helps reduce the amount of federal income tax, which can then increase a taxpayer’s refund.
Educational saving plans, such as 529 plans, are also something designed to help parents have some extra funds for education in terms of college and university. These plans are specifically geared towards education and are not federally taxable. Further, withdraws from the account are not taxable as long as the money is used for college expenses such as textbooks, computer, calculators, etc.
Even with something like a 529 plan, sometimes further assistance by way of student loans is necessary. There’s not much to be excited about where student loans exist, but there is a slight silver lining to them. For instance, when filing your taxes, make sure you list the interest you’ve paid on the loan because up to $2,500 can be deducted within a given year. Yippee!
If you do have a student loan, you should receive a 1098T, and it’ll let you know the amount of interest you’ve paid. This nifty little form is also helpful for the American Opportunity Tax Credit (AOTC). This can amount to $2,500 in tax credits and up to 40 percent of the credit is refundable. This is available for the first four years of post-secondary education (vocational school, college and graduate school) and eligible expenses include tuition, books and required supplies, not room and board. AOTC is intended to help offset college expenses but keep in mind there’s an income limit attached to this credit.
We just wanted to give our beloved clients a heads up on some options they may have when it comes to their children’s education, or if they themselves are thinking about further education. While education can be spendy at times, but we try to help lessen the stress of it if when we can!
Additional resources for business accounting tips are available here.
The Southbourne Tax Group: Stopping tax identity theft - Practical advice for CPAs and clients
Tax return and other tax-related identity theft is a growing problem that CPAs can help their clients with—both in taking preventive actions and in correcting problems after an identity thief has struck. Tax return identity theft occurs when someone uses a taxpayer’s personal information, such as name and Social Security number (SSN), without permission to commit fraud on tax returns to claim refunds or other credits to which a taxpayer is not entitled, or for other crimes.
Thieves normally file early in the tax-filing season, often before the IRS has received Forms W-2 or 1099, to thwart information matching and avoid receiving duplicate return notices from the IRS. Taxpayers sometimes discover they are victims of identity theft when they receive a notice from the IRS stating that “more than one tax return was filed with their information or that IRS records show wages from an employer the taxpayer has not worked for in the past” (FS-2012-7 (January 2012)).
In 2011, the IRS processed about 145 million returns. About 109 million were claims for refunds, with an average refund amount of almost $3,000. As of May 16, 2012, the IRS had pulled 2.6 million returns for possible identity theft, and that trend is on the increase. The IRS recently reported an inventory of more than 450,000 identity theft cases. For the 2011 filing season, the Treasury Inspector General for Tax Administration (TIGTA) estimated that identity-theft-related fraud accounted for approximately 1.5 million tax returns in excess of $5.2 billion.
CONSEQUENCES OF IDENTITY THEFT
Tax return identity theft delays legitimate taxpayer refunds because the return appears to be a duplicate return and may be a sign of other fraud or identity theft problems. IRS support to solve traditional and nonfraud problems may be delayed as well when IRS resources are diverted to combat identity theft. Other tax-related identity theft can cause problems for the taxpayer as well. If an individual fraudulently used a taxpayer’s SSN to get a job, the taxpayer may have extra W-2 wages erroneously reported (and perhaps also extra taxes withheld), leading to a correspondence matching audit. The National Taxpayer Advocate notes that time and money are spent to clear the individuals’ names, during which “victims may lose job opportunities, may be refused loans, education, housing or cars, or even get arrested for crimes they didn’t commit” (IRS Publication 4535, Identity Theft Prevention and Victim Assistance).
Further, until recently, the IRS would hold suspicious refunds while verifying the underlying W-2 information, for up to 11 weeks. With the increase in the number of cases and budget limitations, refunds may take longer. So, the IRS says, “[I]dentity theft can impose a significant burden on its victims, whose legitimate refund claims are blocked and who often must spend months or longer trying to convince the IRS that they are, in fact, victims and then working with the IRS to untangle their account problems” (IR-2012-66).
A typical identity theft starts when thieves have (illegally) bought or stolen information from individuals, employers, hospitals, or nursing homes or have used the public list of deaths with SSNs issued by the Social Security Administration. With a number or list of numbers, they file false tax returns for refunds. For example, investigators found a single address that was used to file 2,137 tax returns for $3.3 million in refunds (see TIGTA Rep’t No. 2012-42-80). Most thieves prefer to receive the refund using direct deposit or prepaid debit cards. In another example, 590 tax refunds totaling more than $900,000 were deposited into a single bank account. Although banks have strict rules to verify the identity of account holders, they don’t have the ability to monitor whether the direct deposit is for a legitimate refund.
Although the IRS planned to spend about $330 million in 2012 to combat identity theft, the IRS has limited resources and needs additional funding to combat this problem. Identity theft also happens to tax systems in other countries, but the extent of the problem is lessened in countries where the government can immediately (or in “real-time”) match income and withholding with the tax return. IRS Commissioner Douglas Shulman called for real-time matching in his prepared remarks at the AICPA Fall 2011 National Tax Conference for the purpose of reducing the number of taxpayer audits, but such a system should help reduce identity theft fraudulent tax returns as well (IR-2011-108).
IDENTITY THEFT IN THE MAKING: HOW ID IS STOLEN
Common ways to obtain personal information include email or telephone phishing and Dumpster diving. Thieves are looking for “discarded tax returns, bank records, credit card receipts or other records containing personal and financial information” (FS-2008-9 (January 2008)). For example, some taxpayers receive email messages allegedly from the IRS advising them that they are under investigation or have a refund pending. To get the victim to respond, the email may threaten a dire consequence (see Exhibit 1 for a typical phishing message). Often, the recipient is asked to click on a link to access what appears to be—but is not—the legitimate IRS website.
The IRS does not send unsolicited, tax-account related emails to taxpayers and never asks for personal and financial information, including PINs and passwords, via email. The IRS advises that “[s]ince the IRS rarely contacts taxpayers via e-mail, and never about their tax accounts, taxpayers should be cautious about any e-mails that claim to come from the IRS” (FS-2008-9). (People receiving a suspicious email from the IRS are encouraged to report the email by calling the IRS at 800-829-1040 or forwarding the email to phishing irs; note in Exhibit 1 how the email uses “irs.org” not “irs.gov.”)
IDENTITY THEFT DETECTION: HOW IDENTITY THEFT IS CAUGHT
The IRS has several filters that address different issues. These filters are designed to distinguish legitimate returns from fraudulent ones and to prevent the recurrence of identity theft. If a tax return is caught by a filter, it is manually reviewed to validate the taxpayer’s identity. If the IRS identifies a suspicious return, it corresponds with the taxpayer to verify the correct information. Alternatively, if a second, unauthorized person is using the taxpayer’s SSN, the taxpayer may receive a correspondence audit notice informing the taxpayer that he or she failed to report income from another (erroneous) employer.
When a taxpayer’s identity has been stolen, the legitimate taxpayer may be issued a confidential identity protection PIN (IP PIN) that identifies the taxpayer as the legitimate party using the SSN and other identifying information. The IRS issues these numbers to taxpayers who have reported that their identities have been stolen, verified their identities, and had an identity theft indicator applied to their accounts. Not all victims of identity theft will receive an IP PIN—the IRS says that taxpayers who submitted Form 14039, Identity Theft Affidavit, and proper documentation or taxpayers whom the IRS has itself identified as victims will receive them. During the 2012 filing season, the IRS issued 250,000 IP PINs, up from about 54,000 the year before. Once the IP PIN has been issued, it must be present and correct on the specific tax return for which it was issued. For the 2012 tax year, the six-digit IP PIN is inserted at the bottom of page 2 of Form 1040, to the right of the taxpayers’ signatures.
If two taxpayers are married filing jointly and each taxpayer receives an IP PIN, the couple should use the IP PIN of the SSN that appears first on the tax return. Tax preparation software is generally equipped to ask taxpayers if they received an IP PIN. If a taxpayer is filing a printed copy of the return, however, this number will not print, and should be handwritten in the space provided. A request for an extension or installment agreement using an IP PIN must be made on paper, but the tax return may still be filed electronically.
A new IP PIN is issued every subsequent year as long as the theft indicator remains on the legitimate taxpayer’s account. Returns with an IP PIN are processed more efficiently, in that they bypass the regular filtering system, and the IP PIN prevents fraudulent returns from being processed. The IRS began a pilot program in 2010 to mark the accounts of deceased taxpayers to prevent misuse by identity thieves.
IDENTITY THEFT CORRECTIVE ACTIONS: WHAT TO DO IF AN IDENTITY IS STOLEN
As trusted financial advisers, CPAs may be asked what to do if a client’s identity is stolen. The CPA should consider advising or helping the client with several steps:
1.For tax and nontax identity theft, report the theft to the Federal Trade Commission at 877-438-4338 or TTY 866-653-4261.
2.File a report with the local police.
3.Close any affected bank and credit card accounts.
4.Inform the credit bureaus and consider putting a credit freeze on the accounts. A credit freeze restricts access to credit reports, making it unlikely that thieves can open new accounts in the client’s name. Credit freeze laws vary from state to state.
5.If personal information is lost or stolen during the year, contact the IRS Identity Protection Specialized Unit at 800-908-4490, and complete Form 14039, if necessary. Expect to be patient, though. The National Taxpayer Advocate noted in her semiannual report that “this unit has been unable to answer about two out of every three calls it has received from taxpayers so far this year. At times during the filing season, it was answering only about one out of every nine calls it received—and those who managed to get through waited an average of over an hour to speak with an employee.”
6.Respond to all IRS notices immediately, using the name and number printed on the notice.
7.Tax preparers should ask their clients if they received an IP PIN.
IDENTITY THEFT PREVENTION TECHNIQUES
Since identity theft is so prevalent and growing, a CPA may consider providing general preventive advice through newsletters, websites, and other communications. This advice may include:
1.Have clients arrange for masked SSNs where possible, e.g., on insurance cards, so that client SSNs are closely protected and circulated as little as possible.
2.Watch credit reports from the three major credit bureaus; consider offering this as an off-season service or adding a timely reminder with contact information to the firm newsletter. (Contact details for the fraud departments of the three major credit bureaus are: Equifax – 800-525-6285; Experian – 888-397-3742; and TransUnion – 800-680-7289.)
3.Advise clients to forward all information appearing to be from the IRS promptly and to not click on links or open attachments from emails claiming to be from the IRS.
4.Advise clients to safeguard their Social Security cards, store them in a safe and secure location, and not discard any documents with an SSN on them.
5.Advise clients to resist giving businesses an SSN or other personal information just because they ask for it; often it is not required, and dissemination of SSN information is risky.
6.Advise clients to protect financial information by investing in and using a shredder before discarding documents.
7.A taxpayer should secure personal information in one’s own home. For example, copies of tax returns can be kept in a locked file cabinet or safe.
8.Taxpayers should protect personal computers by using firewalls and anti-spam or anti-virus software, updating security patches, and regularly changing passwords for internet accounts with sensitive information, such as online banking sites.
CPAs may be able to take additional preventive steps for tax returns, where the client is cooperative:
1.File clients’ returns early if possible.
2.E-file returns to be notified of duplicate return notices more quickly.
3.Consider truncating or masking SSNs on Forms 1098, 1099, and 5498 consistent with Notice 2011-38.
4.Communicate with the client to change client expectations: Refunds might take longer in future years as additional system security steps are taken.
5.Finally, CPAs with new online clients should be very careful to confirm the identity of those new clients, so that an identity thief cannot trade on an unwitting CPA’s credibility in filing false returns.
CPAs can find additional information at:
- IRS website, and
- IRS resources including the Taxpayer Guide to Identity Theft page, or the Identity Protection page.
Additional resources for business accounting tips are available here.
The Southbourne Tax Group: Fraud prevention – 2017 predictions
Challenges and Opportunities
The Paypers has invited various thought leaders to share their views on 2017 predictions regarding security threats and fraud management solutions
Monica Eaton-Cardone, Global Risk Technologies: Criminal fraud, in the form of unauthorised transactions, will remain an ever-present threat
Criminal fraud, in the form of unauthorised transactions, will remain an ever-present threat. Fortunately, though, technologies have made it easier to mitigate this type of fraud. The threat will continue, but it is a manageable concern. Conversely, another type of fraud continues to go unmitigated. Friendly fraud, which is unwarranted or illegitimate chargebacks, is growing at an alarming rate—as much as 50% annually in certain regions and industries. To date, this threat has remained relatively unmitigated.
Fortunately, we are identifying new techniques that are proven effective at preventing illegitimate chargebacks and recovering unnecessary revenue loss. First, merchants need to identify the cause of each chargeback. Identifying the source of a problem is the only way to effectively mitigate it—otherwise, solutions merely address the symptoms. Technologies like Chargebacks911’s Intelligent Source Detection make this possible. Second, once merchants have identified the chargeback sources, they need to dispute known cases of friendly fraud. Disputing illegitimate chargebacks effectively challenges faulty consumer behaviours.
Lastly, the industry needs standardisation and compliance. Programmes piloted by schemes to address these concerns are apt to provide good feedback. Without more attention on identifying the underlying source of this growing problem, consumer expectations will threaten sustainable growth industry-wide.
Jason Tan, Sift Science: Stolen identities or accounts are attractive to fraudsters because they offer a richer form of data than simple payment details
While companies are making strides in fighting payment fraud, there are still some worrying gaps when it comes to combating the new frontier of fraud, account takeover (ATO). Nearly half (48%) of respondents to the Sift Science Fraud-Fighting Trends 2017 survey reported that they saw a rise in ATO last year. And with large-scale data breaches showing no sign of slowing down, there should be plenty of fodder floating around on the dark web for criminals to use in their attacks.
Stolen identities or accounts are attractive to fraudsters because they offer a richer form of data than simple payment details. Non-payment data like login information, birth dates, social security numbers, and security questions can be used to create more accounts, make purchases, or even sign up for new credit cards.
From the standpoint of a merchant or financial institution, ATO is particularly concerning since these fraudsters may take the guise of some of your most trusted customers. However, machine learning and behavioral analysis can help unearth the subtle nuances that separate a real, valuable user from an imposter – so you can stay ahead of the game.
Luke Reynolds, Featurespace: It’s time to embrace machine learning to identify new fraud attacks as they occur while protecting your customers and revenue
Do not treat your customers like criminals. That is the big differentiator for banks and payment processors that want to get ahead. Criminals are advancing faster than existing fraud systems can cope with. Machine learning and advanced anomaly detection are the answer to preventing new fraud attacks, while accepting ‘good’ business from genuine customers.
One type of fraud attack increasing within financial services is Authorisation Stream attacks, where criminals manipulate the standard authorisation message, impacting payment processors upstream of where fraud systems usually spot an attack at transaction stage.
Social Engineering attacks on the elderly and vulnerable are also an increasing threat – where genuine banking customers are manipulated via phone by a criminal impersonating the bank.
Financial Services organisations are typically already capturing data needed to protect customers from these attacks. However, to do so, organisations need to be identifying anomalies accurately and efficiently at the level of accounts, merchants, cardholders and locations.
The good news? Machine learning systems – which use adaptive behavioural analytics to monitor individuals in real-time and detect anomalies – enable organisations to understand behaviour across their customer base. It’s time to embrace machine learning to identify new fraud attacks as they occur, while protecting your customers and revenue.
John Karantzis, iSignthis: The convergence of 4AMLD and PSD2 can lead to proactive solutions that mitigate fraud
Are companies ready for even more sophisticated fraud attacks? Unfortunately, it appears not, as card fraud has continued to rise around the world, with fraudsters becoming more sophisticated and harder to catch than ever.
In 2015, we saw more than USD 16.31 bln lost to card fraud globally, with a significant proportion of this being within SEPA. Whilst more and more predictive or risk-based solutions are released to the market each year to protect businesses from fraud, the fraud statistics are not decreasing.
Clearly, relying on risk-based assessment or predictive systems such as ReD, Kount, Cybersource, are proving to be less and less effective, and often lead to false positives or false negatives.
In response, regulators have introduced the Payment Services Directive 2 (PSD2), which incorporates a requirement for ‘Strong Customer Authentication’ (SCA) for every payment transaction. SCA however, relies upon Knowing Your Customer, which for transactions originating outside of SEPA can be extremely challenging. The strengthening of the transparency rules regarding identity has been introduced to tackle terrorism financing, tax avoidance and money laundering, which in turn will also address the adjacent issue of card not present (CNP) fraud. The convergence of 4AMLD and PSD2 can lead to proactive solutions that mitigate fraud, which in turn increases merchant’s confidence to pursue exporting and revenues from outside the SEPA.
The iSignthis Paydentity solution adds a layer of proactive defence for merchants against sophisticated CNP attacks, in addition to providing a basis for compliance for the 4AMLD and PSD2.
Additional resources for business accounting tips are available here
